Re-engineering Cyber-Consciousness of the Human Element of Cybersecurity

“Tell people there’s an invisible man in the sky who created the universe, and the vast majority will believe you. Tell them the paint is wet, and they have to touch it to be sure.” If only Barbara Corcoran’s (of Shark Tank) bookkeeper was cyber-conscious enough to do something similar, she might have saved the firm from being scammed...

In February 2020, settled in a plush NYC office, Corcoran’s bookkeeper received an email from her assistant with an invoice for $380,000 from a German company. Since it was a fairly routine exchange, her bookkeeper sanctioned it. The mistake? She did not notice the email address the invoice was sent from did not belong to the assistant. The scammers had cleverly misspelt the name. The fraud was uncovered only when Corcoran’s actual assistant was copied on a reply to the original invoice! In Barbara’s own words: “Scammers found their way to me in the most clever and simple way.”

The cybersecurity industry is focused on defending against modern and sophisticated cybercrimes, while criminals are exploiting the most basic tricks to crumble economies one business at a time. The human element of cybersecurity is often underestimated, but inadvertent breaches from human error cost companies $3.5m in 2019 alone. While 90% of breaches have a human element, only 10% of cybersecurity budgets are allocated to defend against them. This is especially dangerous as ransomware attacks were up 40% (199.7 million) in the third quarter of 2020.

COVID-19 has especially disrupted the way businesses look at cybersecurity. With the world adapting to a new way of working, the impact a cyber hack has on an organization is far greater. Cybersecurity is as important as physical security; a hacker can do more damage by launching a smaller scale, more amateur cyberattack than a physical crime. A Gallup survey shows that people are twice as afraid of being hacked as they are of physical crimes. Cyber-criminals use the average person as a gateway to larger corporations, yet a one-stop solution to personal cybersecurity is missing.

When businesses are forced to make changes faster than they originally planned, it’s inevitable to find multiple loopholes left open to exploitation. Cursory research on social media, a look into publicly available records and voila! You are served on a platter to someone who has the means, time, energy and motive to scam you. People as educated and ‘trained’ as Corcoran’s staff fell prey to a simple trick. The reason behind this is that, despite the internet encompassing our life in virtually all aspects, we do not consider cyber-hygiene as a core value.

The pandemic has pushed businesses to re-imagine the way they can continue to function; employees are accessing business-critical data at less-secure locations and from unprotected devices. We need a cyber-aware economy, and the collective solution to create one has two main aspects:

  1. Measuring individual Cyber Quotient
  2. Cultivating cyber-consciousness

As the environment around us evolves, so do the parameters to gauge intelligence. It is a simple input and output calculation, through which all-encompassing ‘input’ signals will yield the ultimate result - a Cyber Quotient.

Quantifying the human element of cybersecurity would involve input which can be garnered from people - who they are, what they know and how secure their personal or administered devices are. Other critical, yet often overlooked, information includes but is not limited to the level of education, criminal background verification or the pets they own and relationships they’ve had.

According to a Verizon Data Breach Investigations Report, departing employees admit to taking company data and 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement. This implies that organizations will need to delve deeper to ensure a more accurate measurement of their employees’ Cyber Quotient. Parameters such as an individual’s tenure, their work location, history of employment with competitors, role in previous breaches (if any), would also have to be considered.

To identify suspicious or ‘superhuman’ behavior, AI combines the input with feeds from IP addresses, logs of User & Entity Behavior Analytics (UEBA), Data Leakage & Prevention (DLP), Cloud Access Security Broker (CASB) and other organizational policies. Ironically, to contextualize threats as malicious or accidental, we’d need to rely on the unprejudiced calculations of a machine learning-based algorithm. It generates the output - a metric - that gives us the cyber quotient of each employee. By extension, this cyber quotient represents their individual breach likelihood.

Seemingly inconsequential details about an individual can speak volumes about their personal cyber-consciousness. In the future, the Cyber Quotient can become the basis for hiring employees, electing cyber-aware policymakers, and building secure governments, resilient businesses and economies. Creating a generation that is digitally aware will take time and effort; we need to make cybersecurity and awareness intuitive and personalized for every individual. If measured dynamically, wouldn’t it be an asset for homes and businesses, nations and ultimately the entire world to have a re-engineered cyber-consciousness?