There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?
In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.
“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.
A Failure of Leadership
One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.
“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”
New School Safety Science
Improving Cyber Security Skills And Knowledge At Board Level