The human element was a fitting theme for RSA this year. For starters, there was the concern around COVID-19 breaking out among the 40,000-plus attendees crowded into the Moscone Center in San Francisco. Out of an abundance of concern for their human workers, several large vendors decided not to show at RSA this year, including AT&T, IBM and Verizon. (For these reasons, I, too, cancelled my trip to RSA.)
RSA’s organizers had no idea this epidemic was coming when they themed the show around the human element. But it is a good example of how humans are the most important part of the businesses and agencies that employ them.
Faces of Humanity
However, humans are also a top risk. Phishing is still a leading vector for attacks because it is good at tricking and manipulating humans to click and download content that looks legitimate. Humans also misconfigure systems, develop insecure programs and share too much online.
“It is critical to remember that cybersecurity is not the average user’s primary task. Their performance is not measured on their cyber behavior but on their critical tasks. To them security just gets in the way,” says Mary Frances Theofanos, an analyst for the Usable Cybersecurity program at the National Institute of Standards and Technology (NIST).
In other words, don’t expect employee training, by itself, to fix this problem. Attackers will always grow more sophisticated in their methods, and even seasoned professionals will get caught in their webs.
Traces of Security
By examining press releases and holding calls with vendors during RSA, it’s clear that sponsors were all over the human element. Vendors at the show highlighted their employee education and insider threat protection, third-party risk management, and behavior analytics tools. They also showcased their endpoint, email, and browser isolation technologies. But don’t expect today’s security solutions to solve the problem either.
“Human interactions with machines are still the threat actor’s gateway to information. Education and training need to be a part of organizations’ defensive posture, while at the same time internal technologies, such as access control, spam filters, encryption and data classification, must get better,” says Todd Carroll, VP and CISO for data leak detection vendor CybelAngel and former FBI cyber investigator.
While these technologies are useful, they still do not understand the human element well enough to prevent costly mistakes by employees. Take, for example, passwords.
“Let’s face it, we all hate passwords. But look how long it has taken to move away from them and why: predominantly because it was a cheap and easy solution for the developers,” says Theofanos. “The cost for the user was rarely considered until very recently.”
Recent developments like password managers, Apple keychain access with biometrics and Windows Hello for Business multifactor authentication (built into Microsoft Windows 10) are good steps forward. However, these technologies are still not intuitive enough for users to manage, particularly across their multiple devices. It would be easier for users if passwords went away altogether.
So technology (all the way down to the OS and hardware layers) needs to get more intelligent about how users interact with their systems while accomplishing their work-related tasks.
“We must understand human behavior and work to meet the user’s needs,” Theofanos continues. “We have a saying: Make it easy to do the right thing, hard to do the wrong thing and easy to recover when the wrong thing happens.”
That type of thinking will take an even greater cultural shift on the part of developers and security professionals. Ultimately for the user, security should be automatic and barely noticeable. For the developer, user enablement should be the primary goal.