Phin Security

Navigating Human Vulnerability Management as an MSP

In this episode of Gone Phishing, Connor Swalm, CEO of Phin Security, explores the challenges MSPs face in managing human vulnerability to social engineering, emphasizing that despite the apparent simplicity of teaching people to recognize threats, deeply ingrained human behaviors, psychological factors, and resistance to change make building effective human vulnerability management programs complex and difficult.

Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.

I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey, everyone, and welcome back to another episode of Gone Phishing. I am your host, Connor Swalm, CEO at Phin Security, and I'm following on from the last episode I did, which was when I talked about why human vulnerability management should matter to everyone, why it's applicable to all of us, not just me who likes talking about it a bunch.

If you haven't seen that, I'd highly recommend you go take a look at that to give you a little bit of context to what we're going to talk about today.

Because one of the concepts that I mentioned in the previous episode is: all right, great. This doesn't sound like an incredibly complex thing to do—to teach people to recognize social engineering and prevent theft in their own lives and in their business. So what is the difficulty with actually building human vulnerability management programs and actually helping people understand what's going on?

I have a couple of things. Some of them touch on psychology. Some of them touch on human behavior. Some of them touch on the world we exist in. And, well, changing the world is, while the goal of many, it is incredibly hard. So that's why things are the way they are sometimes.

Why Is Human Vulnerability Management So Difficult?

1. People Are Set in Their Ways

Probably most obvious is we as people are typically set in our ways. The saying, "well, it's always been done this way," exists for a reason. If people are used to doing certain things, if they're used to interacting with certain people in certain ways, then it's very likely that they'll continue to act that way and to interact in that way.

We as a group, at least here on the East coast in America, are set in our ways. We don't like to change. Change is really hard in a lot of ways. So it's very difficult to convince somebody, "hey, the way you're acting, the way you're talking, the way you're interacting with yourself and others and your community and your business and your coworkers (insert any other group of people) is creating risk."

If you try to convince somebody that the way they're acting and the things that they're doing and the way they're saying it create the risk that somebody is able to socially engineer them out of their money, access, or information, they're typically kind of turned off to that whole concept.

When I was in college studying math, and I tried to talk to people about the math that I was studying because I really enjoyed it, the conversation was over before it got started. I may have enjoyed it, I may like it incredibly, but I recognize that almost nobody else did. And their mother, their brother, their uncle, their friend they haven't talked to in, like, nine years will be calling them from the next room. Conversation will be over before it started.

I see a very similar thing happening in not only security awareness, but cybersecurity in general. If our goal as practitioners is to communicate in such a way that the average employee or average folks, in terms of cybersecurity expertise and desire to learn about cybersecurity, if we're talking to them in such a way that they don't want to talk back, we're at a loss. We're already starting off on the wrong foot, and we're not helping people change themselves.

2. Compliance Drives Security Awareness, Not Security

The second thing that I see, specifically in my industry (security awareness training), is that compliance has driven a lot of this industry so far. Teaching people to recognize social engineering, to recognize when they're transmitting and storing information improperly, to recognize when somebody else is stealing company secrets or insider threats, has pretty much been largely driven by compliance frameworks like NIST 800-171. There's now the invention of CMMC, and that's consistently changing. Cyber insurance is now getting in there as well, and recommending and also enforcing—at the drawback of your policy getting canceled if you don't do certain things—they'll cancel your policy.

A lot of this industry, teaching people to recognize things, has been driven by frameworks that are very good at mandating compliance, but not 100% of the way there at creating incredible security. In the same way that the law here is supposed to be an approximation for morality, compliance is an approximation of security. It's not quite the best thing for every organization, but it is a great thing to aim for and start at. It's a great starting point at the very least.

When we're at a point where compliance has driven this, compliance has to factor in all sorts of vulnerability that companies are exposed to, whether that's the total amount of risk that they actually have. Maybe they collect people's Social Security numbers, maybe a business collects people's Social Security numbers or banking information, as opposed to other people who might just have first and last names. The value of Social Security numbers and banking information creates a much larger risk for that organization than just a list of first and last names as a result of the value of that information in the open world, where people are willing to buy things that have been stolen.

All sorts of other things go way beyond humans and organizations, such as the technology that they're using and how broadly spread out they are. Do they let people work from home? Do they have multiple office locations? Do they lock their doors at night? All of these are typically factored in—like physical security stuff—are all factored into compliance in most ways. If you want to get a SOC 2 certification, that's compliance. It's kind of like a compliance framework that you have to be adherent to, but it's our best approximation for security.

What I mean by it's difficult building human vulnerability management is because this would be in a very specific subset, which is humans and the way humans interact with each other and other technology. Human vulnerability management focuses on just that one small piece, and that is a small piece of clients overall. Convincing any governing body that we need to focus on this incredibly small subset of security issues is difficult at times.

3. No Framework for Human Vulnerability Remediation

The third thing that I also talk about regularly is there is no built out framework for properly identifying and then remediating vulnerabilities that humans demonstrate.

To give you an example: a vulnerability a human is going to demonstrate is—like the most pedantic example that's relevant here—people clicking on phishing emails. Let's say your office manager is working, and they get an email or a text message from the CEO saying, "Hey, I need you to go buy credit cards." Some of you may be laughing, thinking, "Nobody would fall for that." I promise you, people do. It still happens. They're still vulnerable to that kind of thing. Even a lot of my employees are getting texts like that when they come on board. So it's still something that is clearly resulting in actual people losing actual money.

NIST has a framework for identifying and remediating vulnerabilities in technology and software. You assess for threats, you validate they exist, you prioritize the ones you just validated, you remediate those prioritized threats, and then you verify the remediation occurred. So it's this five-step process:

  1. 1.Assess
  2. 2.Validate
  3. 3.Prioritize
  4. 4.Remediate
  5. 5.Verify

That is a pretty well-defined structure for identifying and fixing vulnerabilities that exist in security tools or businesses in general. I would like to take that model—those five steps—and apply that to humans. Today, we maybe have half of the first step, half of "assess," right? Whether that's through onboarding employees by asking them security questionnaires or trying to phish them and teach them what phishing looks like. We have half of this assess step, but we don't then validate the individual risks that individual employees pose. We don't prioritize what we validated, and then as a result, we can't remediate nor verify remediation occurred.

The difficulty in building human vulnerability management is we need to take a framework like the one I just identified, where it's built out and applied on a daily basis by thousands and thousands of organizations to identify real vulnerability in businesses. We need to take that and transplant it into the way we assess and remediate vulnerabilities that humans demonstrate, whether that's improperly setting a password, not being willing to turn on MFA, clicking on phishing emails, or letting people walk through the front door who haven't quite badged in (tailgating).

There are people who are skilled enough at social engineering that they plan for those kinds of things to happen—for those employees to think they're just being nice and to wait by a door with a box in their hands and say, "Hey, can you just hold that open for me real quick?" But that represents a vulnerability in that person who left that door open, because what they should have done is properly apply the organization's physical access rules, which is everybody badges in or checks in with the front office or whatever it ends up being. There are all these vulnerabilities.

The Crux of the Issue: Changing Human Behavior

At the end of the day, we're identifying behaviors in humans—us—that we would like to change. And how hard is it for you to change your own behavior, let alone have somebody else change their behavior? If any of you have kids or a significant other, it's like changing other people's behavior is quite possibly one of the hardest endeavors anyone will ever start trying to do.

I'm not saying any of this is going to be easy, but the biggest difficulty in actually creating human vulnerability management is people need to change their behavior. The only thing that actually reduces the risk of a human-involved breach is actually if they change their behavior, and as a result, that risk no longer exists. So the only way to properly mitigate the risk is to remove their behavior and change it, which, as we just said, is incredibly difficult.

So that is kind of the crux of the issue: getting people to change, let alone myself or anyone listening, is hard. Getting others to change is even harder.

That's what I wanted to bring you all today. We talked about what the difficulty of human vulnerability management is today.

A talking track that I often get looped into is: why should individuals care about this? Isn't this a business thing? They got cyber insurance, they get all these fancy security tools and whatnot. Only businesses should care about this.

Actually, on our next episode, what I'd really like to do is explain why should individuals care about this? Why should an average person—maybe they work from home, maybe they work for themselves, or maybe they work at a large organization—what is your own behavior? What is the risk that you are introducing into your life? Whether that's the risk of identity theft, or the risk of money getting stolen, or impersonation, or anything like that, you're introducing, and why should you care about changing some of your behaviors to reduce your personal risk?

I might have some things that you haven't quite thought of before, so I'd highly recommend you come check that out.

Once again, I'm Connor, I am the CEO of Phin Security, and I am your host on Gone Phishing. I look forward to seeing all of you next time.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out. Phin Security at Phinsec.io. That's P-H-I-N-S-E-C io. Thanks for fishing with me today, and we'll see you next time.