Human Cybersecurity

By Ami Toben

Last year I was invited to the third annual Physical and Cyber Threat Convergence Forum in Phoenix, Arizona. I previously wrote what has become a very well-read article about this important initiative. Here comes the next one.

It was initially surprising to discover that many in the information/cybersecurity sector envy us in the physical security side because our industry is a) generally effective at what we try to do, and b) quite well established, with many years of experience. This was surprising to me because the information/cyber side of things always seemed so much more organised and well-funded compared to us.

Now, since I still fall into the physical security side of things and, as long as this divide still exists (there are some good people working on breaking it down), I thought I would try to offer my info/cybersecurity friends a few insights from my experience in the physical side.

Defining the Problem

People outside the information security sector are usually surprised to learn that the human factor accounts for the overwhelming majority of cyberattacks. It was certainly surprising for me at first. Systems and programs might be complex and advanced, but humans are still relatively easy to deceive. Duping someone into clicking on a link or downloading a program through various phishing and social engineering tricks is still a simple and effective way to execute any number of cyberattacks.

Okay, so the human factor is the main vulnerability in any company or system. Got it! It was surprising to learn this at first, but once you find out about it, there it is. So, what do we do about it? Well, not much, as it turns out.

Information security experts seem completely obsessed with defining the problem – over and over and over again. Yes, we understand the human factor is the biggest vulnerability. It is a fact. Got it. Thank you. Why not stop just complaining about it and start developing effective strategies and tactics to prevent and combat it?

The only solutions I keep bumping into are either training or some flavour-of-the-month, flashy silver-bullet product that is supposed to be the end-all-be-all solution. Training usually takes the form of how to better educate the workforce on cyberattacks and how to get people to stop downloading or clicking on stuff. And, in the flashy, silver-bullet solution department, artificial intelligence (AI), in whatever form the term is interpreted, seems to reign supreme.

Well, training and nifty new systems are fine. We employ a good amount of them on the physical side too. And yes, to be fair, training has been shown to be generally effective in lowering click rates and AI can indeed provide many solutions. But phishing and social engineering attacks are still so overwhelmingly effective; combating information security attacks by training and trendy new systems alone is about as effective as two farts in a hurricane.

Do Something – Different!

Now, since the main threat comes from people, and the main vulnerability that is exploited is people, maybe us physical security guys can give you a bit of advice. After all, we have been in the people business forever.

Physical security efforts (even if assisted by high-tech systems) are usually directed at people and largely executed by people. Most of the highest risks we try to mitigate have to do with people and most screening and assessment efforts are attempts to distinguish between people who pose a security risk and people who do not.

So, here is where I am going to go out on a limb and try to suggest a time-tested physical security strategy. Are physical security strategies guaranteed to work for information security? I honestly do not know. But hear me out first.

On the physical side of things, most companies start out like this:

  1. You have a small workforce in a small workspace with relatively small physical security concerns. As long as the property containing the workspace is generally controlled and employees are given some form of ID that proves they belong there and that can grant them access to the workspace (key card, fob and so on), you are pretty much good to go.
  2. As companies become larger, security concerns tend to follow suit. That is when companies start upgrading their security systems, revise their security policies and procedures and look into security training.
  3. As companies become larger still, vulnerabilities and security concerns continue to follow suit. And this is usually when companies start having to employ protective/guard services on top of their existing measures.

So, that how it works on the physical side. The limb I am going out on is the idea that information security might be able to employ this successful strategy too. It seems to me that information security is stuck somewhere in stage 1 or 2, when the need to enter stage 3 is long overdue.

The big question is what in the world are effective information security protective services? And to tell you the truth, I do not exactly know. All I am saying is that there seems to be a need to move past the stage of diagnosing the problem over and over again; past the stage of complaining about the problem over and over again; past the stage of just training the workforce over and over again; and past the stage of looking for the next mythical silver-bullet solution over and over again.

Maybe it is time to think outside the cyber box. Is it really that crazy to consider that time-tested physical security strategies might also work for information security? After all, our goals are quite similar – we protect our assets from external and internal threats. We even define things in much the same ways, with risk and threat mitigation, hostile attacks, security awareness, preventive and reactive measures, access control, Red-Teaming, penetration testing and more.

Of course, it is not going to look the same and the implementation of these strategies will be different. You are not going to see any uniformed information security officers patrolling your workspace. But it seems to me that a layered approach with circles of security, better perimeters, more stringent access control, more external and internal monitoring and a general assertion of control over the assets and their environment is the way to go. And since people (the bad guys) keep exploiting human vulnerabilities in the system, maybe we should have other people (the good guys) prevent them from doing so.

Many companies already have well-established information security departments, some even equipped with security operations centres (SOCs). Adding more of a human factor to it will probably necessitate bigger budgets (as it does on the physical security side), but what other choice do you have? What is the point in just repeating a failed strategy, knowing full well that the chances of your assets being targeted through your known vulnerabilities are something like 100 percent?

Security systems, protocols, training and awareness are necessary but not sufficient measures for achieving this. They will work to some extent during stages 1 and 2 but, if you have a large enough organisation (or just one with large enough security concerns and vulnerabilities), you are going to need people in the form of professional screeners and gatekeepers to maintain and enforce a security program. Not periodically, not just with remote management, not just with spot checks, not just in educational sessions, but continuously, in the field, in real time.

It works for physical security. Let us find a way to implement it for information security too.

An experienced security director, consultant, trainer, operator and business developer, Ami Toben has over 14 years of military and private sector security experience, and a successful record of providing full-spectrum, high-end services to Fortune 500 corporations, foreign governments, foundations, non-profit organisations and wealthy individuals. Ami is currently director of consulting, training and special operations at HighCom Security Services, a US-based high-end security specialising in protective services, security systems, consulting and training.

Possible breakout quotes:

People outside the information security sector are usually surprised to learn that the human factor accounts for the overwhelming majority of cyberattacks… Duping someone into clicking on a link or downloading a program through various phishing and social engineering tricks is still a simple and effective way to execute any number of cyberattacks.

Information security experts seem completely obsessed with defining the problem – over and over and over again.

Maybe it is time to think outside the cyber box. Is it really that crazy to consider that time-tested physical security strategies might also work for information security? After all, our goals are quite similar – we protect our assets from external and internal threats.