Seeking the Root Causes of Cyber Insecurity, Part III: People

Third in a series of articles about the underlying factors that affect security posture

This is the third in a series of articles that explore the root causes of cyber vulnerability. It’s based on a survey we conducted with a panel of industry experts. The survey asked why the world is on a path to spend a quarter of a trillion dollars defending digital assets that feature built-in risk exposure. Eighty-two percent of respondents rated inherent security problems as either a major or extremely serious factor affecting security. This article shares expert insights into how people contribute, either directly or indirectly, to innate security problems in digital technology.

People, a Foundational Risk Element

“We know that most breaches are the result of human error,” explained Brendan Diaz of HighSide. He added, “We also know that cybersecurity training by in large doesn’t work. Yet we keep trying to shove a square into a round hole.” For Diaz, a better approach would be to make cybersecurity painless and invisible to the end user. As he reminded us, “If a system can be used insecurely, about 90% of users will use it insecurely. If it is secure but extremely painful to use, they just won’t use it at all, as we see with shadow IT. It’s just human nature. Generally speaking, employees aren’t trying to put their company at risk when they use unsanctioned IT. They’re just trying to do their jobs better. They don’t even understand the risks. We as an industry can do better.”

“We know that most breaches are the result of human error,” explained Brendan Diaz of HighSide

SlashNext’s Jan Liband offered a slightly different perspective. He said, “Both software and hardware are built by people, and people make mistakes. There’s almost no amount of design planning and testing that can wring out every latent security vulnerability before it’s discovered and exploited by resourceful threat actors. Plus, most systems, by their very nature, have to communicate with other systems. As long as there is connectivity, there’s some degree of vulnerability.”

Authentication, a Weak Human/Machine Link

Experts who responded to the survey pointed out that the authentication process presents a poorly-designed security link between machines and human users. “80% of hacking-related breaches are still tied to passwords. It used to be 81%,” noted Shahrokh Shahidzadeh of Acceptto. His colleague, Fausto Oliveira, pointed out that risks arise from “baked in default usernames, passwords, service ports with inadequate defenses, privilege rights wrongly assigned to trivial services, lack of proper hardware identity and poor-to-no management of identity.”

“Security tools at every level fail to take into account the compounding effects of decades of data breaches and the proliferating scale of predatory commercial data practices,” remarked Emily Wilson of Terbium Labs. She praised new authentication technologies and advanced network defense systems as representing a measure of progress, but noted, “It’s difficult to comprehend, much less combat, a threat on the scale of the billions of users, employees, and executives who have had their most basic and most sensitive information exposed scores of times. All systems rely on users and on authentication data. When all users have already been compromised, and authentication practices for most systems is outdated at best, the most advanced defense systems will fall short against the baked in vulnerability of absolute and widespread exposure.”

“Security tools at every level fail to take into account the compounding effects of decades of data breaches and the proliferating scale of predatory commercial data practices,” remarked Emily Wilson of Terbium Labs

Randy Koch of ARM Insight also cited mishandling of personal data as a driver of built-in risk. He said, “Personally Identifiable Information (PII) is not being fully protected in today’s digital environment. There are technologies available today to fully protect the individual privacy of consumers today, but they are not being used.” Richard Henderson of Lastline was concerned about “default credentials not being forced to change when the device/product is initially set up” as a factor inhibiting secure human-to-machine interactions. “Even worse,” he added, were “hidden ‘secret’ creds by along with weak encryption suites offered in the name of backwards compatibility.”

The Organization of the IT Department

The IT organization is another human-centered apparatus that inadvertently injects insecurity into the technologies it’s tasked with protecting. David Jemmett of Cerberus Sentinel put the issue in perspective, commenting, “We’ve read of the code in the router that delivered information directly back to China. Also, most engineers have in recent years been vertical to hardware, a specific OS, VMware and networking. Therefore, they do not have the holistic view of the entire environment.” He was concerned that “engineers seem to ignore open ports, vulnerability scanning and hardening of the asset.” He urged the creation of a culture that focused, “from the top down of educating the work force in proper cyber defense and compliance.”

Chelsea Zfaz of Be Strategic Solutions similarly noted the negative impact of a lack of adequate training for both cyber literate and cyber illiterate personnel. She said this is “a major cause for cyber vulnerabilities,” adding, “moreover, a lack of an awareness of a business’s level of cybersecurity—preparedness—in terms of software, hardware and operational response—is also a major cause for cybersecurity vulnerabilities.”

Survey respondents shared concerns about security leadership’s misplaced priorities. Jonathan Deveaux of Comforte, for example, related that “in many cases, leaders in organizations are spending budgets on security that doesn’t actually help reduce their exposure. Specifically, with information security, it seems that much of the money is going towards perimeter defenses, intrusion detection systems, identify/user access management systems, and other cybertech that says it has ‘AI’ in it.” Instead, he suggested, “If focus shifted to data-centric security, while continuing to ensure the other security layers are still secured, we would hear less data breach or exposure incidents.”

Jonathan Deveaux of Comforte, for example, related that “in many cases, leaders in organizations are spending budgets on security that doesn’t actually help reduce their exposure.

“We know there is no silver bullet to information security and that that you never become ‘secure’, you increase your maturity through comprehensive analysis and ensuring that all the estate has the same rigor applied, be it external facing, internal, legacy or otherwise,” said Trustwave’s Edward Williams. He then suggested “ensuring the basics (passwords, patching and policy) are covered across the estate is an excellent first step into gaining a level of cyber maturity.” He admitted, though, that this can be difficult to achieve in large organizations.

As the experts reveal, people tend to be a root cause of cyber insecurity. It’s not a hard problem to spot, but it does appear to be quite challenging to solve. Technology exists for human benefit, for the most part, so human users will always be part of the security story. Any serious effort to mitigate cyber risks., however, needs to address the vulnerabilities people introduce into the technology environment.  Stay tuned for more insights into the root causes of cybersecurity.