“I’m starting with the man in the mirror, I’m asking him to change his ways. And no message could have been any clearer, if you wanna make the world a better place, take a look at yourself, and then make a change.”
Firewalls. Encryption algorithms. Secure Cloud architectures. Card Scanners. CCTV cameras. Companies spend millions of dollars on security controls and mechanisms. Some in the form of hardware, some in the form of software. Hours upon hours are spent carefully configuring and testing all of the new bells and whistles. We build up this seemingly impenetrable wall, a fortress that we put all of our confidence into.
And then, along comes the user.
What once was the most secure fortress in the company’s existence, the result of millions of dollars and countless hours spent, is now brought crashing down in a matter of seconds by a single, well-crafted phishing email.
The “Weakest Link” isn’t a faulty piece of hardware or a misconfiguration. It’s me. It’s you. It’s the human in the mix.
Now before I offend anybody…
Allow me to elaborate on what I mean. I’ve come to learn that making this statement can cause more harm than good. It can be, and probably has been, used to put all of the blame on the end user, which I cannot say I totally agree with. Not only is it counterproductive to developing trust and understanding amongst users, but it’s also just downright unfair. From the moment we were born, we only know what has been taught or revealed to us. If I, as a user, have not been taught or informed about secure practices, why on earth would you just expect me to know what to do or what to look out for? You don’t know what you don’t know.
The Human Perimeter
I believe that we as humans are intrinsically curious, and (most of us) mean well. We try to be helpful when we can, and if something is more convenient, we tend to gravitate toward it. These are the traits that attackers count on. It’s the whole reason why attackers may opt to skip your billion-dollar firewall; they hack you instead.
When an employee clicks a suspicious link in an email, they aren’t trying to sabotage the company. They are simply just trying to do their job. When your grandma or Uncle Willy gives out their bank information, they really did believe they won the lottery. When a user sideloads an unverified app, they aren’t looking for a backdoor. They’re just looking for a feature.
Because let’s be honest, why did it take Apple so long to allow emulators on iPhones? What if someone, not named Joseph, wanted to play various Pokémon Emerald ROM hacks on their phone whenever they were out and about? Was that too much to ask?
People Aren’t Software
“Patching” people isn’t the same as rolling out updates to some software application. You can push a security patch to a thousand devices simultaneously. Millions of phones can be updated overnight while we sleep. The one thing we can’t automate is a change in human behavior. What we can do is be thorough, consistent, empathetic, and patient. Security awareness isn’t a one-time class that you go to and then you’re set for life. It’s continuous, ever evolving, and ever imperative. Bad habits have to be unlearned, natural habits have to be controlled, and some new habits, such as maintaining a “healthy” level of skepticism, need to be learned.
Besides, that’s part of the beauty in being human: unlike computers, which are deterministic, we as humans are beautifully and wonderfully complex. I mean, could you imagine how horrific it would be if we had some sort of chip inside of us that remote updates could be pushed to whenever and wherever, with no regard for human agency?
Crazy. Right?
Everyone Has a Responsibility
If we want to make the digital world a “better place”, we have to stop assuming that security is someone else’s problem. I agree that everyone has a responsibility to protect themselves. However, those who are stronger ought to be a covering for the weak, not a source of shame. Have you ever clicked a link in an email you weren’t supposed to? I’ll do you one better: Have you ever been deceived? Tricked? Lied to? Taken advantage of? Do you remember the embarrassment you felt? That feeling wasn’t exclusive to you; it’s universal.
Security starts with the person in the mirror. For the user, it starts by taking a look at our own habits:
- When you get an email, before you do anything, do you check the actual sender address, not just the display name it shows?
- Do you question the “urgent” requests be it an email, text message or even a phone call?
- Do you check in with your bank and financial institution when you get an alert related to money?
- Are you keeping your personal and professional digital hygiene in check? Strong, unique passwords, updated devices, separation of work and personal accounts?
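The first habit above, checking who actually sent the mail, is easier to describe than to do by eye, because the tricks are designed to survive a glance: a trusted brand in the display name over a different address, a domain one character away from the real one, the real domain buried inside a longer one, a homoglyph, or a Reply-To that quietly points somewhere else. The script below is an added example written for this post, not tooling from the author; the trusted domain and the sample headers are constructed for illustration.

```python
"""Sender checks behind the "verify the address" habit.

Added example with constructed sample headers; not the author's tooling.
TRUSTED_DOMAINS and the SAMPLES below are hypothetical values.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the reader actually expects mail from (assumed value).
TRUSTED_DOMAINS = {"examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a sender domain one or two edits away from a
    trusted one is the classic typosquat (examp1ebank vs examplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Part after the last '@', lower-cased; empty when there is no address."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list:
    """Return a sorted list of findings. An empty list means none of these
    particular tricks were seen, not that the mail is safe."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(addr)
    if not domain:
        return ["no-sender-address"]

    findings = []
    trusted = domain in TRUSTED_DOMAINS

    # Trusted brand in the display name, but the real address lives elsewhere.
    squashed = re.sub(r"[^a-z0-9]", "", display.lower())
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if not trusted and any(b in squashed for b in brands):
        findings.append("display-name-spoof")

    # Typosquat: within two edits of a trusted domain without being one.
    if not trusted and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        findings.append("lookalike-domain")

    # Trusted domain used as a prefix of something else: examplebank.com.evil.net
    if not trusted and any(t in domain for t in TRUSTED_DOMAINS):
        findings.append("embedded-trusted-domain")

    # Homoglyphs such as Cyrillic 'а' make the domain non-ASCII.
    if not domain.isascii():
        findings.append("non-ascii-domain")

    # Replies silently go somewhere other than the visible sender.
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != domain:
        findings.append("reply-to-mismatch")

    return sorted(findings)


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "legit": 'From: "Example Bank Alerts" <alerts@examplebank.com>\n'
             "Subject: Statement ready\n\nbody",
    "typosquat": 'From: "Example Bank Security" <security@examp1ebank.com>\n'
                 "Reply-To: <help@mail-support.net>\n"
                 "Subject: Urgent: verify your account\n\nbody",
    "embedded": 'From: "IT Helpdesk" <it@examplebank.com.login-verify.net>\n'
                "Subject: Password expiring\n\nbody",
    # "\u0430" is Cyrillic small a, visually identical to Latin a.
    "homoglyph": 'From: "Example Bank" <alerts@ex\u0430mplebank.com>\n'
                 "Subject: New device sign-in\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {check_sender(raw) or 'no findings'}")
```

None of these checks proves a message is genuine; a clean result only means the obvious impersonation patterns are absent, which is exactly why the habit is “check, then question the urgency” rather than “trust whatever passes a filter”.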
And for the professional:
- What am I doing to make the digital world a safer place? At work? In my home or community?
- Am I working with users, as opposed to shaming or working against them?
- Knowing that people are the most targeted part of any system, what am I doing to make sure that they’re protected, and as a result, the rest of the system?
If you want to secure the enterprise, if you want to secure the community, you have to start by securing the individual. It’s time to stop looking for a technical miracle, because that’s exactly what it would take: everyone in the world suddenly becoming a perfect security expert who never slips. Instead, how about we start looking at the decisions we make every single day.
