This post is an introduction to Human Attack Surface Management, a new cybersecurity approach to managing workforce security in the enterprise.
Elevate Security was founded for some very simple reasons.
We’ve spent millions upon millions of dollars on security tools and technology, only to find they simply discover more problems without truly decreasing risk for our enterprises to an acceptable level.
As we dig into the root cause of alerts and incidents, year after year, what we find is a similar story. Our technology investments are not living up to their promises, and almost all of our incidents are still due to human error.
An end user makes a mistake online. Cyber defenses fail. Bad actors attack. Cybersecurity incident occurs. Bad things result. Rinse and repeat.
How have we progressed as an industry over the last decade or so? Well, let’s look back to 2011:
- Globally, the security industry was spending $55 billion a year on technology.
- 300+ security companies
- Verizon's DBIR for that year was dominated by phishing and malware.
- 667 breaches confirmed
Now fast forward to 2021:
- Global security spend is expected to be $230 billion
- 3000+ security companies
- The most recent Verizon DBIR is published. Phishing, malware, passwords and other issues dominate the report.
- 5,250 breaches confirmed
What’s changed? We’ve spent more than 4x on security, seen the number of vendors selling security solutions grow 10x, and recorded nearly an 8x increase in confirmed breaches. (The DBIR's contributor base has also grown a great deal over that period, so the raw breach counts are not a strictly like-for-like measure; the trend in what causes breaches is the more telling comparison.)
What hasn’t? The root causes of incidents are the same ones we saw 10+ years back. If I were on a board of directors and saw that return on (a massive increase in) investment, I’d be extremely skeptical.
Clearly, cybersecurity has not made the progress as an industry we would have hoped.
Cybersecurity Isn’t Focused on People
At a very fundamental level, the job of cybersecurity is to protect two things: data of course, but also people. Yet our industry of late has argued (and sold myriad solutions) focused on protecting networks, applications, email, endpoints and other systems.
The current cybersecurity vendor landscape has failed us for this simple reason: it’s lost sight of why security teams exist. It has gotten us wrapped up in the latest whiz-bang features and capabilities, chasing the latest technology shifts. “Wow! Look over here! We’ve got AI and machine learning!” Vendors do it all in the name of making money, but have missed the mark on reducing risk for the things you should be protecting.
Humans. Data. Don’t lose sight of that.
Because in a world awash in constant threats, we can feel like we’re running on an infinite hamster wheel. We have constant pressure to increase our security capabilities against an enemy who has a distinct advantage over us. It feels like we’re in a race we can’t win. Sometimes we wish we could just pause and catch our breath!
Someone needed to hit the reset button. That’s one reason why we started Elevate.
Cybersecurity is Causing Business Friction
The 2021 Verizon DBIR found that 85% of breaches involved a human element, whether a phishing click, a misused credential, or a plain mistake.
Because of this, cybersecurity puts a lot of emphasis on protecting our end users from themselves. In fact, we’ve added layers of security to every way they could screw up, from identity to access, browsing to email. The aim of all these tools is to make it more difficult for your workforce to make mistakes. But, it’s often a one-size-fits-all approach to security controls.
The problem is, every time we add another layer of protection, we add FRICTION for the employee, supplier or contractor who is just trying to get their job done. That 4x increase in spend over the last decade has added a LOT of friction to the average enterprise.
One recent research study tracked a 450% increase in end users intentionally circumventing security controls with the shift to remote work since 2019. Getting anyone in your workforce to admit they do it is something else entirely.
Security teams have become known as the “Office of No”, a dreaded part of the organization that impedes business efficiency. Maybe even more dreaded is that we’re constantly trying to train security into users, expecting that one more video will make the difference. Security training programs and phishing simulations are often regarded as, at best, annoying and at worst, punitive. Our recent report with Cyentia Institute found them ineffective at delivering the behavioral change they promise. Once again, it’s a one-size-fits-all approach.
There is a better way to approach this human error problem. One that thinks not in terms of one-size-fits-all tools, technologies, and training, but rather in terms of truly understanding and mapping human risk to business risk. We then need to enable right-sized controls for a given end user at a given time – think Zero Trust for your workforce, with custom-fit controls. If we can drop these one-size-fits-all approaches, then the security team can be seen as a business enabler that values speed and efficiency as much as the rest of the enterprise.
Someone needs to eliminate the friction. That’s another reason we started Elevate.
What Is the Human Attack Surface?
The mapping of human risk can be expressed as the human attack surface. Human attack surface is the sum total of people’s actions, access, and security controls that impact an organization’s risk.
Let’s examine this definition, because each word holds significant meaning:
- People – full time employees, part-time, contractors, trusted suppliers, seasonal workers, third party vendors
- Actions – what good and/or bad decisions do these people make on a daily basis that improve or hurt your organization?
- Access – what systems and data do they have access to? What levels of access do they have?
- Security Controls – what controls does your organization deploy (or not) that affect the effectiveness of attack vectors aimed at people?
More deeply, it’s about understanding that each and every end user is an individual whose good or bad decisions impact security in proportion to the specific level of access they hold. Each successive mistake by a risky person raises the likelihood that their access is abused, widening the blast radius they represent on the human attack surface and the individual controls needed to contain it. Controlling for the riskiest people helps to mitigate your organization’s overall level of human risk.
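The definition above (people, actions, access, controls) and the earlier call for right-sized, per-person controls can be turned into a small scoring model. The following is an added, constructed example and not Elevate Security's own model: the system impact values, the weights on actions, the residual-risk factors for each control, and the sample workforce are all illustrative assumptions. It ranks people by likelihood (their actions) times blast radius (their access), discounted by the controls already applied, and then lists, per person, which missing control would buy the largest reduction.

```python
"""Scoring a human attack surface per person.

Constructed example; weights, system impact values and control effects
are illustrative assumptions, not figures from the original post.
"""
from dataclasses import dataclass

# Assumed impact of an attacker holding an account with access to each
# system (higher = larger blast radius). Illustrative values.
SYSTEM_IMPACT = {
    "email": 1,
    "hr_data": 3,
    "source_code": 4,
    "prod_db": 5,
    "domain_admin": 8,
}

# Assumed per-person controls and the fraction of risk each leaves in
# place once deployed (0.5 = halves the risk). Illustrative values.
CONTROL_RESIDUAL = {
    "mfa_enforced": 0.5,
    "browser_isolation": 0.7,
}


@dataclass(frozen=True)
class Person:
    name: str
    role: str                 # employee, contractor, vendor, ...
    phishing_clicks: int      # actions: clicks on (simulated) phishes
    malware_events: int       # actions: endpoint malware detections
    policy_violations: int    # actions: e.g. unapproved tooling
    access: frozenset         # access: systems this person can reach
    controls: frozenset       # controls already applied to this person


def action_score(p: Person) -> int:
    """Likelihood side: how often this person's decisions go wrong.
    The base of 1 means nobody is ever zero-risk."""
    return 1 + 2 * p.phishing_clicks + 3 * p.malware_events + p.policy_violations


def access_score(p: Person) -> int:
    """Impact side (blast radius): what an attacker gets by owning this account."""
    return sum(SYSTEM_IMPACT.get(system, 1) for system in p.access)


def control_factor(p: Person, controls=None) -> float:
    """Multiplicative residual risk after the controls in place (or a trial set)."""
    f = 1.0
    for c in (p.controls if controls is None else controls):
        f *= CONTROL_RESIDUAL[c]
    return f


def risk(p: Person, controls=None) -> float:
    return round(action_score(p) * access_score(p) * control_factor(p, controls), 2)


def rank(people):
    """People sorted riskiest first: where to spend the control budget."""
    return sorted(people, key=risk, reverse=True)


def tailored_controls(p: Person):
    """Controls not yet applied to p, each with the risk that would remain
    if it were added on its own, largest reduction first."""
    options = []
    for c in CONTROL_RESIDUAL:
        if c not in p.controls:
            options.append((c, risk(p, p.controls | {c})))
    return sorted(options, key=lambda item: item[1])


# Constructed sample workforce (hypothetical names and data).
PEOPLE = [
    Person("alice", "employee", 0, 0, 0,
           frozenset({"email", "hr_data"}), frozenset({"mfa_enforced"})),
    Person("bob", "contractor", 3, 1, 1,
           frozenset({"email", "source_code", "prod_db"}), frozenset()),
    Person("carol", "employee", 1, 0, 0,
           frozenset({"email", "domain_admin"}),
           frozenset({"mfa_enforced", "browser_isolation"})),
]

if __name__ == "__main__":
    for p in rank(PEOPLE):
        print(f"{p.name:6} {p.role:10} risk={risk(p):7.2f} "
              f"actions={action_score(p)} access={access_score(p)} "
              f"next controls={tailored_controls(p)}")
```

Run as-is, the contractor with three phishing clicks, a malware event and production database access sorts to the top, while the admin with two controls already in place sits well below him despite the larger blast radius. The point of the `tailored_controls` output is that the recommendation differs per person: it proposes MFA for the contractor, browser isolation for the low-risk employee, and nothing further for someone already covered, rather than rolling the same control out to everyone.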
This is both a broad and deep challenge.
Discover more about the unique capabilities of Human Attack Surface Management.