Security, Technology and Securing Human Behavior

There is a major tug of war regarding security, technology, and how to secure human behavior. Technology is designed to make our users and companies more productive, increase information sharing across platforms, and provide the resources people need to service customer needs and increase profits. Businesses require the technology to connect more systems, have deeper integration, increase customer service, which has created a security nightmare for technologists and developers when it comes to risk management and mitigation. The speed at which we are changing the work environment in 2021 is also providing an opportunity for organizations to spread ransomware and other malware. The most considerable risk we face right now is the feeling that technology alone will protect us. Still, the reality is it won’t because the weak link in security is the human, so how do we control and increase awareness to lower the human risk?

Many studies have been done on why threat actors target humans, and basically, it comes down to two factors, laziness and human flexibility.  Both characteristics are rooted in Social Engineering; you can’t have social engineering unless both characteristics are present.  Some people call it human nature or human behavior patterns; either way, it all comes to a head when you are trying to secure anything, a house, a car, or your technology. However, if you can systematically remove either characteristic, you reduce or eliminate the ability to social engineer, and your security risk goes down.

Before we get too far, let’s look at what laziness and flexibility in human behavior mean when it comes to technology.  When talking about laziness and employees, what it comes down to in most cases is a lack of understanding of why things work or don’t work the way they expected. Technology policies are not clearly defined, nor are they clearly explained to employees, which creates confusion.  Employee technology orientation and security training should be a crucial part of learning your business for all employees and new employees. Providing them with a written policy containing an exact checklist of appropriate and inappropriate uses of technology will help build that culture of security within your organization from the first day of employment.

When talking about social engineering, there are still some tricks that hackers will use, and employees still fall for them that put your networks at risk. According to the CSO United States, here are the five top social engineering tricks.

• Trick one, responding to an email that looks official. Always make sure that you know the person who is sending you emails. Scammers have become very good at making emails look official, so don’t be afraid to pick up the phone and verify that agency or person that sent you the email.  Scammers have started to add company or vendor logos and signature lines of spoofed emails, ensuring that the sender's email address matches the signature line.  You should also check to make sure the phone number is correct and the sender's return address, which you can get simply by mousing over the email address. Scammers will also use subjects that you are interested in or would likely get your attention “Review this resume” or “Payment due” or an old favorite, “You need to update your account information.”  These are all things that catch people's attention, and based on time of day, workload, or other job stresses, employees may not go through the standard checks that they would typically go through.

• You missed a voicemail; this is becoming a widespread trick, and hackers and scammers have seen an increase in the success in using this trick due to the higher-than-average work from home workers. Also, unified communications have made it a little harder to tell what is real and a phishing hoax. These two factors can, without proper training, fool people into responding to these emails or voice mails. When people respond by returning the phone call, the scammer asks for access to their system because they have determined to have a security issue, malware, or some other critical item. The user allows access through a remote connection, where at that time a Trojan, virus, or malware is loaded and executed under the disguise of fixing your issue.

• Trick three, Free stuff; we all love free stuff, and studies have shown that if you offer someone something for free, they are far more likely to respond to the email or click on the link. Columbia University's study showed that if you offer people a dollar to respond, responses go up by 30%. If you offer people five dollars, then responses go up by 65%, and it is because we have built a society where even small free tokens of appreciation get huge responses.

• Drive-by downloads, anti-virus is good, but it alone is not the complete security package. You must take a layered approach to security, and in some cases, it may seem redundant, but each layer can be designed to a countermeasure for a threat window.  All software has weaknesses, and in some cases, hackers have written software into their viruses that can exploit those weaknesses and bypass your security measures. These exploitation methods can be embedded in websites, phishing emails, social media, and sometimes hackers can take advantage of a legitimate website that is not adequately secured and embeds viruses in those websites. Some easy countermeasures are implementing a website monitoring program and disallow sites like social media, outside email sites, along with the traditional websites you should be filtering.  Remove local administrator rights on the workstation; in most cases, these programs need to modify the local workstation's active directory; they won’t load without administrative rights.

• Using open WIFI has become a massive issue due to the volume of workers working from home or remote offices. Employees now desire to work from anywhere at any time, so public WIFI and WIFI in coffee shops, motels, or fast-food locations have become very popular. It is always a general recommendation not to connect to open WIFI; keep in mind that open is open, there is no filtering, and people can see you if you can see the Internet. It is always recommended to use your own cellular service verse open WIFI, and the cellular service is far more secure and less likely to be hacked. Home WIFI is typically not secure or very well secured, allowing neighbors or others to connect from the outside. If you have home workers, you should consider having your IT people check and ensure that their home WIFI is appropriately hardened and secure.

Can human behavior change? Or do we need to succumb to who we are, and we are going to make mistakes. We all can agree that mistakes will happen for various reasons; the goal is to understand why the mistake was made, improve our understanding of the mistake, and then use education and awareness to improve.  Software developers try to understand how they can leverage what is known about human perceptions and habits to create security models that provide countermeasures to those preset perceptions that technology will protect you. Writing programs to this level can be difficult because everybody reacts to and develops individual perceptions. Accounting for a wide range of variables that account for all these perceptions is an ongoing battle.  Some factors can contribute to the modification or identification of how security and human behavior interact.

• Overreliance on security products, there must be countermeasures to protect the company and users, and these come in the form of security software or devices that manage security processes. These countermeasures may start with policies and procedures to outline security measures; other things that play into human behavior are physical and mental workloads, changes in behavior, and the soft dollar costs of merely getting through the daily tasks. However, research has shown that when people feel stressed or physically overworked, they tend to lean on the security product to protect themselves verse maintaining their awareness.

• How security decisions are made has always been my goal to integrate security into the system's overall design and implementation from the very beginning. However, many organizations op for a reactive solution of adding security after thinking that they have saved budget money and taken a more conservative approach to security due to company culture, fear of employee backlash, or simply rolling the dice on convenience over security. However, it is easy to secure a system beyond the practicality of running a business without considering human behavior, workflow, or workload of the individuals.

• Understanding how security works, as a technologist we have to keep in mind that the individual worker does not understand how security works. When employees bump into security measures and perceive that security is interfering with their ability to manage their workflow or complete primary functions, they tend to look for and use shortcuts or workarounds. That is why creating a culture of security within your organization is so essential, and employees need to understand how security works and the importance of security. Continued education and explanation of security measures with an open dialog of why things work the way they do will reinforce the importance and awareness of certain behaviors' risk to the organization.

There are many schools of thought when it comes to human behavior and technology.  Some believe that companies should automate security to the point where it takes human choice entirely out of the picture. The one variable that can’t be secured is the human, and most security breaches in today's computing world start with a human error. The people who subscribe to a full control methodology are trying to account for the human nature of wanting to be efficient in their work, with as little obstruction as possible. To that end, they are at times willing to shortcut security.

This methodology's thought process is that if you add transparency to the automation, you can genuinely control the files and folders' security, which reduces the threat of security breaches and data leaks. It is my opinion this is overreaching and overly controlling by the IT department or individual. It allows too much control of the business operation to be in the hands of people who don’t understand a business to decide what is good or bad data and what happens to that data and your business. At times, this approach can leave businesses and business owners feeling that they have lost control of their business operations and data because they have become afraid of the IT guy and what he knows about their IT and what he is hiding through resource management.

There are some interesting statistics around data breaches, according to Varonis:

• 34% of data breaches involved internal actors, which means security must apply internally and externally.
• 71% of breaches are financially motivated
• 48% of malicious email attachments are Microsoft Office Files
• 24% are related to Ransomware
• The average time to discover a breach is 206 days
• A cyber attack happens every 39 seconds

As impressive as these statistics are, the real problem is it is estimated that cybercrime, which includes stolen data, identity theft, ransomware, and other financial crimes, will be over six trillion dollars a year by the end of 2021. These statistics could be interpreted to say that although we know how to secure systems, the cybercrime industry is so lucrative that it will be an ongoing battle to manage security, invest in security, and stay aware of new and emerging threats. However, we can’t forget about the human and how important building a security culture is, repetitive training, so complacency doesn’t set in. Still, as business owners, we also make sure that we are aware of the stresses within our businesses that can contribute to security failures.