The Human Element: Security’s Biggest Problem or Greatest Asset?
The RSA Conference is known as the place “where the world talks security.” Here at Ericom, we’re excited to be part of the experience. If you’ll be there, too, we’d love for you to stop by booth #6474 (North Expo), say “hi” and learn more about the Shield platform.
RSA Conference is one of the biggest and most important security conferences in the world. When it was first held in 1991, there was one discussion panel with just a few attendees. Now it is where some of the most critical new ideas in security are formulated and it’s attended by nearly 50,000 security professionals, enthusiasts and vendors.
Each year the team behind RSA chooses a theme for the conference. This year’s well-chosen and significant theme is The Human Element. When it comes to cybersecurity, the human element is unquestionably something that can, and does, get organizations into hot water.
Your Humans are part of “What’s Broken” in Security
We have all heard IBM’s jarring statistic that human error is a contributing factor in over 95% of security incidents. Jarring, but not surprising. Most of the attacks that make headlines start with weak passwords, a bug in the code, a bad decision to click a link, or an update that someone neglected to install.
For example, 2017’s WannaCry took root as fast as it did because it penetrated unpatched computers running Windows operating systems. The patch had been released a few months prior but not enough organizations took the time to deploy it.
Equifax’s gigantic hack in that same year was caused by an unpatched Apache Struts vulnerability. Here again, the Apache Foundation sent an urgent notice to all users, imploring them to deploy the necessary patch ASAP. The notice went ignored by the responsible team at Equifax and the rest is, as they say, history. And in 2019, a breach of Capital One’s cloud server leaked the data of over 100 million customers. The leak was most likely caused by a server misconfiguration, which, again, is something entirely preventable with due diligence.
Companies continue to throw money at the problem, hoping that with patch management systems, awareness training and exercises, coupled with threats of repercussions, people might change their risky behaviors. But awareness training isn't a perfect solution—there will always be some employees who, despite training and warnings, will continue to click links, use passwords like “p@ssword123”, write imperfect code, and push off updating their OS and software ad infinitum.
So, your humans -- they are a key part of what’s broken in security.
Are People Really to Blame?
On the other side of the human element coin is this: Perhaps the problem lies in accepting that human nature is responsible for what’s broken in security. Maybe the “humans are the main problem” camp has got it all wrong.
Security breaches and incidents don’t necessarily take root because someone was lazy, negligent, or inattentive. For example, some organizations, especially in industries such as healthcare, cannot patch systems as soon as a patch is released because patches sometimes cause unexpected issues, and they can’t expose mission-critical functions to risk. Sure, this may put them at other risks in the meantime, but given the choice, it’s reasonable to wait.
Now, consider phishing campaigns; attackers are A+ students of human nature. They know just how to get people to do what they want. Don't think for a moment that today’s polished phishing scams resemble the badly worded, ill-conceived semi-threats of the past. Today’s phishing emails and rogue websites are dead ringers for the real things. So even your best and brightest employees might find themselves somehow introducing dangerous malware into your organization. And then there’s this: if even spam filters miss especially tricky phishing emails, can we really expect humans to perform much better?
Your Humans are What’s Right in Security
Users are the primary asset of any organization; your solutions should make it simple for them to succeed and stay safe. Security shouldn't require employees to jump through hoops to use resources, nor should it impact their user experience. (One reason, among others, is that employees who feel frustrated or hindered by their current security tools often create serious issues by using unsanctioned devices or shadow IT tools that are unaccounted for.)
So perhaps instead of finger wagging, the focus should be on finding solutions that don't depend on (understandably) undependable people. Technology-driven problems need technology-driven answers. This is the approach we take with Ericom Shield; we accept the unfortunate truth that the internet is full of garbage (a cesspool, if you will), and that it’s neither fair nor smart to expect users to fully assess, identify, and avoid the true threats.
All this explains why our platform isolates all content—known good, known bad, and just plain unknown—in remote containers that are disposed of at the end of each session. Threats that come from improper coding or unpatched software and operating systems cannot reach endpoints to make their way onto your systems. And all attachments and links are opened in isolated remote containers too, so the threat of falling for phishing is neutralized. Finally, unknown potential credential theft sites can be opened in read-only mode. Users experience no change from regular browsing, yet they can surf the web and access the resources they need as they wish.
Perhaps this emphasis on empowering the human element is why SC Media has chosen Ericom Shield as a finalist in their Trust Awards “Best UTM Security Solution” category at the prestigious 2020 SC Awards. The awards honor innovative technologies that go above and beyond when it comes to protecting users and data. The awards ceremony will be held near the Moscone Center at the Intercontinental Hotel on February 25th. We’ll be there and we hope we will see many of you there as well.
At Ericom, we believe in the power of people to make a difference. As RSA says, “When we recognize that cybersecurity is, fundamentally, about people protecting people, the world becomes a better, more secure place.” This is a world we’re proud to be part of.
Will you be at RSA? Look for Ericom throughout the week at these venues:
- Ericom will be at Booth #6474 (North Expo) demonstrating Ericom Shield and sharing details on how enterprises are deploying the solution as part of their Zero Trust Security strategies.
Cloud Security Alliance Summit
- Ericom, an active member of the Cloud Security Alliance (CSA), will have a number of team members, including Ericom CTO Nick Kael and CPO John Petersen, participating in the 11th CSA Summit on Monday, February 24.
AGC Partners’ 2020 Information Security & Broader Technology Growth Conference
- Ericom President and CEO David Canellos will be presenting on Ericom’s secure web and application access solutions on Monday, February 24.
Visit Ericom’s RSA Conference webpage to schedule an appointment with an Ericom team member to learn more about Ericom Shield Zero Trust Browsing.