Читать книгу The Security Culture Playbook - Perry Carpenter - Страница 10

You've undoubtedly been presented with this dilemma before. Someone says that it's worthless to focus on the human side of security because, no matter what, there will always be someone who will fall for a phishing email or make some other error. In short, their argument is that the human defense isn't 100 percent effective, so it can't be relied on and doesn't deserve an investment of time, energy, or funding.

You'll even hear some make claims to the effect of, “only technology will help an organization prevent security issues.” This type of thinking has been prevalent in security circles for decades and has led to the situation that we're in right now, where the human layer has been neglected.

A quote from the preface of Bruce Schneier's book Secrets and Lies is fitting here. Bruce ends the preface with these words, “[a] few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology” (Schneier, 2000).

The following is an excerpt from Perry's book, Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Carpenter, 2019). The excerpt does a good job summarizing why this is a false dichotomy. This shouldn't be presented as an either/or dilemma.

As an industry, we will always have to solve (and evolve) for both sides of the equation (technology and humanity). Not implementing standard and reasonable technology-based tools proven to improve an organization's security posture would be negligent. Similarly, not acknowledging that technology will never be 100 percent effective at preventing cybercriminals from creating well-crafted attacks targeting humans, such as emails or other messages that reach your end users, is also negligent. Neither approach is mutually exclusive of the other. And whenever we create stronger security protocols intended to help our organizations, there will be a group of employees who will intentionally or unintentionally find ways to bypass those controls. The human element must be a factor in the deployment of technology, and it should be understood as a security layer in and of itself. Your defense-in-depth security strategy should always account for the following:

 Determined human attackers who are continually probing for flaws within your security technologies (and that flaws will always exist)

 Unwitting employees who find themselves on the receiving end of a cybercriminal seeking to accomplish their goals by going around the technical layers of an organization's defenses, targeting humans instead

 Employees who negligently or intentionally circumvent technical controls

 Employees who negligently or intentionally divert from the organization's policies, controls, and processes

 The interdependency between policies, controls, and processes that exist in the physical world and those of the organization's technology-based systems

 The ever-evolving ecosystem of mobile, IoT, and other new technology-based systems that your people will engage with

 The reality that digital data can easily spill into the physical world (e.g., printouts, whiteboards, conversations, and so on)

Thinking about this, we can safely conclude that the human element of security will always be something that deserves intentional focus.

If you need more evidence that traditional technology-centric approaches to security are ineffective at stemming the tide of data breaches, then you owe it to yourself to have a look at Verizon's Data Breach Investigation Report (DBIR). Each year, the Verizon DBIR provides a deep analysis into the types and causes of data breaches. And each year, they find that a vast majority of data breaches are caused by some form of exploitation of the human element or by human error. For instance, the most recent report as of this writing, Verizon's 2021 Data Breach Investigation Report, found that of the over 5,250 breaches they analyzed, 85 percent involved the human element (Verizon, 2021; Sheridan, 2021).

It's time to remove our rose-colored techno-centric glasses. Technology cannot and will never block all threats that involve humans. And that's why a focus on security culture is critical.

It's time to remove our rose-colored techno-centric glasses. Technology cannot and will never block all threats that involve humans. And that's why a focus on security culture is critical. This is a rallying call to build up our human layer of defense.

Let's face it. We already know what we have to lose by not focusing on the human layer. Breaches are on the rise. Phishing is on the rise. Ransomware is more rampant and destructive than ever (Register, 2021), growing at a rate of over 150 percent in just the first half of 2021 (Seals, 2021). Cybercriminals are constantly searching for the least fortified aspects of your defenses. It's clear that technology alone will never adequately defend your organization. It's time to move beyond paying lip service to the human side of security. It's time to intentionally focus on building a healthy security culture.