The Root Causes of Cybersecurity Risk and How Automation Can Help

The root causes of cybersecurity risk and how automation can help

Key Points:

  • Human mistakes continue to be the root cause of data breaches. Habit, bias, and the status-quo interfere with our ability to realistically assess cybersecurity risks.
  • The U.S. government is escalating efforts to address both workforce shortages and sophisticated cyberthreats by spearheading organizational change that prioritizes collaboration, inclusion, transparency, and crowdsourcing of innovation.
  • With exponentially increasing data and a shift to Zero Trust, automation is a necessity to reduce human stress and mistakes from data overload, while also improving decision-making and increasing job satisfaction.
Security and managing data are the jobs of the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO). Yet with workforce shortages, cyberthreats rising, and human mistakes as the leading cause of data breaches, it’s beginning to seem like the CISO and the CIO must also act a bit like an organization’s “psychologists,” uncovering root causes of cybersecurity risks to the health and growth of the enterprise.

The recent hacking of Uber by a teenager, reported to be affiliated with the notorious Lapsus$ teen hacker gang, demonstrates once again how a single employee’s distracted decision, when targeted by a psychological attack, is a major risk factor. The hacker broke in by compromising a contractor’s multifactor authentication (MFA) using MFA bombing to fatigue the contractor until the victim approved the request. Breaches exploiting weak security tools and social engineering continually play out in the news spawned by nation-state threat actors, ransomware gangs, and teen hackers like Lapsus$.

Psychologists ask their patients to look beyond external negative symptoms and become aware of internal root causes. This process uncovers fixed and inaccurate mental rules (biases) that are being relied on that can lead to detrimental outcomes. However, complacency can be changed through communication, education, and awareness – from the leadership level all the way down to the user level.

Human mistakes are a major cause of data breaches. Yet many organizations continue to assume (despite evidence to the contrary) that staff:

  • are well-educated about cyber risks
  • know how to prioritize cybersecurity alongside completing job tasks
  • feel their efforts are valued and can safely give feedback
  • optimize security tools that may not be user-friendly, even when distracted by people and daily tasks

Human decisions are often made quickly based on habits and bias from past experiences due to pressures from:

  • social conformity (two-way feedback is not encouraged)
  • social norms and time constraints (get your job done)
  • apathy over the status-quo (we’re stuck using tools and processes that don’t work well)
  • “accepted wisdom” (such as multifactor authentication is secure and prevents breach)

Unless leadership takes an honest look at the internal rules, tools, and policies that create apathy, confusion, stress, and mistakes, employees will continue to default to habit in order to get their job done. Enterprise cybersecurity risk is a different animal than other kinds of risks. For example, weather can be a risk but it doesn’t psychologically target your staff with persistence and ever-evolving sophisticated tactics.

How do you increase adaptation and compliance, dispel complacence, and support user-friendly Zero Trust policies and tools that actually engage and empower employees, rather than relying on punitive, aggravating measures?

Cognitive bias, power hierarchies, and lack of clear communication, collaboration, and feedback are underlying root causes of human mistakes that create serious cybersecurity risks. Check out our recent articles on the important topics of cyber resilience, human bias, collaboration, and innovation:

When it comes to change, leadership must set the example, promote honest feedback, and be accessible. Teri Green, a former CISSP Chief Information Officer at Normandy Schools Collaborative and founder of her own cybersecurity firm, said that to help her team cope with difficulties she began leading daily mindfulness sessions, according to the article Using Mindfulness and Authenticity to Lead Tech Teams.

Green said she believes we have to push ourselves and, “I’m a firm believer that life begins at the end of your comfort zone.” She emphasized:

“When considering how people decide to do one thing or another, it all comes down to seeing and believing. When leaders show up, they need to show up as the individual they wish to see.” 

If cybersecurity is a top concern of your organization, then your employees must see it and feel it by the inclusive actions of your leadership. These actions may include cross-departmental collaborations and feedback, funding user-friendly automation that reduces tedious work, stress, and mistakes, or by making cyber awareness an ongoing and meaningful part of your culture and personally relevant in daily decision-making.

For example, Washington, D.C.-based Children’s National Hospital implemented a code that signals staff to unplug or turn off internet-connected devices to mitigate cyberattacks. Nurses, physicians, and staff members are educated and empowered to look for suspicious activity on technology devices and then report it to the hospital security staff, who would would then send the “code dark” signal to all staff. All hospital staff members carry cards with “code dark” steps on lanyards.

A National Need to Change Organizational Dynamics

The serious nature of cyberthreats has brought our nation to the point of recognizing there have been systemic and mental biases hindering information and idea flow between individuals, organizations, and hierarchies.

The newly released Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan is working to break down barriers and hierarchies in order to promote a new model for innovative collaborations. A few of the stated key areas of focus include:

  • “CISA must lean forward in our cyber defense mission toward collaborative, proactive risk reduction. Working with our many partners, it is CISA’s responsibility to help mitigate the most significant cyber risks to the country’s National Critical Functions, both as these risks emerge and before a major incident occurs.
  • We will strengthen whole-of-nation operational collaboration and information sharing. At the heart of CISA’s mission is partnership and collaboration … We will succeed because of our people. We are building a culture of excellence based on core values and core principles that prize teamwork and collaboration, innovation and inclusion, ownership and empowerment, and transparency and trust.”

The White House also released the Strategic Intent Statement for the Office of the National Cyber Director (ONCD), focusing on collaboration and innovation between the public and private sector, which states:

  • “Individual cyber hygiene is important and personally laudable, but systemically inadequate … [The ONCD] will improve public-private collaboration to tackle cyber challenges across sectoral lines. It will align resources to aspirations by ensuring U.S. departments and agencies are resourcing and accounting for the execution of cyber initiatives, assets, and talent entrusted to their care, and considering all possible future such requirements … 
  • We must “crowdsource” our ability to identify and stop transgressors in much the same way they crowdsource their exploitation of us.”

Key phrases from the two plans above are “innovation and inclusion, ownership and empowerment” and “crowdsource” for innovation. For too long there has been implicit bias around a belief that good ideas come from having the “right” educational background, experience, or titles. Now with the Great Resignation, looking outside normal hiring channels is critical to fill the cybersecurity workforce shortage.

Young hackers have become a force to be reckoned with and it’s worth considering how their abilities can be proactively mentored and validated in positive ways. The Lapsus$ teen gang has been behind many major breaches like Uber. On the flipside, former teen hacker Marcus Hutchins turned from the dark side to become a Jedi-like white hat hacker and personally stopped the 2017 global WannaCry ransomware attack in just hours.

Maybe we need people like Marcus Hutchins performing outreach on the dark web to help lead misguided, attention-seeking hackers into the light (hackers and their families need critical infrastructure like utilities, water, and hospitals too). It’s time we consider new ways to crowdsource talent and innovation by looking beyond college graduates, long resumes, and organizational hierarchy. Our world may depend on it.

Breaking through barriers means you approach problems with curiosity and a willingness to experiment and do things different – just as athlete and student Roger Bannister did in 1954 when he broke the four-minute mile when people thought it was impossible. Bannister researched the mechanics of running and trained using new scientific methods he developed. He went on to become a neurologist.

Removing organizational barriers to positive change must include reducing rigid mental bias, information blindness, and inertia that lead to poor decisions. Collaboration and crowdsourcing can help to identify innovative tools and policies needed to improve cybersecurity.

The Importance of Human-in-the-Loop Automation

With growing masses of data being generated in the world today and staffing shortages, solutions that use automation are necessary to implement Zero Trust. Automation will help identify and properly process and protect essential data. Automating tedious tasks reduces human mistakes from data overload, and can also increase job satisfaction with humans focused on higher-level strategic and creative tasks.

In reality, “human-in-the-loop” automation has existed for thousands of years. The first water wheels for crop irrigation, grinding grains, and supplying village water date back to ancient Rome. Today, washing machines, lawn mowers, cars, and indoor plumbing all help automate daily tasks for humans.

A current big area of development in data and process automation is artificial intelligence (AI) and machine learning (ML). However, understanding its benefits and risks can be confusing because those are blanket terms describing a number of different, developing technologies that have cybersecurity applications. It is important that as a nation we define beneficial use cases of AI/ML automation while also clearly delineating where AI could become a cyber risk itself.

Regarding risks, there are concerns over how some forms of AI are being ethically developed and how cyber attackers are using it. These are valid concerns because individual humans program AI. Each of us has our own values, and other nations or cybercriminals also have their own value systems. All of these value systems are very diverse and contain much bias.

No one has conclusively described cognition. Researchers and psychologists continue to broaden cognition to expanded ideas around identity and how we make decisions. Some of these research areas include quantum cognition and embodied cognition. If we don’t fully understand how our own minds, bodies, intuition, and feelings work together, a human-programmed AI may not behave in the way we expect.

In fact, the National Institute of Standards and Technology (NIST) has created several discussion documents and has been asking for feedback on AI risks, specifically to examine the often hidden risks of human and systemic biases that could be programmed into AI.

Check out the important document, NIST Special Publication 1270 – Towards a Standard for Identifying and Managing Bias in Artificial Intelligence, which shows an iceberg representing below-the-waterline, Titanic-style human and systemic bias that is overlooked.

Autonomous AI that is programmed to take action for us is a cyber risk, conjuring up ideas of movies like The Terminator or The Matrix. An AI programmed to be efficient might not be counterbalanced with human traits that know efficiency is not the correct path in every situation. In fact, the article “Will Artificial Intelligence make humanity irrelevant?” outlines why AI can’t, and should not, take the place of human oversight and decision-making.

It is of vital importance that humans remain “in-the-loop” and not release AI on its own recognizance. We should be concerned if any nation or threat actor is planning on releasing some type of autonomous AI onto connected networks that could spread like a digital pandemic.

The AI described above is different from intelligent automation technologies that are available now that have important benefits, including human-controlled data and process automation technology. Just like how washing machines and modern plumbing automate laborious tasks, AI/ML data processing automation (with a human-in-the-loop) can be very helpful in reducing tedious tasks to free up human time to focus on the big picture and creatively solve problems.

AI/ML data discovery and classification and intelligent document processing allow security and data management staff to index petabytes of unstructured and structured data in order to identify, assess, tag, workflow, and correct risks in your data estate. Some security technologies also use AI to remove false positives and provide more accurate modeling. All of these technologies are of real value to automate monotonous, mistake-prone data tasks and allow humans-in-the-loop to make faster and more informed real-time decisions.

Two recent reports were developed on how to implement Zero Trust and both identify challenges that illustrate the usefulness of automation for data visibility, inventory, and management.

The first is the Draft Report on Zero Trust and Trusted Identity Management from the President’s National Security Telecommunications Advisory Committee. John Kindervag, who helped define Zero Trust while at Forrester Research, was among industry leaders who wrote the report as part of the committee.

According to this report:

“some federal agencies (and many private sector organizations) lack basic visibility of the data, assets, applications, and services in their organization, and as a result, are not yet ready to begin their Zero Trust journey” 

The World Economic Forum created a community white paper, The ‘Zero Trust’ Model in Cybersecurity: Towards Understanding and Deployment that aims to demystify zero trust. One challenge it points out is:

“[Zero Trust] requires organizations to have a detailed inventory of applications, data assets, devices, networks, access rights, users and other resources. 

The paper goes on to say, “However, in order to know what to verify, cyber leaders need to clearly identify what the “crown jewels” are that they need to protect. To that end, an essential part of the shift to Zero Trust is understanding and mapping the valuable critical data, assets, devices (such as laptops, smartphones and IoT devices) and other resources.”

Identifying and understanding all your data assets is a foundational step in ensuring that they are both protected and that staff are using quality data sources – “true data” – when making important decisions. Recent Forrester research also found that not doing sufficient data discovery and classification caused Zero Trust microsegmentation project failures.

A healthy organization should be using data discovery and classification to perform a baseline inventory and assessment of data assets to identify and remove hidden risks to essential data used for decision-making. It’s also critical that after baseline you continuously monitor the data estate for changes that might affect data safety or usability.

Understanding what’s in your data estate, identifying past data-handling mistakes, reducing PII and business intelligence risks, and organizing data for quality analytics will help your organization make more informed data-based decisions going forward that support future growth.

Do you know what and where all your data is? Can you monitor changes to your data estate? Is there unencrypted business intelligence or PII data that should be protected? Do you have legacy and over-retained data that should be moved or deleted? Are analytics solutions incorporating all important data?

Comprehensive AI/ML data discovery and classification and intelligent document processing enable safer digital transformation by indexing all unstructured and structured data living in your data stores. Manage your data estate with tagging, filters, and federated search to correct mistakes and misfiled data, protect any exposed business intelligence or PII, and empower your data analytics solutions. Keep it that way going forward with ongoing, automated monitoring.

You can test out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery Solution.

This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.

Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.