Grasping human behaviour is the key to improving cybersecurity

By Alvin Rodrigues, Senior Director and Security Strategist, Forcepoint Asia Pacific

Data corruption, denial of service attacks, data exfiltration, malware infection and insider threats – what do these have in common?

Answer: they were the top security incidents faced by Singapore-based organisations in the last 12 months, according to a recent Forcepoint-Frost & Sullivan Risk and Cybersecurity survey based on responses from 100 business and IT decision makers in the republic. They are also the incidents that more firms here would have sidestepped if they had a better understanding of human behaviour, both the hacker's and the user's.

In fact, many sophisticated cyberattacks today succeed because organisations have not considered human behaviour – for instance, intended malice or inadvertent human errors – when trying to safeguard their critical data and users. Firms need to better understand the context that gives rise to malicious, or inadvertent but nonetheless risky, behaviour.

As an example of malicious behaviour that could have been picked up by behaviour analytics, let’s say a sales manager in your company is downloading customer contact information. This action in itself may not be noteworthy, but if the firm has the technology to connect the dots to see the broader context that this person has been passed over for a job promotion and denied a pay rise due to poor performance, he may be assigned a higher risk score and the incident may be worth investigating. The sales manager could well have been downloading customer contact information to take to a new employer.

Examples of unwitting risky behaviour are easy to find. All companies have mostly honest and dedicated staff who are focused on getting the job done but are ignorant of security matters. They can easily click on phishing emails that compromise corporate data.

The bottom line is that behaviour is a continuum that varies from employee to employee. It can also change in an instant for particular personnel depending on what’s happening to them personally or professionally. Modern cyberdefences must be able to make provisions for this.

The Frost & Sullivan survey reveals that three-quarters of Singapore firms have adopted cloud as part of their digital transformation. Given cloud’s pervasiveness, the application of human centricity needs to go beyond on-premise IT resources to organisations’ cloud deployments.

Businesses must reach out to their cloud service providers to get greater clarity on how their critical data is handled, and take on joint responsibility for the security of that data. Today, as many as 50% of the Singapore firms polled think cybersecurity is the responsibility of their cloud service provider. This is not good enough and the figure needs to go down a lot more for the modern borderless enterprise to truly improve its security posture.

Organisations’ concerted move to the cloud makes it urgent for them to fundamentally change their cybersecurity approach to better take into account human behaviour.

The first step is to stop thinking about security as a technical issue that can be solved only with technology solutions. Today’s sophisticated threat landscape is a multifaceted organisational challenge. Cybersecurity is therefore a business responsibility – it calls for insight into how data is being used across myriad business functions. Shifting the focus to understanding the behavioural patterns of people and their interactions with data provides clarity on “who” is using sensitive data, “why” and from “where.”

By taking a behaviour-centric approach to security, a baseline of user behaviour is established, which the cybersecurity team and business leaders can use to better manage risk. If an employee is working normally on the job, the cybersecurity team can get out of the way. But if the behaviour is inconsistent with the known pattern, the cybersecurity team can recognise the risk and quickly respond with coaching or stronger enforcement policies. Context matters. Security teams that only focus on securing computers and servers will miss the broader perspective and the signs of an incident or data breach until months or even years after it has happened.

As an example, let’s say an employee’s laptop was hacked. If an effective human-centric security approach had been in place, there is a good chance that the solution would know what the employee’s usual work behaviours look like, and could automatically flag to security teams if a hacker takes over the laptop and behaves in ways never seen before. The security teams can thus swiftly address and resolve the threat.

With threats becoming more sophisticated by the day, firms must take a risk-adaptive approach to security that would let them continuously assess the risk of each user and dynamically provide proportional enforcement. Only by prioritising risk profiles would companies be able to focus on dealing with activities that pose the greatest threat, thus freeing up resources for higher value work and improving the security posture of the business overall.
