Employees are the root cause of all data breaches
By now I’m sure almost everyone has heard about the Capital One breach. You have likely seen the commentary surrounding the breach, what caused it, and how it could have or should have been prevented.
My question is: Haven’t we learned anything from all these breaches? While the question is rhetorical, it is certainly relevant.
Everyone should be asking themselves what can be learned when something like this happens: what caused it, how it was handled and how it was resolved. I have read many comments, blogs and news articles, each with varying opinions from “experts” and some with conflicting facts presented to support the author’s perspective.
Credit unions need to think about the root cause of all breaches so that they can approach cybersecurity programs from a different perspective. You may have noticed I said, “all breaches” and may now be thinking, “But there are many things that can cause a breach!”
I believe humans are the root cause of all breaches. Essentially, we either make a mistake or make an intentional decision to cause harm. Now there are subsets under these, such as we didn’t have all the information or we had bad information, but it still comes down to human action or inaction.
Writing vulnerable code, misconfiguring a firewall, granting too much access, keeping too much data for too long and taking on too much risk – these are all things that result from human involvement.
Will machine learning and artificial intelligence be the answer? I find it unlikely as we humans have created those as well. Sure, they can be a tool that we use to help find and, hopefully, reduce our mistakes, but ultimately, they cannot change the human condition itself.
So then, is all hope lost? Fear not, for that which makes us weak, also makes us strong. When we are more conscious about the cause of something, we can equip ourselves to fix it. One of the great things about being human is that we can choose to change what we don’t like, including ourselves, and it all starts with taking ownership of the problem.
I believe that most of us know, deep down, what must happen in order to reduce the quantity and severity of breaches. We must slow down and make better choices.
Don’t skip security testing because the setup took longer than expected. Move the deadline instead. Start allotting a contingency for deadlines in your projects. Security needs to be a requirement.
How much data do you keep around? Where? For how long? Who has access to the data, and do they really need that access? I wonder if Capital One really needed to have credit applications from 2005 located in the same place as the most recent ones.
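The retention and access questions above can be turned into something you actually run. The following is an added example, not code from the original post or from Capital One: it takes a small constructed inventory of records and access grants (the store names, principal names, record IDs and the seven-year and one-year retention windows are all hypothetical assumptions), flags records that have outlived their retention period, flags stores that mix expired and live data in one place, and flags principals whose access has gone unused.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical names and dates, not real data).
# Assumed policy: retention windows in years per record kind.
RETENTION_YEARS = {
    "credit_application": 7,
    "marketing_lead": 1,
}

RECORDS = [
    {"id": "app-2005-0001", "kind": "credit_application", "created": date(2005, 3, 14), "store": "apps-archive"},
    {"id": "app-2011-0417", "kind": "credit_application", "created": date(2011, 11, 2), "store": "apps-archive"},
    {"id": "app-2019-0088", "kind": "credit_application", "created": date(2019, 6, 30), "store": "apps-archive"},
    {"id": "lead-2018-0009", "kind": "marketing_lead", "created": date(2018, 1, 5), "store": "crm-export"},
    {"id": "lead-2018-0310", "kind": "marketing_lead", "created": date(2018, 6, 1), "store": "crm-export"},
]

# Constructed access grants: who can read which store, and when they last did.
ACCESS_GRANTS = [
    {"principal": "svc-web-frontend", "store": "apps-archive", "last_used": None},
    {"principal": "analyst-jdoe", "store": "apps-archive", "last_used": date(2019, 7, 20)},
    {"principal": "svc-batch-report", "store": "crm-export", "last_used": date(2019, 1, 3)},
]

# Fixed review date so the results are reproducible.
REPORT_DATE = date(2019, 7, 29)


def add_years(d, years):
    """Shift a date forward by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expired_records(records, policy, today):
    """IDs of records whose retention window has already passed."""
    return [r["id"] for r in records
            if add_years(r["created"], policy[r["kind"]]) <= today]


def mixed_stores(records, policy, today):
    """Stores holding both expired and still-retained records side by side."""
    expired = set(expired_records(records, policy, today))
    flags_by_store = {}
    for r in records:
        flags_by_store.setdefault(r["store"], set()).add(r["id"] in expired)
    return sorted(s for s, flags in flags_by_store.items() if flags == {True, False})


def stale_grants(grants, today, max_idle_days=90):
    """(principal, store) pairs never used or idle longer than the threshold."""
    cutoff = today - timedelta(days=max_idle_days)
    return [(g["principal"], g["store"]) for g in grants
            if g["last_used"] is None or g["last_used"] < cutoff]


def run_review(today=REPORT_DATE):
    """Run all three checks over the constructed inventory and return the findings."""
    return {
        "expired": expired_records(RECORDS, RETENTION_YEARS, today),
        "mixed_stores": mixed_stores(RECORDS, RETENTION_YEARS, today),
        "stale_grants": stale_grants(ACCESS_GRANTS, today),
    }


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(f"{name}:")
        for item in findings:
            print(f"  - {item}")
```

Each finding maps to one of the questions in the paragraph above: "for how long?" is the expired list, "where?" is the mixed-store list (old data that should have been purged or segregated sitting next to the data the business still needs), and "who has access, and do they really need it?" is the stale-grant list. The thresholds are assumptions; the point is that the answers come from an inventory you maintain, not from memory.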
There will likely never be a single product or service that will make you secure, so we need to focus on the basics of cybersecurity: people, process and technology (PPT). Confidentiality, integrity and availability (CIA) are important too, but we need the right PPT to achieve CIA.
People: Do employees have the right skills? Are they applying those skills consistently every day? Are you giving them the necessary resources, such as time and respect, to apply their skills? When they tell you something, do you believe them and place value on what they say? Are they overworked? Do you feel they have your best interest in mind? Do you have theirs in mind? If respect is an issue, then start with that. People are of the utmost importance and respect matters.
Process: Do you have one? Do you have a good one? There is a difference. Do you follow it consistently every time, or is it contingent on who wants it and how quickly? Your processes should be well thought out, make sense, be easy to follow and be clearly documented.
Everyone should perform risk assessments. Are they effective and consistent or are they just theater for when the auditors come around? Are they well documented and audited for completeness and accuracy each year? Do they truly impact the decision-making process?
Technology: This one can be a double-edged sword as it can give a false sense of security. Technology should be carefully chosen for a defined purpose, well documented and well managed. Having 10 firewalls and 100 detection systems is quite useless if they are poorly configured, wrongly placed, inspecting the wrong things, or even worse, totally forgotten about. From a security perspective, I would rather have a few well managed, maintained and monitored systems than a large quantity of mismanaged and unmanaged ones.
Remember, the presence of security technology does not translate into the presence of security itself. It takes good people and processes to ensure that the technology is effective. Take ownership of your cybersecurity today and improve your PPT.