Transforming employees from your weakest link into intrusion specialists

It’s widely accepted within the cyber security industry that employees are the weakest link in a business’s defense against hackers and cyber-attacks.

Having all the software in the world won’t solve the problems of insider threats and human error but, whilst the focus used to be primarily centred on technology, more and more companies are now paying attention to the human element.

One company facilitating this movement is security behaviour management firm PhishMe. I got the chance to speak to Jim Hansen, PhishMe’s chief operating officer, at InfoSecurity 2016 about the merits of human intelligence in the current threat landscape.

In the past, “the balance has been massively on the technology side,” Jim said. “Technology is important in the back end, no doubt about it, but my argument is that for the past 20 years we’ve totally neglected people in this business.” But it’s not awareness that is the issue, as Jim is quick to point out: “my mother is aware of phishing attacks, but she still clicks on links. She’s aware, but it’s behaviour that matters.”

So, how do you change the behaviour of your employees? Well, running phishing exercises, as PhishMe is well known for, is “just the starting point. What we really want to do is be able to make every single person in a customer’s organisation an intrusion detection sensor, because we are naturally really good at spotting stuff that sounds weird, looks weird, seems dodgy.” Jim used the analogy of walking along a dark road at night when two people start following you. That’s something we would pick up on as being strange, and PhishMe is aiming to “extend that analogy into IT security.”

By enabling employees to quickly and easily report anything that seems unusual, businesses can catch things that slip through the net whilst also generating real-time threat intelligence. As Jim explained, “the data you’re getting right then and there, it’s real, it got through whatever you’re using on the front end and now you’re getting told about it. That power is amazing.”

But it doesn’t have to stop there: “The other piece of it is, as you work with your people, as you get them better conditioned to respond and they start telling you things, you build this magical idea of reputation.” The extra value comes when employees are motivated to report as accurately as possible, rather than just whenever they remember. This gamification element helps to build good behaviour, helping employees to understand “not only the problem itself, but the relative value of that data.”
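The reporting-plus-reputation idea above, as an added illustration that is not PhishMe’s code and is not described in the interview: each employee’s past reports are scored once an analyst has confirmed them as phishing or benign, and the unreviewed queue is ranked by that reputation, with a boost when several people flag the same message. The smoothed-accuracy formula, the 0.25 boost, the names and the sample mail are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Reporter:
    """One employee's reporting record, labelled by the SOC after review."""
    confirmed: int = 0   # reports that turned out to be real phishing
    benign: int = 0      # reports that turned out to be harmless mail

    def reputation(self) -> float:
        # Smoothed accuracy (assumed scoring choice): a new reporter starts
        # at 0.5 rather than jumping to 0.0 or 1.0 after a single verdict.
        return (self.confirmed + 1) / (self.confirmed + self.benign + 2)


def record_verdict(history: dict, reporter: str, was_phish: bool) -> None:
    """Feed the analyst's verdict back into the reporter's record."""
    rec = history.setdefault(reporter, Reporter())
    if was_phish:
        rec.confirmed += 1
    else:
        rec.benign += 1


def triage(history: dict, reports: list) -> list:
    """Rank unreviewed reports: each scores by its reporter's reputation,
    plus 0.25 per other employee who flagged the same sender/subject, since
    several independent reports suggest a campaign that got past the filters."""
    seen = defaultdict(list)
    for r in reports:
        seen[(r["sender"], r["subject"])].append(r["reporter"])
    ranked = []
    for r in reports:
        rep = history.get(r["reporter"], Reporter()).reputation()
        others = len(seen[(r["sender"], r["subject"])]) - 1
        ranked.append({**r, "score": round(rep + 0.25 * others, 3)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample data (not from the article).
HISTORY: dict = {}
for who, verdict in [("alice", True), ("alice", True), ("alice", False),
                     ("bob", False), ("bob", False)]:
    record_verdict(HISTORY, who, verdict)

QUEUE = [
    {"reporter": "bob", "sender": "helpdesk@example.test", "subject": "Password expiry"},
    {"reporter": "carol", "sender": "helpdesk@example.test", "subject": "Password expiry"},
    {"reporter": "alice", "sender": "news@example.test", "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for r in triage(HISTORY, QUEUE):
        print(f'{r["score"]:.3f} {r["reporter"]:6} {r["subject"]}')
```

With the sample history, carol’s first-ever report outranks bob’s only because a second person flagged the same message; bob’s record of benign reports pulls his own score down.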

This approach also goes some way to solving the skills gap in the industry at the moment, not by suddenly turning everyone into security experts but by upping the overall level so that everyone can play their part: “I’m not going to make every person in the company some cyber ninja warrior, but if I can at least get them to exercise some common sense and use the ‘see something say something’ model, then they can actually achieve something.”

Rather than having to hire extra senior security professionals, companies can “make their jobs easier and make them more efficient by working on the skills gap that the rest of us have.”

Of course, a balance still needs to be struck. The point is not to overdo the human element – businesses still need to do “as good a job as you can” with the technology available – but to make sure it is not ignored or neglected. That way, employees will be empowered to help, rather than simply ignoring what they see.

So, will your security be perfect if you spend more time focusing on the human element? Of course it won’t. But that added level of protection might just be enough to stop a small-scale infection from turning into a large-scale breach.

Image credit: Shutterstock/Tashatuvango