- Cybersecurity Awareness Month promotes a national focus on improving critical thinking around cybersecurity to reduce the human mistakes that lead to data breaches.
- Cybersecurity professionals can’t stop cyberattacks alone. Organizations must learn how human thinking and habits create vulnerabilities and then support policies, tools, and training that reduce human risks and create healthier cyber habits.
- Data discovery automation can help alleviate workforce shortages and improve data management. Employees overloaded with data are prone to mistakes. By prioritizing data identification and visibility, you can improve data governance and assess and manage past and present data-handling risks.
Cybersecurity Awareness Month takes place in October, and for 2022 the Cybersecurity and Infrastructure Security Agency (CISA) chose a “See Yourself in Cyber” theme promoting critical thinking at both the individual and organizational level to reduce cyber risks such as weak passwords and phishing mistakes. Human risks to data are becoming more apparent, and organizational policies may not realistically account for human bias, thinking, and behavior.
Right before Cybersecurity Awareness Month, the National Cybersecurity Alliance and CybSafe released “Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2022.” The study found that “even though more than half (58%) of tech users that had access to cybersecurity training or education cited that they were better at recognizing phishing messages and related attacks, 34% still fell victim to at least one type of cybercrime … Also 46% of those polled felt frustrated while staying secure online, and 39% of users trying to keep safe felt information on how to stay secure online is confusing. Nearly a third (35%) presumed that their devices are automatically secure.”
The evolving nature of cyberthreats highlights the need to tackle human, organizational, and technology challenges during the shift towards Zero Trust. Sophisticated threat actors find weaknesses around security tools and psychologically target employees. A few recent industry articles on these advanced threats include:
- Microsoft 365 phishing attacks impersonate U.S. govt agencies
- The deepfake danger: When it wasn’t you on that Zoom call
- IRS warns Americans of massive rise in SMS phishing attacks
- Cobalt Strike malware campaign targets job seekers
These attacks are just a few of many, and they demonstrate that threat actors are targeting gaps in human awareness. These fast-moving, camouflaged attackers have found serious cracks in our cybersecurity armor: our beliefs and habits. Attacker innovation and automation have enabled an enormous influx of phishing, vishing, smishing, spear phishing, and other social-engineering attacks.
Cyber pros have a lot on their plate defending against adversaries out to steal data, and supporting effective cybersecurity awareness training, digital transformation, and monitoring at the same time is a juggling act that wears on the morale of security teams. With such workloads, cybersecurity professionals likely know a thing or two about strong coffee and strong passwords, as a tweet posted by Joseph Steinberg, author of Cybersecurity for Dummies, implies.
Maintaining a sense of humor is important for morale, but security teams also need help from the C-suite to address the organizational and psychological aspects that require a new way of thinking, as well as investment in automated tools that can enable focus on big-picture tasks.
One weak spot that is difficult to defend is new employees, who are often targeted by threat actors because they may be stressed, eager to please their boss and other staff, and overwhelmed by new technology. These new hires are targeted through LinkedIn and through attacker research that draws on social media profiles and other sources.
A Dark Reading article, “Time to Change Our Flawed Approach to Security Awareness,” says we have to start with fundamentals: “What makes users vulnerable to phishing?” The author points out that the science of security has identified cognitive risk factors like cyber-risk beliefs (how safe it is to open files) and acquired media habits (like opening every incoming message). Some of those habits are conditioned by “apps and others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.”
However, it’s not just nontechnical users who are targeted. Another article reported that developers are increasingly under attack, with hackers using misconfigurations and social engineering to reach the production environment via Slack and other DevOps tools. The article quoted Mark Loveless, a staff security engineer at GitLab, who said, “Many developers continue to leak ‘secrets’ – including passwords and API keys – in code pushed to repositories.” He added:
“Developers often take security risks – such as setting up test environments at home or taking down all the security controls – so they can try out new things, with the intent of adding security later … Unfortunately, those habits become replicated and become culture.”
In addition to outsider threats, the insider threat to data assets from disgruntled former employees is often overlooked. A 2022 Beyond Identity survey found that “83% of former employees acknowledged that they maintained access to accounts of a previous employer. And 56% of the respondents acknowledged that they had used their access to harm their former employer; if they were fired that number was 70%.” Also “24% take company financial data, 24% take process related documents, and 24% take passwords.”
Leveraging Automation & Data Governance
Along with the data risks posed by new and former employees, securing data also depends on existing staff, yet the cybersecurity sector faces an employment crisis. According to a TechRepublic article, “Cyber Seek lists more than 714,000 open cybersecurity jobs,” and Deloitte reports that “companies are turning to artificial intelligence (AI), machine learning (ML), and automated security solutions as force multipliers.” However, Ning Wang, CEO of Offensive Security, points out that “an algorithm can’t think critically like a hacker or a human being,” so real people are still needed for higher-level tasks.
Using human-in-the-loop automation for tedious tasks, with humans concentrating on more strategic activities, can reduce mistakes caused by data overload while improving job satisfaction and employee retention.
Understanding what promotes job satisfaction, and why humans behave in reactive ways, is now critical for data protection and cybersecurity. These questions and challenges have spurred a focus on cognitive security, psychological safety, and growth mindset, as well as recognition of the role of data governance in establishing data provenance and lineage (where data comes from and how accurate it remains as it moves and is transformed). These areas all affect the overall security and quality of the data foundation used for decision-making.
Juliane Gallina, the CIA’s Associate Deputy Director of Digital Innovation, recently shared intelligence community priorities and threats in an Executive Mosaic interview. She emphasized it’s critical to know data provenance and lineage because incorrect information influences people’s perceptions and behavior. The influence of inaccurate ideas can be a serious problem at leadership levels and also at the individual level.
The Government Accountability Office study, “Information Environment: Opportunities and Threats to DOD’s National Security Mission,” found that, “The fusion of ubiquitous information and technology has granted individuals, organizations, and nation-states the ability to target the cognitive foundations of individuals – beliefs, emotions, and experiences – for purposes either benign or malign. The proliferation of ubiquitous information, misinformation, disinformation, and malinformation has prompted defense experts to begin examining the concept of cognitive security.”
Part of the challenge around data security and governance is that organizations make assumptions not only about cybersecurity awareness and literacy but also about employee data literacy. Kim Herrington, a senior analyst at Forrester, wrote in a CIO Dive article, “5 Uncomfortable Questions to Improve Enterprise Data Culture,” that people and culture issues are the Achilles’ heel in transforming an organization’s data culture, and emphasized the need for workplace psychological safety. Herrington said:
“For future-fit organizations to be successful, employees must be motivated to embrace a growth mindset and leadership must enable adult learning behaviors. This must be done before enterprise-wide data literacy trainings are launched.”
Habit and mindset also affect managers and executives in how they approach learning about human risk and choosing tools to help mitigate those risks. Despite the clear threats to data from phishing and other social engineering, a recent report, “U.S. Businesses Experience 42 Cyberattacks Per Year,” found that:
- “32% of U.S. IT leaders still lack a management platform for IT secrets
- only 48% of respondents state they plan to invest in password management, visibility tools for network-based threats, or infrastructure secrets management
- transparency is a problem with 48% saying they were aware of a cyberattack in their organization but kept it to themselves”
Why do organizations underfund cybersecurity, and why do staff feel they can’t communicate honestly and effectively? Many dynamics and mental biases hinder healthy collaboration, innovation, and decision-making. Our recent articles explore these topics:
- The root causes of cybersecurity risk and how automation can help
- Three ways to reduce cybersecurity risk: bias education, collaboration, and intelligent automation
- Cyber resilience requires managing human risks and leveraging innovation and automation
To combat these risks, it’s imperative to collaborate, break down both organizational and data silos, and seek accurate data on your assets so you can perform the meaningful risk assessments that are foundational to Zero Trust. Gaining visibility of assets and their attributes, and learning how people’s conditioned thoughts and habits lead to mistakes, are important steps toward honestly assessing your current state and risks. CISA and the U.S. government are leading the way in modeling some of these behaviors.
As we describe in our articles, with workforce shortages and data growing at exponential rates, intelligent AI/ML automation with a human in the loop will be necessary to implement both Zero Trust and data governance without burning out employees. Unfortunately, because of an earlier lack of focus on data governance, data literacy, data security, and data privacy, many users have mismanaged files.
Forrester Research recently published a report on how a lack of data discovery and classification leads to Zero Trust microsegmentation project failures. According to David Holmes, senior analyst at Forrester and author of the report:
“The vast majority of organizations we talk to, do not do sufficient data discovery and classification, both of which are needed to some extent for a proper microsegmentation project. Just knowing what data you have and where it lives is a hard problem to solve.”
AI/ML data discovery enables safer digital transformation by working like an intelligent data search engine that comprehensively identifies, indexes, and applies workflows to all unstructured and structured data living in your data stores. Use tagging, risk filters, custom metadata, and federated search to correct mistakes and misfiled data, protect exposed business intelligence or PII, remove over-retained data, and feed your data analytics solutions. Keep data clean going forward with ongoing, automated monitoring.
Do you know what data you have and where all of it is? Can you monitor over 950 file types in a single-pane view? Is there unencrypted business intelligence or PII data that should be protected? Do you have legacy and over-retained data that should be moved or deleted?
See what risks might be lurking in your data estate by testing out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery & Distillation Solution.
This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of the latest industry news, including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.
Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.