Written by: Tim Conkle, CEO of The 20
The Human Element
Threat actors target human laziness and human fallibility for their most effective attacks. Social engineering cannot exist without both being present. To shore up the human element, you need to remove the openings that laziness and fallibility create. As you systematically eliminate both, you eliminate the chances for social engineering and phishing to work in the first place. Laziness and fallibility present their own threats, though.
Laziness often stems from a lack of knowledge and a lack of transparency. How can you know what the organization’s stance is if no one tells you anything? There has to be clarity and transparency about what the policies are and why they exist; otherwise, it’s easy to ignore them. Can an employee follow them the first day they’re there? If they can’t, you need either a new set of rules or a new employee.
Policy gives people a checklist so they aren’t left to their own devices. It provides a self-enforcing metric on whether they have done what they’re supposed to or not. Even if their adherence causes an issue, if they followed the checklist, they did what they were supposed to. Send the message, “If you follow policy, you’re going to be OK, no matter what happens,” and stick to it. If the policy causes an issue, fix it.
Human fallibility is deeper than just mixing up similar characters. A person who is amazing might be 98% accurate, but that means they’ll screw up in some way 2 out of every 100 times. Even if you put in place a review process, you’ll still never reach 100%. You can get close, but there’s still going to be that rare miss. You may block or train against 999,999 phishing or social engineering attempts, but that one-in-a-million attempt is going to ruin you.
Social Engineering
Social engineering uses laziness and fallibility as its main tools, but social expectation plays an important role as well. The expectation of politeness and aversion to conflict in the workplace puts social expectation at odds with work process. Without a uniform process being enforced, how can you reconcile the two?
A urinal is the riskiest and easiest place to pick a pocket. The average man will stare ahead to the point of absurdity due to the social expectation and unwritten urinal code. What happens when they are targeting more than a wallet and scan an RFID card? Laziness put the card where it could be accessed; human fallibility made the person miss the security threat. One feeds into the other. Social expectations were just the glue to make the attack possible.
Technology And Process
Technology is the flour; process is the oil, and enforcement is the heat. You have to have both the flour and oil to make a roux, but if you put them in a pan without heat, all you get is a mess. Too much heat, and all you get is a fire, though. The deployment of technology needs to be enforced, and the process needs to be followed, but there has to be a limit as well.
Make the process clear and understandable. Make the technology sane. People are going to slack off. They’re going to screw around, and they’re going to be inefficient. Know that they’ll do this, but curb it where it matters. The human element needs to be shored up, but it can’t be thrown out.
Selling Security
Security is a selling point. Ask any company if they don’t want security and see what they say. Not a single one will tell you they don’t want security. Now ask them if they’re willing to sacrifice convenience or efficiency for security and see where they stand. How many are left?
Sell security as a process toward efficiency. Backups aren’t just stopping ransomware; they’re stopping mistakes inside the company from costing wasted time. Antivirus isn’t just stopping malware; it’s stopping downtime. Sell security as a way to make the business more profitable and more efficient.
Closing The Human Gap
The only way to close the human gap is to create a process both on the technological side and the human side. Combine the two in order to strengthen the technological side and reduce potential for abuse, and strengthen the human side to stop what makes it through. If you use a plain key, a lockpick can open the door, but what if you use the newest military-grade smart card? A person can still hold the door. Each side of the equation needs to be addressed or you don’t have a balance that means anything.
To close the human gap, you have to remember that people are going to be human. People need respect and understanding to function. Target the human element by removing the questions and omitting the uncertainty. People love to say, “I was just following orders,” because it gives them an excuse for what they do when it contradicts social standards. Give your users the chance to have a process that not only works with them but, most importantly, for them.