Reducing 'Human Vulnerabilities' Key to Winning Cyber Security Battles
There's an old saying that generals always prepare to fight the last war. Not because they expect no future wars, but rather that the preparations undertaken were exactly what was needed to fight the war that was most recently staged. A new report from Nuix, based on a white paper, The Human Vulnerability, from cyber security pro Chris Pogue, suggests that a similar phenomenon has happened in cyber security, as most professionals are turning to the wrong weapons and wrong tactics, needing instead to address human vulnerabilities.
Pogue, who serves as Nuix's senior vice president for cyber threat analysis, noted that out of over 2,500 data breaches investigated, not one was caused by a “non-human-initiated system failure.” This led Pogue to note that “people are the problem,” and that addressing cyber security in the future must focus on issues of people rather than systems. Pogue even goes so far as to offer a complete plan of attack designed to address those “people problems” related to cybersecurity.
Pogue commented “Do we have what it takes to outsmart our own brains and stop ourselves from repeating the mistakes of the past. Hopefully we can set ourselves up for the next 20 years, get serious about security, address the real human vulnerability, and start reclaiming surrendered ground.” Given that Nuix offers a set of cyber security tools that address some of the same points Pogue does, it's a safe bet that there's something to all this.
However, I don't think most people are going to take kindly to being addressed as if they were faulty machines. Hence, Pogue's study, despite its validity may get some pushback.
Putting aside the tone, designed to catch attention, the conclusions are statistically reasonable. Realties are that weak passwords, passwords left sitting around where anyone can read and use them later, people willing to sell passwords to corporate systems for less than $100 in some cases, etc., are all creating vulnerabilities that 100 percent caused by humans. In fact, some reports suggest that as much as 91 percent of all user passwords fit into a list of 1,000 common passwords.
This raises the question, “What can be done?” The sheer number of password-protected accounts most of us deal with every day requires some level of simplification or we'd never remember anything. That's where things like password managers can be helpful. Unfortunately, not everyone's sufficiently familiar with them, or even if they are familiar they fail to use them and follow best practices.
Some think pulling passwords altogether may be key, with biometrics taking point instead. Indeed, non-password solutions that also include various types of multi-factor authentication are becoming the order of the day. This is the result of a sense of urgency that is reflected in the headlines as data breaches are increasing in their frequency and sophistication. Therefore, whatever we do, however, we need to do it needs to be done quickly. And, based on the evidence it needs to be done by greatly diminishing the human factor in multi-factor authentication, and in assuring there are tools to detect anomalous behaviors as quickly as possible to detect risks and effectuate appropriate remediations.