If you really want to keep your IT network secure, get inside your employees’ heads, not their computers.
That advice was doled out by a security expert at a recent conference in the UK. The expert, formerly employed by the British government, said CISOs should consider hiring psychologists and behavioural experts in their bid to manage IT threats.
“This isn’t just a technical issue. A huge amount of our problems relate to human issues,” he said. “Get someone who knows about behaviouralism and evolutionary psychologists.”
Lance Spitzner didn’t give out any referrals for behavioural psychologists during his own presentation at the SecTOR security conference in Toronto. But he did offer the same advice as his British counterpart: change your organization’s behaviour, not just its security software.
“In so many cases, (behaviour) has truly become the weakest link,” said Spitzner, a certified instructor at the Maryland-based SANS Institute.
Before getting into cyber security, Spitzner was in the U.S. army. (“I’m a history major who used to drive tanks,” he told the SecTOR crowd.) Best known today as the guy who invented the honeynet to trap hackers, he’s also a globetrotting speaker and consultant for clients like the Pentagon. At various points in his career catching computer-based bad guys, Spitzner noticed a common theme.
“I kept seeing how, in many cases, it wasn’t a technical issue. It was a human issue,” he said in Toronto.
Spitzner went on to explain how focusing on “human issues” can improve IT security.
Metrics: Spitzner measures two main ones: compliance and behaviour. Measure them in a way that’s relevant (something your organization cares about), actionable, automated and repeatable.
Compliance vs. behaviour: The compliance metric ticks off boxes to show you’ve deployed all parts of your security strategy. The behavioural metric asks, “Are you actually changing behaviour?”
Fake tests have real consequences: While fake phishing emails are an easy, affordable way to measure staff behaviour, consider potential consequences. “I know of one (fake phishing) email notifying (an employee) they won the lottery and they submitted their letter of resignation,” Spitzner said.
The difference between people and computers: “… is that people have emotions,” Spitzner said. Emphasize that you’re out to help people keep their files and devices safe, not embarrass them or trip them up. Otherwise they’ll start to resent and mistrust you, he warned.
No name, no shame: Tell managers how many workers fail security tests or violate policies but never name anyone publicly. Spitzner recalled presenting a list of failed passwords to a client’s board of directors: “One of the board of directors was on that list. What do you think his password was? The name of the secretary he was having an affair with.” (Someone who repeatedly violates security should be identified to managers, he added, but not to coworkers.)
Technical tools help: Scan networks and devices for software updates and viruses. Use a URL shortener to track how many staff clicked on your fake phishing or photo link.
Physical security still matters: Some behaviour can’t be tracked with IT tools. Walk through the parking lot to see how many employees leave their mobile device in their vehicle. Test whether people without ID badges or fobs can enter the office.
It’s personal: Motivation affects behaviour. By explaining to employees that workplace security practices also help keep their own personal devices and networks safe outside the office, you answer the basic human question, “What’s in it for me?” said Spitzner.