The people problem — security’s biggest blind spot


How organisations can turn their biggest security threat — people — into their best security asset. But relying on people as the first and best line of defence requires well-trained professionals and there is a shortage.

Sensitive data breaches are on the rise. The incidence of breaches with selected losses of more than 30,000 records has exploded since 2004. With a growing worldwide cyber-skills shortage and a litany of evolving threats — such as the weaponisation of AI — it’s not surprising that governments are putting more stringent regulations in place to force businesses to better protect their data.

These issues are undeniably concerning. However, human error and ignorance remain the easiest vectors for hackers to exploit and are often the biggest security blind spot for the enterprise. In order to overcome this challenge, businesses must transform people — their greatest security vulnerability — into their biggest security asset.

The Ponemon Institute’s 2017 Cost of a Data Breach Study found that in the US 25 percent of all attacks were due to employee or contractor negligence. More worryingly, here in the UK, the latest quarterly statistics from the Information Commissioner’s Office (ICO) revealed that four of the five causes of data incidents involving the ICO were caused by human error and process failures (including loss or theft of paperwork, data posted or faxed to incorrect recipients, data sent by email to incorrect recipients, and loss or theft of an unencrypted device).

People-centric security

Analyst firms such as Gartner advocate moving towards ‘people-centric security’, which encourages organisations to reduce reliance on stacks of tools and compliance checkboxes, and instead favours the power of the human element in fending off attacks and reducing security errors. Relying on people as the first and best line of defence requires well-trained professionals; however, research shows that security awareness training for employees is sorely lacking across the cyber-security industry.
Furthermore, many IT departments run cyber-security programmes in the background, which keeps cyber-security off employees’ radars and only compounds the problem. When employees are not educated on cyber-security protocol and processes, they are not invested in data protection and are often unaware they’re handling sensitive data that requires specialised oversight and care.

Cyber skills gap

Adding to the people problem is the cyber-skills gap. ISACA’s State of Cyber Security 2017 found that 37 percent of respondents believe fewer than one in four candidates have the qualifications employers need to keep companies secure.
The job site Indeed published research in January 2017 claiming that Britain’s cyber-security skills gap was the second worst in the world, with demand for cyber-roles exceeding supply. The greatest skills gap is in cloud security, with the share of jobs posted exceeding candidate interest by nearly ten to one, followed by identity and access management. The mismatch is less severe in malware security and disaster recovery, where demand exceeds supply by four to one.
Alongside the concern around cyber-skills, there is the challenge of emerging technologies that can be used with nefarious intent, such as the growing use of AI and machine learning by bad actors who are well-funded, advanced, and moving at the speed of start-ups. Indeed, these actors are highly motivated and stand to gain immeasurably by going after lucrative targets. In comparison, information security moves at the speed of regulation, and is always playing catch-up.

Creating a culture of cyber-security

To address these issues, governments must continue to prioritise cyber-security funding and initiatives. The founding of the National Cyber Security Centre and GCHQ’s CyberFirst programme, which includes a ‘girls-only’ competition, are good examples of this commitment in the UK.
Concurrently, businesses have a responsibility to build a strong data protection culture from the bottom up. Employees must be invested in the protection of their business or organisation, and whenever possible, should be part of the solution. By using integrated security workflows — including discovery, classification, and encryption — employees are empowered to correctly handle data at creation, and when storing or sharing.
We are certainly moving in the right direction. When customers, governments, businesses, end-users and employees are equally invested in protecting data, the human factor in cyber-security defence is fostered, and the risk of human error is minimised.

Written by Matt Little, chief product officer, PKWARE and Keith Vallance, product director, Boldon James for SC Magazine