Why The Real Key To Cybersecurity Is Psychology
By Max Emelianov, CEO, HostForWeb
Building secure infrastructure is all well and good - but if you really want to keep your data safe, the best way is with an understanding of how people think.
It’s a truth as old as time itself. No matter how formidable your defenses, no matter how thick your walls or how deep your moat, your weakest cybersecurity link will always be people. They’re the most effective backdoor into a secure system, the leading cause of data leaks, and ultimately the biggest threat to your infrastructure.
Addressing that threat requires more than mitigation tools and techniques, and more than security systems.
It requires that you understand psychology. You need to know how your employees think, but more importantly, you also need to know how your attackers think. Equipped with that understanding, you’ll know exactly what needs to be done to proactively address and mitigate potential data leaks and cyberattacks.
Keeping Your People Secure
Traditionally, people have something of an adversarial relationship with cybersecurity. Although consumers are far more security-conscious than they used to be, people still prize convenience over security. They’re interested in doing their jobs - in being as efficient as possible without worrying about whether or not they’re putting corporate data at risk.
And the truth is, they usually are.
There are plenty of reasons for such behavior. They might be ignorant about the risks of their behavior - they might not realize exactly how they’re putting data at risk. Maybe they see security as an IT problem rather than something they necessarily need to care about, or maybe they simply aren’t being given the proper knowledge.
“The role that insiders play in the vulnerability of all sizes of corporations is massive and growing,” writes Marc van Zadelhoff of The Harvard Business Review. “Understanding the users who hold the potential for the greatest damage is critical. Addressing the security risks that these people represent, and the critical assets they access should be a priority. In particular, monitor IT admins, top executives, key vendors, and at-risk employees with greater vigilance.”
By understanding how your people think and act - and why - you can better prepare yourself to reshape your security posture. When doing so, there are a few things you need to consider.
- What assets you’re trying to protect, and who has access to them.
- What security tools you already have in place, and how they impact the experience of your end users.
- How often you engage in cybersecurity training with your people, and what that training involves.
- Whether or not you work with an external agency to perform test phishing campaigns and social engineering attacks.
- The prevalence of personal devices in your workplace such as tablets, smartphones, and wearable technology.
- The password policies you’ve put in place, and how well your employees adhere to them.
- The general attitude towards cybersecurity within your organization. Do your staff feel engaged with and responsible for protecting corporate data, or do they seem to believe it’s your IT department’s problem?
“By understanding what drives people’s behavior, we can come up with ideas for how to change it,” reads a piece on We Forum. “For example, the reason a person does not use a password on their device may be that they do not know the risk they are taking. In this case, we need to improve the user’s capability by teaching them about security risks. By contrast, the reason could be that the device is hard to interact with and it takes up a lot of time to set up a password.”
Study your employees. Look at how they work, and talk to them about their needs and requirements. Endeavor to understand them, and use that understanding to push them to be better at cybersecurity.
Knowing Your Enemies
Once you understand what your most important assets are, you’ll be able to figure out why someone would target those assets.
And by understanding that, you can better formulate a plan to protect them. If you work in healthcare, for example, attackers might want to steal patient data to sell on the black market, or lock it down with ransomware to get some money out of you. If your business has recently made some unpopular decisions, targeted cyberattacks might instead be politically motivated.
Generally speaking, the motivation behind any given cyberattack is one or more of the following:
To Make Money
The simplest motivation. A criminal who targets a business in an effort to make money may be attempting to facilitate identity theft. They could also be trying to make off with proprietary data such as product blueprints or customer lists.
They might be part of a criminal organization that’s trying to sell the data to the highest bidder, or they may simply be trying to blackmail a business by locking down the data with ransomware (or threatening them with the release of that data).
This motivation is the easiest to predict and guard against: understand what data has the most monetary value to an attacker (and what data has the most monetary value to you), and lock that data down.
To Make a Statement
Has your business done anything controversial lately? Best be on your guard - you might well be the target of politically or socially motivated ‘hacktivists.’ These criminals might simply want to blacken your eyes a bit to teach you a lesson, but more often they’re looking to bring about some form of change - perhaps by releasing damaging information such as what we saw with the Panama Papers attack.
To Create Chaos
You’ve likely heard of Lizard Squad by now - the hacker group that targeted companies like Sony and Microsoft over the Christmas holiday, shutting down video game networks such as Xbox Live and the PlayStation Network. This group didn’t want any money for what they did, nor did they make any demands.
Instead, they simply wanted notoriety.
Unfortunately, attackers of this type are the hardest to predict, and the hardest to protect yourself from. They don’t want you to give them money, or to respond to their attacks. They simply want to watch the world burn.
Out of Frustration
A disillusioned IT professional. A former worker, angry about being laid off. A developer who has simply stopped caring about their organization. The one thing these employees all have in common is anger - and the capacity to turn that anger against their company and cause as much damage as possible.
Ideally, you want to address this problem by treating your workers well, and ensuring they don’t have reason to become disillusioned. But in some cases, this might not be entirely possible. In such situations, it’s important that you’re able to recognize the signs that someone might be malicious - and take action to prevent them from causing too much damage.
Good cybersecurity is about more than technology alone. It’s about understanding both your own people and the people targeting you. Only by taking a psychological approach can you truly keep your people, systems, and data safe from those who would do them harm.
About the Author: Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services.