There are plenty of IT security horror stories where the call is coming from inside the house. In fact, about 88% of data breaches are caused by employee mistakes, according to a Stanford/Tessian study.
But it’s probably wrong—and unfair—to view people as your weakest link, according to Chris Morales, chief information security officer for Netenrich.
“That’s false. People are your most valuable resource,” said Morales during a breakout session at ChannelCon 2022, Importance of People and Processes in Cybersecurity. To help overcome that opinion, Morales detailed three ways to get people involved in security compliance without blaming them for mistakes. Here’s a closer look at each:
1. Look at Behavior First
Building a successful process includes effective security awareness training and standardized procedures, but the first step is assessing the risks and finding out why people are engaging in risky behavior. A remote task automation and configuration management program, for example, can be a helpful tool for users; the same program can also be a red flag for a security team.
In the past, security experts would identify a risk and cut it off from use, but Morales said making rules doesn’t cut it. “I don’t like rules,” he said. “I got into cybersecurity because I don’t like rules.”
Instead of applying a blanket restriction, Morales recommends figuring out why people are using these tools before you start telling people why not. Help people understand from a technical point of view, in terms they can understand. Develop a file transfer protocol (FTP) that works within your security boundaries. “You don’t just go to somebody saying not to do it. The question is ‘Why are you doing it?’ and ‘What are you trying to solve?’” he said.
What do you do when someone says they can’t do the job without the proper tools? “That’s the job,” Morales said. “The answer is you have to sit down and figure that out. You have to come up with a better way.”
Organizations can strengthen their security posture by creating a security-first culture. Most often, he said, that answer has something to do with zero trust.
“It's pretty easy for me to look at that and say, why are you doing that? Is there another way to do this? Can we turn that FTP off?” he said. “These are behaviors and you can collect these before it’s a problem.”
2. Offer Situational Awareness Reports
Gather information about your organization before the enemy gains similar information—that’s the idea behind situational awareness, developed in World War I. “The idea is to be proactive and say, ‘Give me a state of everything that's happening right now’ on a regular basis,” Morales said.
You can offer a situational awareness report to executives and department heads so they can better understand current threats. If your finance team fields a good chunk of email compromise attacks, let them know—but be careful not to flood them with too much unfiltered data. Find the right amount of situational awareness to get people to understand the information without being overwhelmed.
“If somebody is using Office 365 in an insecure manner and they're storing data, I make them aware of the type of attacks going on against them,” Morales said. “It’s constantly educating and informing. ‘Here's what we're up against.’”
3. Track Behaviors Over Metrics
How do you know if behavior modification is working? Morales said the ultimate goal is to measure behavior outcomes rather than raw user activity.
“I can look and say, ‘This person has followed a good secure, reasonable process over the last three months. That's a positive.’ And I can show how each department works and I can focus on that,” he said. Create user identity profiles to track behavior and help identify safe and risky moves. “I want to score and reward people for doing a good job, not scold them for doing a bad job.”
The trending solution in security is shifting away from compliance-based process to understanding human behavior and culture, Morales said. “Everything we do is behavior-based as a security operations team.”
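The three practices above (collecting risky behaviors before they become a problem, briefing departments on what they are up against, and scoring people on secure habits over a window of time rather than scolding them) can be sketched in a few dozen lines. The script below is an added illustration, not code from the session or from Netenrich; the log format, the action names, the point weights and the 90-day window are all assumptions chosen for the example, and the log lines and attack observations are constructed sample data.

```python
"""Behavior-first scoring over constructed event logs (added example, not from the session)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines: one user action per line as key=value fields. Not real telemetry.
LOG_LINES = """\
2024-05-01T09:12:00 user=alice dept=finance action=sftp_transfer
2024-05-01T10:03:00 user=alice dept=finance action=phish_reported
2024-05-02T11:45:00 user=bob dept=finance action=plain_ftp_transfer
2024-05-02T12:00:00 user=bob dept=finance action=phish_clicked
2024-05-03T08:30:00 user=carol dept=engineering action=mfa_enrolled
2024-05-03T09:00:00 user=carol dept=engineering action=plain_ftp_transfer
2024-05-04T14:20:00 user=dave dept=engineering action=sftp_transfer
2024-01-15T09:00:00 user=bob dept=finance action=phish_clicked
""".splitlines()

# Assumed weights for illustration: reward secure habits, flag risky ones.
WEIGHTS = {
    "sftp_transfer": 2,
    "phish_reported": 3,
    "mfa_enrolled": 2,
    "plain_ftp_transfer": -3,
    "phish_clicked": -4,
}

# Constructed attack observations (department, attack type) for the situational report.
ATTACKS = [
    ("finance", "business_email_compromise"),
    ("finance", "business_email_compromise"),
    ("engineering", "credential_phishing"),
]


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with the timestamp parsed to a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def score_users(lines, now_iso, window_days=90):
    """Per-user behavior profile over a rolling window: department, score, risky actions seen."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    profiles = {}
    for line in lines:
        ev = parse_line(line)
        if ev["ts"] < cutoff:
            continue  # behavior older than the window no longer counts for or against anyone
        p = profiles.setdefault(ev["user"], {"dept": ev["dept"], "score": 0, "risky": []})
        w = WEIGHTS.get(ev["action"], 0)  # unknown actions are neutral
        p["score"] += w
        if w < 0:
            p["risky"].append(ev["action"])  # something to ask "why are you doing that?" about
    return profiles


def department_scores(profiles):
    """Average behavior score per department, so leaders see trends rather than individuals."""
    totals = defaultdict(list)
    for p in profiles.values():
        totals[p["dept"]].append(p["score"])
    return {dept: sum(s) / len(s) for dept, s in totals.items()}


def situational_report(profiles, attacks):
    """Per department: the attacks it is facing and the risky behaviors worth a conversation."""
    report = defaultdict(lambda: {"attacks": Counter(), "risky": []})
    for dept, kind in attacks:
        report[dept]["attacks"][kind] += 1
    for user, p in profiles.items():
        for action in p["risky"]:
            report[p["dept"]]["risky"].append((user, action))
    return dict(report)


if __name__ == "__main__":
    profiles = score_users(LOG_LINES, "2024-05-05")
    for user, p in sorted(profiles.items()):
        print(f"{user:6} {p['dept']:12} score={p['score']:+d} risky={p['risky']}")
    print("department averages:", department_scores(profiles))
    for dept, r in situational_report(profiles, ATTACKS).items():
        print(f"{dept}: attacks={dict(r['attacks'])} risky={r['risky']}")
```

With the sample data, alice ends at +5 and bob at -7, so finance averages -1.0 while engineering averages +0.5; the finance report pairs its two business email compromise attempts with bob's plaintext FTP use and phishing click, which is the conversation Morales describes having before the behavior turns into an incident. The window matters: the January click on bob's record is dropped, so a user who has followed a good process for the last three months is not still carrying an old mistake.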