We look at cyber security best practice – everything from defining it to the importance of training.
Cyber security is a business problem, not a technology one.
This misconception is the greatest challenge facing businesses across entire industries, according to Ina Wanca – founder of AI Governance, and former director of Cybercrime Prevention at the Citizens Crime Commission of NYC, where she pioneered and led the Predictive Prevention Lab.
“I think the problem that we have right now is that a lot of the CEOs of organisations – in general – believe cyber security is a technology problem,” said Wanca.
Definition
What businesses really need to understand is how to create a cyber security culture. This culture should focus on the employee, because the human understanding of cyber security is lacking. And, this lack of understanding is, by far, the biggest contributor to data breaches.
A challenge when entering the cyber security domain, explained Wanca, “is to expand our understanding of what really is cyber security. It’s not just a technological field, or a technology problem, it’s a managerial and operational problem.”
“In general, we need to expand the definition of cyber security, in order to attract people from more diverse backgrounds. This will help attract more women to the field, in particular, who don’t necessarily have the technical skills. They are more suited to some of the positions that require communication or behavioural sciences skills, which are useful in tackling some of the challenges in cyber security.”
Women only represent 20% of the global cyber security workforce, and their inclusion will be vital in improving cyber security best practice, in the face of growing cyber attacks and more stringent regulation.
Diversity
Again, cyber security is not a technology problem. The human factor – the insider threat – is the most important chink in the cyber security chain.
“The majority of the cyber attacks, (93%, looking at even last year in the United States), have occurred because of preventable human error,” said Wanca.
The vast majority of cyber attacks or data breaches occur because hackers are using deception to impersonate human behaviour. This means that technology itself cannot stop all of the cyber attacks.
Responding to this realisation, organisations need to create training that is going to help employees understand how their digital proficiency impacts the environment they work in. A lack of cyber security understanding – on an individual level – leads to greater operational risk.
“We need to have diversification in the thinking process, and that comes from bringing different types of people into the discussion,” said Wanca. “This will help address the challenges and problems that need to be solved in the cyber risk domain.”
This idea of diversification extends to the hiring process. Currently, when companies are looking to hire – for example – a cyber security analyst or manager, they are looking for people graduating with a computer science degree. Of course, this experience should be a requirement. However, the hiring process in cyber security should also extend to people who don’t necessarily have technical backgrounds. These are people who have graduated with a degree in humanities or behavioural science, or similar, as it adds another perspective on the issue of cyber security.
Organisations need to shift the idea of cyber security just being limited to knowledge. If this persists then companies are simply hiring the same engineers, and the continuing cyber security problem persists. “Engineers can’t clearly communicate what exactly and how exactly we need to prevent and stop the hackers,” explained Wanca.
“Hackers are people who are very smart and sophisticated, but they’re looking for easy ways to get in. And one way to do that is by using the oldest trick in the book, which is human perception.”
“Companies should bring a diverse group of people together, in order to tackle the persistent issues, put together proper programmes and training that can help companies to limit their cyber risk.”
Cyber security training
It is increasingly evident that the companies who spend a lot of money on technologies to monitor and protect their network traffic are not solving the issue. The focus needs to be on making sure that the employees can self-learn about cyber attacks, that they understand where are the risks and ways of thinking that expose them to online attacks.
“This is achieved with training, and with information sharing with cyber security best practice between departments as well,” said Wanca. “We also need to have people that think about the different types of cyber attacks, methodologies and motivations as well.”
Software is not the end-all solution – there are too many vulnerable devices and points of entry. Businesses have to marry technology with human training to be able to really help prevent the majority of the attacks, and then plan for mitigation.
Intelligent solutions can be used to create personalised training that can help individuals to self-learn on an ongoing basis.
Wanca pointed to a personalised training system she developed in partnership with Carnegie Mellon. Here, they wanted to create an exercise to help employees to stop phishing emails. The exercise worked like a human tutor – an online training, where the training itself could assess the knowledge of the employee and tailor the training depending on skillset, give feedback and help them through the process of learning.
“This is the type of training that organisations need,” said Wanca. “The ones that are really more personalised and can help the individuals more effectively to understand the issue. The majority of the training that exists right now is ‘one size fits all’.”
Responsibility
The responsibility for cyber security depends on the company. But, it all boils down to who is in charge of the budget – the c-suite executive. “In a large insurance company, for example, the CTO is the one that will propose spending the money, and create the resources necessary to deal with cyber security,” said Wanca.
“If it’s a $1 billion insurance company, the CTO will likely propose that to the CEO, and the board of directors, who then take the decision for a new department to be created. At CTO level or CIO level, you have a budget to start the process of creating a team that can improve the situational awareness around cyber, and when hiring a more diverse workforce.”
“Having said that, it all depends on the company and how the organisational structure works.”
Technology
Cyber security is a business problem, not a technology one. It has been made clear that training and the building of more diverse teams are more important in cyber security best practice than implementing a new, ‘shiny’ technology.
However, this is not to say technology should be overlooked – especially regarding prevention. Artificial intelligence, for example, is an umbrella technology that will disrupt the cyber security industry and how cyber security solutions are developed.
‘AI-led solutions’ are already being used by companies to detect abnormal network behaviour. At the same time, hackers are also using artificial intelligence. “There are, right now, artificial intelligence-based attacks,” said Wanca. “There are artificial intelligence phishing scams, meaning that hackers are using different machine learning skills to find out how key employees in companies act and communicate, so that they can mimic the culture and create the best way to deceive the employee of the company.”
“They also use machine learning to prioritise their targets. Cyber security attacks are not, anymore, random. They’re more personalised.”
The more companies use ‘artificial intelligence’, the more it will help help them detect these attacks, and how to help with intrusion detection.
Artificial intelligence, machine learning and automation solutions can be used for prevention. But, “organisations have to be smart about using it, and create better training that uses AI to create better prediction algorithms; that can, for example, detect what in the behaviour of the employee could be triggered, which could expose the employee or the person to attack.”
Moving forward, the use of AI will be important in understanding what future attacks will look like and how to prevent them.
This article originally appeared on Information-Age.