People will find a way.
Have you ever been stuck at a railroad crossing with no train in sight? Ever been tempted to
drive around the gates to get on your way? This is an example of a security control that people undermine.
A great deal of attention regarding cyber security focuses on the technology used. While the technology is certainly an important part of cyber security, experienced cyber professionals realize that it is only part of the solution. We in SideChannel often refer to cyber security as involving people, processes and technology. In this article I will focus on what might be the most important of the three: people.
People are critical because –if they are sufficiently motivated– they will find a way around processes and technology to accomplish a task. If they do not see a train coming and they want to get on their way, they can drive around the barrier. People can undo all of your cyber security efforts and investments with just the click of a mouse.
The motivations of malicious actors are usually either financial or nation-state interests. But what about non-malicious actors? Employees who mean no harm are even more likely to undermine technical controls and policies.
There are two categories of well-intentioned employees who can knock your security controls sideways; distracted employees and those who are just trying to do their job.
There are a host of academic studies dealing with distraction in the workplace and the impact on the performance of tasks. Cyber security policies and technical controls should be designed with the environment in mind. Staff should not be asked to make information security decisions unless it is a critical part of their actual job. An experienced cyber professional can help organizations design policies and controls that are effective without being intrusive, reducing the demands on the attention of employees.
Employees who are just trying to do their job
In almost every organization there are processes and technologies that interfere with people
trying to do their actual job. These things can add unnecessary complexity to a process or completely prevent people from doing something they really need to do. Guess what? If a security control gets in the way of doing their job people will find a way around it.
This does not mean the people are bad. It means the process or technology is weak and it needs to change. The great news is an experienced cyber professional can help figure out what is broken needs to change and help implement a process or technology (or both) that actually works to help employees do their jobs.
People can be a key part of your cyber security defenses. It requires that businesses and organizations actively engage with them. That way they can understand their role better and
so can guide to what processes and technologies need to change.
~ Michael Waters, SideChannel Principal Consultant.