When we think of cybersecurity, we typically think of various forms of digital technology – apps, malware, and so on. However, at bottom, cybersecurity comes down to people. It’s humans who create and direct threats. It’s humans who are the biggest vulnerabilities and need to be protected.
Cybercrime Magazine’s recent talks with Jim Zuffoletti, co-founder of SafeGuard Cyber, and Christopher Porter, CISO at Fannie Mae have explored the human element of cybersecurity. They discussed how humans affect their company’s digital security, and the risks that come with the tools they use (particularly with unsanctioned apps). They also discussed how enterprises can close their cybersecurity gaps, and protect humans from digital risk vectors, as well as from themselves.
Here are some of the highlights of these interviews:
What Humans Represent in Cybersecurity
In the interview, Jim explains the complex relationship of humans to their digital environment:
“The human is the last mile of communication, and is the great vulnerability. But at the same time, the human is the essential element. And so if you do not protect the human the way that they want to work, the way they want to communicate, any security scheme will ultimately fail.”
This is proven by the current focus of various industries with security awareness training, and teaching companies the dos and don’ts in terms of workplace security. However, what companies often find difficult to do is to secure the tools that these humans use. One of the main reasons being that humans have a habit of taking the “desired path” in almost everything they do.
“Humans will inherently always want to do things in the most efficient way. And so you can't protect the human on a platform like a social media channel or a collaboration platform by telling them that they have to work through a particular interface or a particular device.”
Even in a professional environment, humans will always go with their preferences, the applications and the devices they want to use in conducting business. And if your security protocols and solutions get in the way of that, more often than not, you will see failure.
Guide: Learn how you can secure collaboration tools and use them safely
The Risks that Come with Digital Communications
Jim also explained how the communications applications that companies utilize end up creating danger around the human element of cybersecurity.
For example, social media is currently where brands boost their image and expand their market, but it’s also a source of threats. Executives and employees alike need to take great care with what they post in social media, lest they risk digital threats such as social engineering, identity theft and account takeovers, as well as compliance and regulatory burdens.
“Recently, one of the vaccine CEOs was impersonated on social media. That's something that's continuing to be a risk that organizations face."
And it’s not just social media. Mobile chat applications and tools can be used as backdoors by cybercriminals, as well. Jim believes CISOs and their security teams should pay great attention to securing mobile chat and communication apps because of the threat surface they expand:
“The reason they should pay attention to [securing mobile chat apps] is if the richest person in the world, Jeff Bezos, can be hacked via his messages, via an altered file that comes in via WhatsApp, we are all vulnerable. As individuals, all humans are vulnerable via those kinds of channels.”
Communication Tools = Risk Vectors
Christopher, CISO at Fannie Mae, echoed many of Jim's themes in his chat with Cybercrime magazine. He admits most CISOs look at current communication apps and tools as risk vectors, especially when it comes to data loss and data leakage.
“Certainly, they can be used as a vector for attacks that come into the organization. But what I've seen, at least in my experience, as well as what others have, is that these tools fit multiple categories.”
Case in point: LinkedIn has a ton of capabilities, depending on how a company uses it. Recruiters, managers, and human resource personnel can use it professionally to get that outreach to the right markets and pull in the right people. Of course, that comes with its own risks, what with LinkedIn profiles being hacked and their data sold to the highest bidder in the deep, dark web.
Github is also a valid example. As a collaboration tool, various businesses pull codes and data from public Github repositories into a different one they own. However, what you don’t want is your own data getting pulled from your Github repository. Moreover, getting the right technology that can go granular with that low level of use can be hard.
“The technology isn't super mature around this. You get a lot of friction, even more friction [than usual].”
Defense Layers and Risk Appetites
When asked about unsanctioned apps, Chris points out how people tend to leverage them “just to get the job done,” unaware of the risks they are exposing themselves (and their company) to.
“The big problem is, in security, you always talk about vulnerability management; it's like Whack-a-Mole. That's the same thing with all of these unsanctioned apps out there, it is absolutely Whack-a-Mole.”
This is why, Chris further states, there is a need for different layers of defense. One would be using proxy technologies to try and filter down the risks to the human element of cybersecurity. Another would be to employ technologies that protect data “wherever it goes.” Problem is, such solutions can be operationally harder across the organization.
As an attempt to address that issue, companies often have different ways of managing their mobile devices. Some prefer providing company devices to their employees, which usually comes with strict mobile device management and operation protocols. Others go with a BYOD approach, which opens up the opportunity for users to insert unsanctioned apps in their work process. In any case, both approaches have pros and cons that organizations need to consider before implementing them.
“I think it's something that every company has to look at when it comes to their risk appetite; what they're willing to have [versus] what they already have, from a risk perspective.”
See the interview here for more insights from Chris and his perspective on cybersecurity as a long-time CISO for Fannie Mae: