Artificial Intelligence, User Behaviour Analytics, Zero-Trust… these are the buzzwords the security industry is currently dominated by. The developments to cyber security technology which have been made over the last few years are incredible, developments that are absolutely essential in the progression towards a more secure world. A key assumption in a lot of this development is that humans are simply a risk that needs to be mitigated by technology. To a certain extent, this is absolutely the right approach. However, despite everything we can do from a technology perspective, malicious actors will always exist and people will continue making innocent mistakes. Technology cannot solve every problem. So how can we effectively mitigate this risk? I believe we should adopt a more positive approach; an approach in which the aim is to transform humans from a security risk into a security asset. In short: user-driven security.
What do we mean by user-driven security?
User-driven security is a methodology which understands how people interact with data, why people make mistakes and ways to identify and prevent innocent mistakes/malicious activity. Using these insights, businesses are able to implement a simple strategy that involves educating users to understand how to operate in a more secure way, incorporating security policy as part of their day to day workflow and using the information provided by users to enhance the cyber security technology the business already uses. This process can make businesses more secure and more efficient.
Why are people seen as a risk?
When you look into the plethora of research available on the reasons behind, and causes of, data loss, it’s clear to see why people are seen as such a risk. For example, The Information Commissioner’s Office (ICO) produces statistics about the main causes of data security incidents and in cases where they have taken action, human error and process failure tend to be the leading cause. More specifically, the reasons tend to be things such as: loss/theft of paperwork, data sent to the wrong recipient or loss/theft of an unencrypted device. It’s easy to see how and why these events can occur so easily. Let’s take a look at three of the key reasons:
- People are busy and huge amounts of data are created every second
- Data is becoming the most valuable asset a business has, which incentivises malicious actors to try and steal it
- Businesses (and therefore, employees) don’t tend to understand the value of each piece of data they create
The effective use of technology does go a long way to overcoming some of these challenges. However, using technology alone still leaves gaps and in some instances has an adverse effect on productivity.
Next in this three part series, Aaron will be looking at the 3 main steps you need to take for a user-driven approach.