The Uber data breaches have been a tale of mistakes made at both the executive level and user level. Why do these risks occur and how can they be properly managed? Solving this problem may require digging to the foundation to find out why existing tools, policies, and strategies are not working.
Diagnosing risks and effecting a meaningful shift in corporate culture and policies requires critical thinking, communication to uncover the “story” behind the symptoms, and an inventory of assets to know what is at risk and who has access. Risk management requires C-suite dedication to the honest evaluation of what actually creates cybersecurity risks.
A recent article, “Time to Change Our Flawed Approach to Security Awareness” says the only way to defend against phishing is to start at the fundamentals: “What makes users vulnerable to phishing?” Psychological habits and beliefs are primary and “many of us … acquire media habits, from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability. “
Cybersecurity awareness training is often touted as a way to help stop breaches, but education should engage employees in a way that stands out from other company training. If it feels like a rote education initiative or a check-the-box item, it’s likely to fail because it only takes one person making one distracted mistake to result in a data breach. People are often busy with their jobs that have nothing to do with cybersecurity and are conditioned to efficiently use technology like email to communicate and complete tasks.
On September 1, U.S. government offices launched the fourth-annual National Insider Threat Awareness Month and this year the focus is on critical thinking. The CSO article says that to minimize insider theft, organizations should identify the most commercially sensitive assets, identify the individuals with access to them, and provide them with enhanced insider threat training. Insider threats are frequently unintentional and careless, however malicious threats often get more attention. Jon Ford, managing director, insider threats at Mandiant, told CSO:
“This is a major flaw as unintentional insider threats represent the largest group of insider threats. Most research suggests that careless insiders cause 50% to 75% of insider threat events.”
This insider threat awareness initiative suggests that identifying sensitive assets (what’s at risk), assessing insider risks (who has access), and improving critical thinking (why assets are at risk) are all foundational to reducing the threat of data breach.
Critical thinking is vital to cybersecurity awareness both at leadership and individual levels. Wikipedia defines critical thinking as “the analysis of available facts, evidence, observations, and arguments to form a judgment.” The purpose of critical thinking is to help “uncover the assumptions and evidence that underpin people’s thoughts” in order to question habits and automatic thinking/judging. Taking time to consider assumptions, form your own observations, and establish information quality and sources is the key to better decisions.
However, to engage critical thinking a person must realize that an event warrants using the analytical part of their brain, which takes more energy and effort especially if it isn’t something the person is interested in or has experience with. Time constraints, uncertainty, disinterest, or lack of resources often override the suspicion that something is amiss.
Unfortunately, many people have been conditioned from past experiences to feel that emails are generally safe, or they believe that their company’s IT department or technology is (or should be) handling these threats for them. People may default to the assumption that “it’s probably okay” or that company security will solve it.
Threat actors know users are often distracted or uncertain. Hackers are continually innovating social engineering to take advantage of mindless behavior, social and workplace pressures, and human curiosity through lures that seem urgent, familiar, or safe.
For example, researchers with Cisco Talos recently reported on a new malware campaign that uses phishing emails regarding fraudulent job opportunities with the U.S. government to infect victims with leaked versions of Cobalt Strike beacons, and CISA warned users to remain on alert for malicious cyber activity following Hurricane Ian.
The focus on people and how they interact with assets and technology is timely, as a new study released by the National Cybersecurity Alliance and CybSafe found that “even though more than half (58%) of tech users that had access to cybersecurity training or education cited that they were better at recognizing phishing messages and related attacks, 34% still fell victim to at least one type of cybercrime.”
The importance of establishing information quality and sources is important for both user behavior and decision-making. For example, one of the biggest false news stories in September was about a coup in China that dominated Twitter and made it onto one of India’s most-watched news channels. This incident shows how fast disinformation spreads. People may assume data is correct based on whether they feel the source is trustworthy – even if the source doesn’t deserve that level of trust.
KrebsonSecurity also has been reporting on a proliferation of fake CISO and executive profiles on LinkedIn that are actually confusing search engine results and being picked up by some data-scraping news sources. And threat hunters at Microsoft discovered that a North Korean government hacking group is using social engineering tactics on LinkedIn to connect with employees in multiple industries to send them legitimate open source software laced with malware capable of data theft, espionage, financial gain, and network destruction. Both algorithms and people can be deceived without methods of validation.
Data source and lineage are also important internally at companies to establish data quality and security. Data governance goes beyond external phishing and should encompass all data that is being used for analytics and projects. Asset identification, inventory, management, and monitoring is an important step that may be overlooked to ensure the quality and security of new and existing data.
Articles we recently published on how to tackle cybersecurity critical thinking and data governance include:
- Three ways to reduce cybersecurity risk: bias education, collaboration, and intelligent automation
- Cybersecurity awareness benefits from data discovery automation
- The root causes of cybersecurity risk and how automation can help
- Cyber resilience requires managing human risks and leveraging innovation and automation
Managing Risk Requires Accurate Data and Clear Communication
Cybersecurity can be a challenging problem to solve, especially when CISOs and security teams are also under pressure. The recent conviction of Uber’s former security chief found guilty of covering up the massive 2016 data breach was likely related to his own critical-thinking breakdown due to pressures he felt to protect his reputation after the breach. The conviction came right after a new Uber breach by teen hacker gang Lapsus$ in September 2022 that resulted from a contractor who succumbed to a teenager’s multifactor authentication (MFA) fatigue attack.
A new report from Rezilion and the Ponemon Institute also found that nearly half of DevSecOps respondents reported backups of 100,000 to 1.1 million vulnerabilities. Why are companies allowing these risky backlogs to pile up? “Respondents say the primary problems are information and tools … 45% say they don’t know enough about vulnerability risks, and 43% say they do not have an effective arsenal of security tools.” This is concerning in light of the fact that a SANS Institute survey found “around 40% of ethical hackers … said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.”
Power dynamics, hierarchies, biases like groupthink and the status quo, and conditioning all convene to inhibit internal communication on threats and proper risk assessments. Without accurate data and clear communication, it’s difficult for critical thinking and effective decision-making to take place.
What can security professionals do to help solve these challenges at both the user level and the C-suite level?
The U.S. Cybersecurity Infrastructure and Security Agency’s deputy executive assistant director for cybersecurity spoke at a recent FCW Summit on IT Modernization and said some federal agencies are struggling to begin Zero Trust and that the change will likely require a high-level commitment towards “breaking down cultural barriers.”
A company’s culture is composed of ideas and policies that can be changed. One article, “CIOs: Time to Sense Transformational Needs, Create Agility” says that “at a personal level, CIOs need to be the change they expect from others. They need disrupt themselves personally. A part of doing this better is communicating the need for change while empathizing with people’s worries.”
An important part of critical thinking is personal observation, meaning you’re questioning previous assumptions and seeking out information firsthand by asking questions. Ownership of technology belongs to security and IT teams, so if users are making mistakes, a first step might be to actively listen to staff at different levels and departments. Those stories can reveal insight into what processes and tools may be needed to improve cybersecurity, as well as fostering collaboration and communication among staff so people feel more engaged.
In a CSO article, “Why CISO Roles Require Business and Technology Savvy,” Bob West, CSO for Prisma Cloud, a division of Palo Alto Networks, references his mentor’s success telling effective stories to leadership and board of directors. “When my boss hired me, he said, ‘Know how to tell a good story and know your audience.’ It’s a different track when talking to a board of directors than it is when talking to a CIO or internal auditor.” Barbara Filkins, a consultant at Syntax2Semantics LLC who has worked across multiple sectors, adds:
“Communication begins with active listening. Listening leads to better communication and, most importantly, understanding of what you need to address in terms of the domain being protected, whether healthcare, aviation, or water management.”
The article “Storytelling: A CISO’s Superpower Against Cybersecurity Indifference,” discusses how CISOs can benefit from adapting storytelling to support goals of better communicating the cybersecurity imperative at all levels of the organization. People recall details and facts better when information is explained in story form. “Storytelling can be important for CISOs who need to drive cultural and organizational change with staffing shortages and lack of cyber awareness.”
With the Great Resignation affecting employee retention and cybersecurity in particular, the story about the mental and emotional state of your human assets should accompany presentations on the performance and risk of data and other assets. Employee turnover also leads to increasing insider risks.
There are great examples of creative insight and cultural shifts using real-life stories from “CEOs, educational reformers, four-star generals, FBI agents, and airplane pilots ” in Pulitzer-Prize-winning journalist Charles Duhigg’s book Smarter Faster Better: The Transformative Power of Real Productivity. One notable case is from the re-opening of a dysfunctional Toyota plant where new habits were instilled by top leadership taking ownership of whether line employees felt psychologically safe and were empowered to personally halt the production line to ensure the quality of each task. Changing company culture and mindsets were recognized as major factors in success.
With data growing at exponential rates, it’s important to also recognize that an inventory of your assets is necessary to determine what is at risk, the quality of the assets, and who has access. Without having processes and tools to help manage all that data, decision-making may be impaired by relying on data that is inaccurate, unsafe, and/or incomplete. CISA’s Zero Trust Maturity Model specifically recommends that an organization “continuously inventories data with robust tagging and tracking.”
“Most organizations don’t understand where their high-value data is and how it moves around. And the vast majority of organizations we talk to, do not do sufficient data discovery and classification, both of which are needed to some extent for a proper microsegmentation project. Just knowing what data you have and where it lives is a hard problem to solve.”
As we describe in our articles, intelligent AI/ML automation with a human-in-the-loop can improve data management, monitoring, and real-time decision-making while increasing innovation and job satisfaction. Unfortunately, without past emphasis on data governance, security, or data privacy, current and former employees have likely mismanaged files leading to security and compliance risks or data errors that affect decisions.
Do you know what and where all your data is? Can you monitor changes to your data estate? Is there unencrypted business intelligence or PII data that should be identified and protected? Do you have legacy, misfiled, duplicated, or over-retained data that should be moved or deleted? Are there security risks like password files in plain text?
True AI/ML data discovery automation can comprehensively identify, index, and workflow all unstructured and structured data that is living in your data stores. Clean data up, protect it, and then keep it that way with ongoing, automated monitoring. Improve decision-making while saving IT staff from manual processes and reducing data breach and storage costs.
See what risks might be lurking in your data estate by testing out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery & Distillation Solution.
This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.
Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.