Isaac Kohen— February 18, 2020
A recurring theme I have found in security industry discussions since the start 2020 is the “human element,” of cybersecurity. a topic that I highly value. Information security professionals often interpret the human component of IT as “human fallibility,” the weakest link in a company’s data security apparatus. You can’t blame them. In many cases, cybersecurity incidents are enabled by human error, malicious intent, or ignorance. In fact, according to a study by IBM, human error is the leading cause of 95% of cybersecurity breaches. Therefore, it makes sense that the industry is increasingly investing in technologies, strategies, and standards that minimize these human risks. It’s one of the primary reasons that technologies offering behavior monitoring, insider threat detection, and data loss prevention tools are designed to reduce threats from both malicious and accidental human actors.
However, this isn’t a diatribe about the obvious predicament facing today’s data security landscape. Instead, I’ll look from the other side of the human equation: the users we are supposed to guard. Humans aren’t just resources that you can force to comply with security best practices. We have feelings, concerns, and needs. An effective security strategy will need to address these human elements.
For example, if you implement a strong password security policy without addressing the human tendency to look for convenience, people will find a way to bypass the rule. They will either write it down in plain text, save it on their browser, or start repeating the same passwords on unsanctioned/personal sites. You will need to provide them with an efficient option such as SSO, key vault, or something else to manage their passwords easily.
Similarly, let’s consider workplace monitoring. Many companies use these services to improve productivity and to reduce insider threats and data leaks. However, if you ignore the employees’ right to privacy, you will risk legal ramifications, not to mention cultural rifts, loss of trust, and many other issues that will outweigh any security benefits you can achieve. In other words, you need to adopt solutions and policies that are effective at delivering not just a functional security but enables inclusion. Let’s take a look at how this is accomplished.
In recent years, data privacy has become the topic of conversation among cybersecurity professionals because of the introduction of GDPR, CCPA, and other similar laws. On the one hand, you need to protect your customers’ data, your intellectual property, and business secrets from external or insider threats. At the same time, you have an obligation to uphold your employees’ privacy. The solution is to use autonomous systems, such as employee monitoring, UEBA, and DLP systems, to implement endpoint security but do so without inadvertently capturing employees’ personal data and exposing yourself to privacy violations. For example, suspend monitoring and keystrokes logging when users visit their bank’s website or access their personal email account, use anonymization or smart blackout features to redact PII/PFI/PHI or other private data. This can be a bit tricky and requires modern solutions that have such capabilities.