Dispelling myths about the human factor in information security

High-profile cybersecurity scandals in which employees of large companies and government agencies were found guilty have been one of the main news themes of the last three years. From confidential data leaks to large-scale hacker attacks, insiders played a key role in many incidents, using their official access to harm their employers. The culprits were found and punished, and the case was closed. But is the question of guilt really so clear-cut in these cases? And can patterns be found in these stories?

Indeed, the statistics are striking: from the Anthem Inc. scandal, in which the personal data of 78 million customers was stolen by an IT employee, to the hacking of Russian government agencies, all of these stories involve guilty insiders who received substantial prison terms.

But when such cases are investigated, a whole range of factors that could have influenced the employee's behavior and ultimately pushed them toward illegal actions is often overlooked. Most importantly, these factors are usually hidden within the organizations themselves: in how they hire, monitor and motivate personnel.

Stanislav Karpovich, Deputy Director of the Cyberpolygon Department for Business Development, set out in a new article to dispel several myths about the human factor in cybersecurity.

Myth 1: Hardware is more important than people

By the end of 2023, total damage from information security incidents was estimated at about 156 billion rubles. The insider factor dominates among data-leak incidents caused by deliberate action. As investigations of cyber incidents show, many organizations do not monitor the activity of their employees, which lets insiders exfiltrate data for years without fear of exposure. The average damage from a single leak for Russian organizations in 2023 was about 5.5 million rubles, and an organization may suffer several such incidents in a year.

Entire classes of information security products have been developed to reduce these risks: first of all DLP systems, which prevent data leaks; IdM (identity management) solutions, which manage accounts and access rights; and PAM systems, which control privileged users. These tools reduce the risk from internal attackers, but they cannot stop social engineering, to which an ordinary person is susceptible: when an employee is talked into handing over credentials or data, these controls see an authorized user performing an authorized action.

And when such a “weak link” does fall for an attacker's tricks, that person is declared guilty, although the root cause lies deeper: insufficient cyber literacy among company employees, and low investment in security awareness programs and in the training of cyber defense teams.

The question is not whether cybercriminals can turn an employee to the “dark side”; they can. The question is how many resources it will take them and how much damage they can then cause.

Companies readily allocate budgets running into the billions for hardware and software, but avoid a systematic approach to developing their employees' skills. And there are practically no automated solutions for this on the market. The circle is closed. What is needed for the market to form a demand for systems that monitor and develop employees, and thereby strengthen information security?

Myth 2: We check everyone thoroughly

The recent case of the American company KnowBe4, which unwittingly hired a North Korean hacker, is revealing. The “candidate” passed four rounds of video interviews without arousing suspicion at any stage. On the very first day, having received a work Mac, the new employee began loading malware onto it; the attempt was stopped by the security operations center (SOC). As the subsequent investigation showed, the “employee” was physically located in North Korea and connected to the work device through a “laptop farm” over a VPN.

Yes, a case of this scale is rare, but hiring in general remains one of the weakest areas. In a rush to fill vacancies as quickly as possible, HR departments sometimes neglect to check candidates' backgrounds and track records thoroughly. As a result, people with a compromising past can end up in key positions and later become the cause of serious incidents.

In the near future the crisis in the labor market will only deepen. We are already seeing the trend of the “one-day offer”, justified with: “if we don't send an offer, others will, and this position has been open for six months.” So it is unlikely that vetting in its current form will remain an effective barrier against unreliable candidates.

Myth 3: The scapegoat is always to blame

Nor can we discount the personal motives of insiders, from financial difficulties to revenge against the employer. One motive may be plain burnout, dissatisfaction with current tasks or the atmosphere in the company, or personal conflicts with peers or top management.

Three former employees of the US Department of Homeland Security stole the personal data of hundreds of thousands of government employees. Murali Venkata, Charles Edwards and Sonal Patel were convicted of conspiracy to steal government property. According to the investigation, the data of more than 200 thousand people was put at risk. In addition, the offenders planned to build their own commercial system and sell it back to the federal government, and to do so they stole government software.

Here too, however, the question is why the employees ended up in such a situation, and why the organization was unable to detect and prevent it in time. Of course, there are ways to reduce the number of incidents caused by employees, but it is far more important that people correctly assess their own risks and the potential damage from their actions.

Myth 4: Our information security department is invulnerable

Since 2022 we have been running regular cyber exercises for information security engineers, SOC analysts and incident response specialists. Demand for them grows every year, as do the qualification requirements, both at hiring and on the job.

Until 2022, international certification schemes were an important tool for assessing the skills of candidates and employees; after the international certification bodies left Russia, no comparable means of practically verifying competencies has emerged. But even the certification system did not show which relevant knowledge and skills an employee actually possessed, since qualification requirements keep growing, and they grow not linearly but in bursts.

Since 2020 we have conducted more than 300 cyber exercises for 5,000 employees of companies and government organizations, and we can highlight two trends we observe in the professional community.

First, it has become clear that the competence level of “paper” information security specialists is insufficient for responding to incidents. Second, gaining experience directly during an incident is too expensive for a company that has to respond to a cyber attack in real time.

An analogy can be drawn with firefighters, who maintain their skills through drills so that at the critical moment they do everything correctly and quickly. Another example is a racing driver, who will practice the corners on a virtual track a hundred times before getting behind the wheel in Monte Carlo. Likewise, an aircraft crew works through all possible adverse scenarios before each flight.

Therefore, in information security the development of competencies should become as integral a part of the workflow as filling out a pilot report or tracking the validity of licenses.

Myth 5: Employee training is the responsibility of the employees themselves

The desire of HR and company managers to attract ready-made candidates with every competency is understandable and logical. At the same time, a cyber defense team, like Formula 1 drivers, should regularly take part in cyber exercises to sharpen its practical response to attacks. Criminals constantly refine their tactics and techniques, so the information security team must keep pace, if not stay ahead.

For this reason, cyber exercise programs for cyber defense teams are being developed and run on cyber range (cyber polygon) platforms. Ideally, command-post exercises should be held regularly to work through various incidents, and then, based on SLA metrics, the competencies and employees that most need improvement can be identified.

The next step is a development plan for each cyber defense (Blue Team) employee, with evidence of the skills acquired. It is important to know the people on whom the success of repelling a cyber attack and minimizing damage depends. A competency matrix, for example, is a visual way to understand which types and levels of attack the company is protected against, and in which scenarios it would stand no chance.

No specialized seminar will turn your information security specialist into Neo from The Matrix. Only practice will: constant development of skills in protecting the infrastructure of various industries, and teamwork.

To some extent this will require revising the strategy for training information security personnel, and it raises the question of preparing the team for force majeure. Then the problem of “Vasya”, the scapegoat, will certainly be far less acute for Russian business and government organizations.
