Incoming: The Weakest Link in Security Chain Is People, Not Technology

In the information security sector, the same problems and misconceptions about cybersecurity crop up again and again. Specifically, federal government leaders believe that security is purely a technology problem. But that is not the case. Cybersecurity vulnerabilities in both industry and government are regularly the result of human behavior and not solely an information technology or system error. And this human threat often is not malicious. So how are government officials to manage this type of insider risk?

One straightforward, cost-effective solution is to address the human factors that lead to cyber vulnerabilities. People make mistakes, subconsciously or otherwise, and to minimize insider risk, we must implement approaches among all users to combat security threats. Common examples of cyber weakness caused by human error include leaving laptops in unlocked cars, clicking on phishing emails, using weak passwords and losing credentials. All are easily preventable when the correct protocols and processes are implemented.

According to a recent CompTIA report, the root cause of 52 percent of all security breaches is human error, most commonly the failure to follow general policies and procedures, along with carelessness. Further, nearly one-third of more than 450 top security professionals polled in the 2015 Black Hat Attendee Survey agree that “end users who violate security policy and are easily fooled by social engineering attacks” are the weakest links in the information technology security chain of defense. Leaders must work with their operations counterparts to take a firm stance on mitigating such vulnerabilities.

To change the security culture within their agencies, both parties must recognize that while technology plays a central role in defending against hacking efforts, it is not a panacea. No single solution exists. Rather, balancing technology with rigorous user education and training is a significantly more effective strategic defense against cyber attacks.

The root problem in addressing human security vulnerabilities is that users often do not understand the larger implications of their actions. In many commercial and government enterprises, little effort is put into reinforcing the issue of security as everyone’s problem, from the server room to the boardroom. And with government agencies, human errors are a grave concern. In business, a breach can be costly, and its effects often are measured in dollars or brand value. A government breach, however, can have far more serious implications. Consider the Office of Personnel Management breach discovered in 2015 and how we may never know the full extent of the damage.

At the same time, some parts of the military have succeeded in building a culture of cyberthreat awareness. Military organizations have dedicated significant amounts of time and effort to train and exercise on various platforms to ensure that warfighters know how to operate information systems with precision. For example, Cyber Flag, a joint cyber training exercise, fuses offense and defense skills across the full spectrum of military operations. This exercise shows how to operationalize cyberspace procedures successfully by integrating them from the outset into overall planning and execution.

The Department of Defense Cyber Awareness Challenge Training program adopted by the Army also ensures that human factors in cyber risk are minimized. This training initiative seeks to guarantee that all personnel who access Army networks understand the risks involved as well as effective methods for safeguarding their systems.

These types of activities are necessary for networks that are critical to national security—and for networks connected to other downstream resources. Constantly shifting threats and increasingly sophisticated attacks also call for more budget flexibility when addressing these problems. If information technology leaders in government agencies are looking for a model for success, they should recognize the example set by the military. Those who wish to exploit government networks to do harm can be stopped when organizations take the necessary steps to establish cultural awareness of the harmful effects of negligent behavior.

Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of Hewlett Packard Enterprise’s Enterprise Security Solutions Group for HPE Enterprise Services, U.S. Public Sector. The views expressed here are his own.