Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Adam Marre
Adam Marre
Connect Directly
E-Mail vvv

Creating a Security Culture & Solving the Human Problem

People are the biggest weakness to security breaches; people can also be your organization's biggest defense.

Through nearly a dozen years of experience at the FBI and now at Qualtrics, I've seen that many of the most successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works.

Massive telecom data breach? Unprotected vendor server. Prominent media company? Stolen credentials. Website with compromising emails? Former contractor. All of these major breaches resulted from mistakes of individuals. The threat vector is you.

Despite years of education, millions of pages of policy, and pervasive annual mandatory trainings, 60% of security professionals rank employee carelessness or negligence as a top threat, up from 44% in 2015, according to the EY Global Information Security Survey. Fully 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, according to a 2017 report from Willis Towers Watson.

But although we keep having human breaches, we haven't changed the behaviors that lead to these breaches. On average, 4% of targets in a phishing campaign will click, according to Verizon's 2018 Data Breach Report. Furthermore, people who have clicked once are more likely to click again.

Why? Because most modern workers think they know how to avoid security threats. We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.

Awareness vs. Response
Qualtrics conducted a study of roughly 1,000 US adults to test two related, but significantly different points: awareness of phishing threats and appropriate responses to phishing threats. The gap was striking.

We found that more than 70% of US adults knew what phishing was, and more than half said they knew how to avoid becoming a victim.

Appropriate Response
But when we asked harder questions from the same sample, we saw far less confidence. Only 10% of respondents knew the right way to determine if a link is legitimate. Equally concerning, one in three US adults incorrectly said that only clicking on links from people they know would protect them from falling victim to a phishing attack.

You are still the target, and the problem is getting worse because of the human gap. People develop false confidence when they’re aware of a problem but don’t know how to properly address it. Because security experts are still learning how to address human security vulnerabilities, even the best can substitute mere awareness for preparation.

Filling the Confidence Gaps with Elbow Grease
A lot of people purchase online training videos and throw them at the problem, or check the box for cybersecurity training by having their IT personnel provide basic reminders in training once a year. This kind of attitude can be even more dangerous than letting cybersecurity slip from top-of-mind. When companies focus on merely checking that box, they can lull themselves into a false sense of security, thinking their annual lecture or testing has prepared employees for future attacks.

If companies put as much thought, planning, and execution into helping their employees avoid cyber threats as they did creating firewalls and preventing software breaches, they would increase the security of their organization. But that seems like a lot of hard work for already overburdened security professionals. This could mean increasing training or implementing other processes for sharing information.

I have investigated dozens of cases where victims didn't click a link or download any file, yet they still were tricked by a phishing email and lost millions. Awareness training and tests are an essential part of securing an organization. However, the end goal should be to create a security culture, not to just make people more knowledgeable. Culture implies intrinsically motivated action, which is what companies need to protect themselves.

Start from the Top
The most effective training program in the world will have a hard time gaining traction among employees if they don’t see those precautions and practices being demonstrated by leadership. Without an example from the top, the environment for a security-minded culture to develop won't exist.

This culture is crucial for the same reason public health officials stress the necessity of herd immunity via vaccinations: If the bulk of a population is protected against a threat, that population has a much lower risk of being damaged by that threat. Exemplifying secure practices can help executives protect their workforce against breaches.

Leading the charge doesn’t have to take a lot of time or effort. It could be as simple as executives always wearing the security badges they expect employees to carry, or encouraging employee discussion during cybersecurity training.

Follow Up
Training or a phishing test is a great start, but what happens after that? Without following up on training, employees can forget crucial security measures, and the subject can drift into perceived irrelevance until the next year’s exercise.

Keep the message current by reiterating it throughout the year. Maybe that means instead of having one big training per year, you break it down into smaller quarterly training sessions. Maybe it’s having regular testing or routinely having conversations about cybersecurity. A combination of initiatives — an occasional newsletter with tips, regular training, etc. — can help foster a secure culture by imparting the severity of the problem and the necessity of every employee’s efforts to solve it.

Hardening devices and patching software are only part of the battle to secure your enterprise. Today, you must test and train employees and help them stay accountable for security practices. Each individual is a major threat vector to your organization, so you must create a culture of security and frequently reiterate the message. A security mindset in every employee is the only thing that will close the human security gap and the only way to truly protect your company.

Related Content:

Adam Marrè, CISSP, GCIA, GCIH, is a Qualtrics information security operations leader and former FBI cyber special agent. Adam has more than 12 years experience leading large-scale computer intrusion investigations and consulting as a cybercrime ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
2/13/2019 | 1:48:17 AM
Hacking people, not systems
There have been several similar cases in different security lapses incidences. Most of them involve individuals who were negligent in their line of work though their expertise was security. Some of them were too engaged in other affairs to keep up with stringent security measures whilst others were basically performing data breaches on purpose. 
User Rank: Apprentice
2/13/2019 | 1:05:00 AM
People can't do what they don't know
I think most laypeople are not aware of how much it costs to have proper security systems installed on their tech devices. I reckon that many people think that anything more than an anti-virus software is excessive! If we  want more people to buy into the security culture, we have to spend more time to educate people about it!
User Rank: Ninja
1/29/2019 | 11:19:39 AM
weakest link
successful hackers no longer first look for software vulnerabilities. They're coming after your people. The reason is simple: It's cheaper, it's easier, and it works. That makes perfect sense. Exploit the weakest link: human beings.
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-22
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via via unspecified vectors.
PUBLISHED: 2019-10-22
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the...
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin ...
PUBLISHED: 2019-10-22
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusi...