
Adam Marre

Creating a Security Culture & Solving the Human Problem

People are the biggest weakness to security breaches; people can also be your organization's biggest defense.

Through nearly a dozen years of experience at the FBI and now at Qualtrics, I've seen that many of the most successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works.

Massive telecom data breach? Unprotected vendor server. Prominent media company? Stolen credentials. Website with compromising emails? Former contractor. All of these major breaches resulted from mistakes of individuals. The threat vector is you.

Despite years of education, millions of pages of policy, and pervasive annual mandatory trainings, 60% of security professionals rank employee carelessness or negligence as a top threat, up from 44% in 2015, according to the EY Global Information Security Survey. Fully 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, according to a 2017 report from Willis Towers Watson.

Yet although human-caused breaches keep happening, we haven't changed the behaviors that lead to them. On average, 4% of targets in a phishing campaign will click, according to Verizon's 2018 Data Breach Report. Furthermore, people who have clicked once are more likely to click again.

Why? Because most modern workers think they know how to avoid security threats. We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.

Awareness vs. Response
Qualtrics conducted a study of roughly 1,000 US adults to test two related, but significantly different points: awareness of phishing threats and appropriate responses to phishing threats. The gap was striking.

We found that more than 70% of US adults knew what phishing was, and more than half said they knew how to avoid becoming a victim.

Appropriate Response
But when we asked harder questions from the same sample, we saw far less confidence. Only 10% of respondents knew the right way to determine if a link is legitimate. Equally concerning, one in three US adults incorrectly said that only clicking on links from people they know would protect them from falling victim to a phishing attack.

You are still the target, and the problem is getting worse because of the human gap. People develop false confidence when they’re aware of a problem but don’t know how to properly address it. Because security experts are still learning how to address human security vulnerabilities, even the best can substitute mere awareness for preparation.

Filling the Confidence Gaps with Elbow Grease
A lot of people purchase online training videos and throw them at the problem, or check the box for cybersecurity training by having their IT personnel provide basic reminders in training once a year. This kind of attitude can be even more dangerous than letting cybersecurity slip from top-of-mind. When companies focus on merely checking that box, they can lull themselves into a false sense of security, thinking their annual lecture or testing has prepared employees for future attacks.

If companies put as much thought, planning, and execution into helping their employees avoid cyber threats as they do into building firewalls and preventing software breaches, they would increase the security of their organization. This could mean increasing training or implementing other processes for sharing information. But that seems like a lot of hard work for already overburdened security professionals.

I have investigated dozens of cases where victims didn't click a link or download any file, yet they still were tricked by a phishing email and lost millions. Awareness training and tests are an essential part of securing an organization. However, the end goal should be to create a security culture, not to just make people more knowledgeable. Culture implies intrinsically motivated action, which is what companies need to protect themselves.

Start from the Top
The most effective training program in the world will have a hard time gaining traction among employees if they don’t see those precautions and practices being demonstrated by leadership. Without an example from the top, the environment for a security-minded culture to develop won't exist.

This culture is crucial for the same reason public health officials stress the necessity of herd immunity via vaccinations: If the bulk of a population is protected against a threat, that population has a much lower risk of being damaged by that threat. Exemplifying secure practices can help executives protect their workforce against breaches.

Leading the charge doesn’t have to take a lot of time or effort. It could be as simple as executives always wearing the security badges they expect employees to carry, or encouraging employee discussion during cybersecurity training.

Follow Up
Training or a phishing test is a great start, but what happens after that? Without following up on training, employees can forget crucial security measures, and the subject can drift into perceived irrelevance until the next year’s exercise.

Keep the message current by reiterating it throughout the year. Maybe that means instead of having one big training per year, you break it down into smaller quarterly training sessions. Maybe it’s having regular testing or routinely having conversations about cybersecurity. A combination of initiatives — an occasional newsletter with tips, regular training, etc. — can help foster a secure culture by imparting the severity of the problem and the necessity of every employee’s efforts to solve it.

Hardening devices and patching software are only part of the battle to secure your enterprise. Today, you must test and train employees and help them stay accountable for security practices. Each individual is a major threat vector to your organization, so you must create a culture of security and frequently reiterate the message. A security mindset in every employee is the only thing that will close the human security gap and the only way to truly protect your company.

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years' experience leading large-scale computer intrusion investigations and consulting as a cybercrime ...

2/13/2019 | 1:48:17 AM
Hacking people, not systems
There have been several similar cases in different security lapse incidents. Most of them involve individuals who were negligent in their line of work though their expertise was security. Some of them were too engaged in other affairs to keep up with stringent security measures whilst others were basically performing data breaches on purpose.
2/13/2019 | 1:05:00 AM
People can't do what they don't know
I think most laypeople are not aware of how much it costs to have proper security systems installed on their tech devices. I reckon that many people think that anything more than anti-virus software is excessive! If we want more people to buy into the security culture, we have to spend more time educating people about it!
1/29/2019 | 11:19:39 AM
weakest link
successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works. That makes perfect sense. Exploit the weakest link: human beings.