Why are corporate cyberattacks getting worse? The answer is simple – there are weak links. And the bigger the corporation, the more weak links there are. The problem lies in that the typical corporate strategy and plan of action (POA) for preventing future attacks always seems to point to ‘conduct regular training’ and ‘distribute informational resources.’ But let’s be honest, when was the last time anyone paid serious attention to those?
With hackers getting smarter and more opportunistic, organizations need to rethink their strategy and start with the “what” and the “why” when it comes to understanding the less-than-adequate results of their current cyberattack prevention strategy. The “what” is “what is preventing my employees from easily following their security directives?” The “why” is “why aren’t my employees taking the necessary steps to curb cyberattacks once they have the solution in hand?” And do they really have a solution, or just something that creates more roadblocks, more headaches, and more barriers to adoption? In my career working in both the public and private sectors, it is clear that a lot of ongoing problems are a result of not digging in and fully understanding the constructs of human behavior, or rather ‘bad behavior,’ that lead to this current predicament.
With the recent spikes in high profile cyberattacks, people are more aware of the direct impact data breaches and ransomware can have on their lives; take the frantic gas panic buying that happened post-Colonial Pipeline breach for example.
TurboTax also recently experienced a breach (their third) as a result of its users not managing passwords correctly, which is arguably one of the simplest ways to protect your personal data. Following this breach, FYEO’s team dug into it and found 20k+ instances of TurboTax’s own employees using credentials that were compromised in past breaches. Tough to demand it from your customers when your own employees aren’t exercising security best practices, either.
Employees are continuously deemed the “weak link” in any organizational cybersecurity simply because convenience is nearly always chosen over security. How can we shift this dynamic and put the onus not just on the employee but also on the company to manage the employee’s natural instincts as part of any solid defensive program? How can we enable the company to do that effectively? With the current “work from home” climate we live in, there is more crossover from personal to work devices, which means this problem will only escalate, with even lower levels of visibility for IT managers into employees’ online habits, especially when it comes to credential management.
The purpose of this article is not to propose the magic bullet or technical tool to solve this issue, but instead to reexamine how organizations can approach and actually start solving this issue with new approaches. If we start with the approach of gaining a better understanding of the context, situation and behavior of the individuals in the organization, we can then work to see how best to motivate and empower people to make change that benefits not just themselves but the organization as a whole.
Why the “do as I say” approach fails time and time again
Whether it’s cybersecurity or eating healthy, simply telling someone to do something because it’s good for them has never been a winning approach. It’s the equivalent of telling a child to eat their daily vegetables and expecting them to follow suit. People in general never do something simply because they are told it’s good for them or that they have to do it. We as humans tend to follow the path of least resistance and weigh, in microseconds, the cost-benefit analysis of performing an action. If we really want to enable change, we need to empower, reward (no, I don’t mean dollars and cents), and provide a feedback loop at the point of action. Imagine a video game where there was no winner at the end and no way of measuring your success. Would people be motivated to play? Of course not, and the same is true of the remedial task of not using the same password over and over again. While at the end of the funnel the human is ultimately the weakest link, it’s really a result of the game not being constructed in a way that empowers people to make the necessary behavioral changes.
Start with people, not tools
There is no shortage of tools out there that, when properly deployed, can help prevent organizations from falling prey to cyberattacks. The trick is getting people to use them effectively. The reason they don’t is that we are throwing tactics and tools at people instead of reinforcing and starting with the basics, which are quite simple: better passwords. Poor password management due to reuse of the same passwords over and over (and in many cases, passwords that have already been leaked on the dark web) remains the number one vulnerability for both organizations and individuals. That’s because these passwords are linked to every aspect of our digital lives, inside and outside the office.
A path forward – tips for getting employees to participate
Most of the training I’ve been part of immediately jumps to the point at which bad things happen. Most of these scenarios focus on how it impacts the business instead of creating an understanding between employee and organization on how it impacts the individual as well. So the “what’s in it for me” question is never really answered. People in general don’t understand the true impact of password reuse, normally stating that “there was no critical information tied to that account.” That may be true, but if that same password is used on other accounts that hold PII, financial information, etc., that gives a nefarious actor the power to really wreak havoc and cause real damage. And with the average user today using five or fewer passwords across all accounts, it makes sense why this remains such a pervasive and growing issue.
Pick a password manager that all employees, regardless of technical know-how, can use. So many password managers out there are full of feature bloat that makes the whole process of getting employees to practice good credential hygiene confusing. The second someone encounters a hurdle to getting started, they immediately shut off, so a password manager that focuses solely on the credential management aspect keeps the employee focused on what is important for themselves and for the security of the organization. Simple tools, simple solutions.
Solving for the human element today is not insurmountable; it just takes a change of approach and consideration of the mindset of the individual first before going directly to the tactic. Innovations in credential management such as automating the process of updating breached passwords without user input and disabling the ability to reuse previously saved passwords will take much of the onus out of the hands of the individual and will help us start to close the gap. When we accomplish that, we go from being reactive to proactive in keeping organizations secure.
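The two vault behaviors described above, blocking reuse of an already-saved password and rotating credentials found in a breach corpus, as an added illustrative example that is not code from any product mentioned in this article. It assumes a hypothetical range-lookup endpoint (`breached_suffixes`) and a constructed breach set, and keeps vault entries in a plain dict as a stand-in for the encrypted store a real password manager would use.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breached-password corpus: SHA-1 digests of a few
# known-leaked strings (not real breach data). Real services expose this via
# hash-prefix range lookups so the full hash never leaves the device.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "Summer2021!", "letmein")
}

def breached_suffixes(prefix):
    """Hypothetical range endpoint: suffixes of breached hashes sharing a 5-char prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password):
    """Check a password while sending only its 5-char SHA-1 prefix out of the vault."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in breached_suffixes(h[:5])

def generate_password(length=20):
    """Random replacement password from a CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Vault:
    """Minimal vault: site -> password, standing in for the encrypted store."""
    def __init__(self):
        self.entries = {}

    def import_legacy(self, site, password):
        """Load a pre-existing credential (e.g. from a browser) without checks."""
        self.entries[site] = password

    def save(self, site, password):
        """Refuse the save if the password is reused on another site or is breached."""
        reused_on = sorted(s for s, p in self.entries.items() if p == password and s != site)
        if reused_on:
            return "reused", reused_on
        if is_breached(password):
            return "breached", []
        self.entries[site] = password
        return "ok", []

    def rotate_breached(self):
        """Replace every breached password with a fresh random one; return rotated sites."""
        rotated = [s for s, p in self.entries.items() if is_breached(p)]
        for site in rotated:
            self.entries[site] = generate_password()
        return sorted(rotated)
```

In a real deployment the rotation step would also push the new password to the site's change-password flow; here it only updates the vault entry.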