Shaping the Human Aspect of Cyber Defense
In the Gone Phishing podcast episode, Connor Swalm, CEO of Phin Security, discusses the pervasive and underestimated cybersecurity risks faced by individuals and businesses alike, emphasizing that human vulnerabilities and the false separation between personal and professional digital security contribute significantly to successful social engineering attacks and data breaches.
Transcript:
Connor Swalm:
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone, welcome back. It is Connor, CEO at Phin with another episode of the Gone Phishing podcast. It seems like every day there are new reports of breaches or passwords getting stolen or big companies coming out and saying there was a data breach. This seems to be happening all the time now.
A lot of folks in the security space, myself included, are somewhat aware of the risks and the dangers at hand, and how big of a problem cybersecurity actually is, specifically for American businesses. But it seems like the average individual who's not really interested in cybersecurity, or if we want to call them cybersecurity tangential or tertiary, doesn't understand the gravity of the situation we're in—how likely it is for companies to get breached, how damaging that could potentially be, not only for themselves as individuals, but also for their business that they work at, or maybe that they own.
There's also this concept of, "Once I close the corporate laptop and shut off the company phone, I'm not going to get attacked, I'm not going to get breached. My identity is safe, or my bank accounts are safe, or something bad isn't going to happen." So there's this weird separation between personal life and professional life where hackers do not care.
Obviously, businesses represent a larger financial gain if they're able to attack them properly than an individual in most cases. But people are still not necessarily the direct target, but stealing passwords and Social Security information and banking information and other financial information such as credit cards for millions, hundreds of thousands of people at a time, that's still a really valuable set of information for a lot of malicious actors that would like to get access to that.
So what needs to happen in order to relay the gravity of the situation and what we all need to do together to an individual, so they understand it and they're bought in, and we can all be a little more secure together? What do I think needs to happen?
First and foremost, we need to start changing employees' behavior—or changing anyone's behavior, not just employees. Changing human behavior is quite possibly the most impossible task anyone will ever set out to do. So I'll caveat this entire episode with that statement, but it is what needs to happen in order for greater security to be put into place. Most of the risk—88% of breaches involve the human element, according to Verizon's Data Breach Investigation Report. I quote that all the time. I have some disagreements with the way that stat is created, but I'll use it here because it makes my point conveniently.
If 88% of breaches are a result of the human element, then it makes sense that 88% of our efforts should go to reducing that amount. Most of that is human behavior, if not all of it. Whether it's leaving your laptop unlocked and somebody doing something, plugging in a malicious USB trap you found in a parking lot, writing bad code that has a flaw in it, improperly setting up a firewall, clicking a phishing email, listening to a voicemail from the IRS saying they called you and you owe them money—whatever it is, all of this risk is a result of a human doing something that they knowingly or unknowingly shouldn't have done.
So all of reducing that 88% is just in the act of changing human behaviors—either taking good behaviors and making them better or taking bad behaviors and removing them. The first thing: convincing people that their behavior needs to change in the first place is almost impossible. Nobody likes to be told that they're behaving incorrectly or that they're doing things wrong, and as a result, they need to change the way they're doing things. Nobody likes to hear that on a regular basis. So getting people to buy into the fact that, "Hey, we're doing things incorrectly and we need to do them differently," is just hard, especially when talking to average employees or those with an average level of technical ability and telling them they need to behave differently. Most people use incredibly complex technical terms and analogies, saying, "You need to do all of these things just because." That's usually where it ends. Nobody's going to want to change their behavior because someone told them. Maybe they will if their boss does, but they'll do it begrudgingly, not necessarily because they want to.
Convincing people that any of their behavior needs to change is hard. The second part is, once you've convinced them that they need to change their behavior, now you need to convince them that the behavior you're recommending is actually better. They're going to start analyzing what you're asking them to do and what they did before and start having questions: "Why do I need to do these in the first place?" For example, enabling two-factor authentication—"Why do I need to enable this at all? I've never had any of my accounts stolen. That was Susie in another department, or that was seven cubicles over. It wasn't me. I'm not the problem here. Why do I need to change?" They'll start asking themselves questions like that.
This is indicative of a mentality that security practitioners haven't done a great job as an industry trying to enforce out of these folks: we're all on the same side together. We're all defenders trying to make sure the attacker is never right. We're trying to be right all the time, but we have potential risk in all of these behaviors that people exhibit, and we're trying to get rid of them one by one. Convincing them that the behavior you're recommending is better also requires a little bit of skill and an incredible amount of empathy to not only get them to change, commit to changing, and then commit to changing to what you want. All of that requires an incredible amount of communication skills that are lacking in almost everyone, not just the security space in general.
The third piece is you have to actually convince them, "Hey, you're going to be slightly inconvenienced, but this is going to be good for you. I promise. This is going to be good for everybody." There's this notion that someone feels hamstrung by all of these policies or things you're having them do, such as enabling 2FA, needing a second person to authenticate wire transfers, rotating passwords every 60 days, using a password manager, keeping their key card on them at all times to get into the building, and if they lose it, going through a nine-stage process to re-verify who they are. All of these are slight inconveniences that end up creating better security for everyone involved at that organization. Now you have to convince them that inconvenience is also good for everybody. It requires instilling in people this sense of, "We're all on the same side, we need to be doing everything for each other." Instilling that belief in a lot of people is also incredibly difficult.
All of this requires empathy, and that's why it's so difficult. People like doing things the way they've always done. They like doing the most convenient thing possible at their job. They like showing up, doing great work, and being safe while doing it, and that's it. Any slight inconvenience added on top of that doesn't have a perceived good or isn't believed to be best for themselves. It's just not going to come across the line as well as you think it would.
That's one of the things it would take for people to really buy into cybersecurity: we need to start changing the way we talk to them. It's really not your security folk putting in all these blockers that an average employee has to follow. Everyone is a defender on the same side, doing everything they can as a group to make sure that we're all secure. You really need to properly communicate to nontechnical folks that, "Hey, you're on our side, too. We're not against you. We are completely with you. We're supporting you, and we need you to support us as well. It goes both ways."
The quickest way to do that is to actually go where these people are and communicate with them how they'd like. If I were to continue using technical terms with people who are not very technical, or I don't explain what acronyms are, or I don't provide analogies, or even if I'm a bad storyteller—people remember stories, they buy into stories, they buy into people who tell them very well. If I'm not great at communicating in those ways, everything I say just isn't going to land the way I would like it to. So not only do I need to go find these nontechnical people, go to their place of business or talk with them in some way, but then I need to have a certain amount of storytelling and empathy, and I need to be able to drive home that all of these things are really important, that the collective behavior that all of us exhibit creates a certain amount of risk that our business has retained, and as a result, we need to change to reduce that as much as possible.
Something that I see—so I work with a lot of MSPs—something that I see that they could do to help speed this process up is something that happened to me when I was a property manager here in Delaware: you need to properly train people from the very beginning. It is very hard to change someone's behavior after they are used to behaving a certain way. It is much easier to get people to behave how you'd like—more securely—if they don't have previous behavior that they've exhibited. So if you bring on a new client and you tell them your stakeholders are going to be bought in, your management is going to be bought in, you're going to do all these things, you're going to communicate in these ways to your end users, to your employees that work your business, that we're helping you secure—if you actually communicate to them from the very beginning that's what you expect, then you're going to be in a much better place. It's going to be much easier for you.
So what do I expect the future of the security landscape to look like? I could sit here and talk about ChatGPT and AI this and AI that. I'm actually going to go a different direction. I really think that in the future, the best security practitioners and the best people who are able to create the most amount of security and remove the most amount of risk in organizations are going to be the best communicators, the most empathetic, and the best storytellers.
What I see as the future of the security landscape is that the paragons of our industry, or the people who are most beloved and actually generating better behaviors, are not going to be the most certified, the most licensed, or the 40-year veteran of the industry. It's going to be the people who have the most empathy, who are able to connect with the largest group of people because they are better storytellers, charismatic, and more empathetic. Everyone's going to want to buy into that story.
So I think what we're going to see as the future of the industry is more nontechnical folks as members of the cybersecurity industry, who are still going to be very well supported by the actual technical folks who are not only building the tools but are responsible for implementing them properly. But I think what we're going to see is a lot more of an evangelism-style role end up playing out in a lot of companies, tools, vendors, and MSPs. You can have very technical people and then you can have very empathetic people and very charismatic and good storytellers, but the intersection between those two—having both of those skill sets—is incredibly rare.
So what I think the security industry is going to need to create the most amount of good moving forward is actually having more charismatic, empathetic, and great storytellers that are able to communicate to people that are just like them—nontechnical folk who just want to be doing good work and be safe while doing it. They're going to be able to communicate to them properly, go where they are, communicate in the way that they would like, and drive home the point that gets everybody on the same side together. That's what I think we'll end up seeing in the future.
So once again, everybody, thank you for joining me. If you have any comments, questions, concerns, or feedback on what I predicted today, find a way to send me that information. It was a pleasure chatting with you all and I look forward to seeing you on the next episode. Bye.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out at Phin Security at phinsec.io. That's P-H-I-N-S-E-C IO. Thanks for fishing with me today, and we'll see you next time.