When it comes to cybersecurity and protection, it’s easy to blame the individual. But what are more effective methods to counter human risk? Joining Harris Schwartz for this episode is Mark Sangster. Mark is the Chief of Strategy for Adlumin. He is also an award-winning speaker and the author of No Safe Harbor: The Inside Truth About Cybercrime and How to Protect Your Business. Mark talks about the biggest security concerns for businesses and the challenges surrounding them, emphasizing the executive perspective on dealing with such issues. He also discusses solutions that encompass the process and the culture of the organization. Cyber security isn’t just a concern for security leaders. It’s important to create that understanding with executive leaders and down to every employee in the organization. Stay tuned for more of his insights and tips to protect your business better.
—
Listen to the podcast here
How To Protect Your Business And Counter Human Risk In Cybersecurity With Mark Sangster
Thank you for being a guest. You’re our first inaugural guest on the show.
I am honored.
We’re starting. How about giving us an overview of your background?
I’m the author of No Safe Harbor: The Inside Truth About Cybercrime and How To Protect Your Business. I also serve as the Chief of Strategy with Adlumin Inc. I’ve spent about 25 years in the security industry. In the last decade or so, I’ve been around things like where is product innovation coming in and where we think we need to move but more giving an executive view. I was working with boards and the C-Suite to help them understand that cybersecurity is not an IT problem to solve but rather it’s a business risk to manage.
That’s interesting that you say that because that’s going to be one of my questions. I don’t know if you saw it but there was a survey by Gartner of CSOs. I forget how many CSOs were surveyed. They were talking about what are their top five goals for 2022. Some of them mentioned cloud, third-party risk, communicating risk, and the typical things that we continue to see year after year. What would you say is your biggest security concern or challenge?
For me, a lot of companies in leadership operate under a bunch of misconceptions. You can read them in the headlines post-breach like Colonial Pipeline, a major data breach, or a ransomware shutdown. It’s the basics. We’re not a target. We’re too small. We’re not a bank. There’s overconfidence in what the campaigns look like from the adversaries. They’re like, “I know if I see something that tells me I need to click a link to update my bank account information. I’m not going to fall for that.”
Ignorance isn’t bliss. It’s potential negligence.
What they don’t understand is that the lures are far more elegant than that and a lot more difficult to distinguish from legit traffic. There’s that fatalistic thing, “We can’t stop a ransomware gang or a nation-state. There were no signs before the attack.” It’s like, “There were hundreds of signs before the attack.” I sum that up as ignorance isn’t bliss. It’s potential negligence. That negligence is only capped by the creativity of the plaintiff’s lawyers. That’s unfortunately what we’re beginning to see play out.
I’m going back to your comment about security being a business issue and not an IT problem anymore. Thinking back, most CSOs and the C-Suite do understand that cybersecurity is a business issue. It’s not just IT. What would you say is the biggest challenge you’ve seen in terms of improving security along those lines?
While it pervades the headlines, it has pervaded the boardroom as well. There is some understanding there. I certainly urge people to read The National Association of Corporate Directors’ Handbook on Cyber-Risk because it goes into what your obligations are under fiduciary care and so on. I still think one of the biggest things we face is communication barriers between the technical teams, the security experts, and the non-technical leaders. Unfortunately, a lot of security leaders still talk in 1s and 0s and business people talk in dollars and cents.
That’s what they’re looking for. It’s being able to up-level your language. Stop talking about firewalls, policies, and rules and start to think about this in terms of what risks face the organization. What assets do you have? What are the obligations that go along with those assets? What’s the worst thing that could happen from an operational perspective like ransomware shutdown or something along those lines? Work backward from those objectives as any other part of the business would.
The C-Suite comes out on an annual basis and says, “Here’s the budget and our sales targets.” Everyone works back to say, “I’m going to build my bottom-up budget regardless of my function to meet those objectives.” In security, we’re still lacking that Rosetta stone a little bit. To some degree, I wouldn’t call it mistrust because it’s not but there’s almost a lack of rapport. When you and I worked together, I know exactly where you were coming from. When I asked you a question, you give me an answer. I’m going to believe it. When we don’t establish that connection, there’s that trick.
When I ask you how bad this situation is and you go, “It’s terrible. We better disconnect the internet,” I’m like, “You’re saying that because you’re a doomsday prepper or you’re prone to a bit of exaggeration. You get a little excited in these moments.” Is that even an understatement in some ways? It’s far worse than you’re making it sound because you want to downplay it. You’re worried that your job is at risk. We have to work together to create that bond and realize everybody’s in the same boat. We sink or swim together.
That’s a great overview or thought on that particular subject. It’s pretty big. We’re switching gears a little bit. I want to talk a little bit about insider threats. That’s a pretty big topic nowadays. It’s interesting that a lot of the industry reports including the DBIR that came out are now highlighting the fact that the human element is the issue, and then again accidental and unintentional. We used to call them negligent insiders. They are the cause of the majority of the incidents and things. What are your thoughts?
The old PEBCAK problem exists between the chair and the keyboard. When we start to talk about inside risks, they all jump to the Jason Bourne type, “It’s this malicious actor or somebody who’s being extorted and blackmailed.” It’s not. It’s mostly unwitting accomplices who through deception are taking advantage of the goodwill. They’re tricked into whatever action it is that the adversary wants them to take. That is still the case. Most of them don’t understand what the risks and the real threats facing them look like?
As a specific employee and function within the company, they don’t understand how that might affect or skew the way they’re going to get targeted. They look and go, “I’m just some junior finance person.” Everyone in finance thinks of money, “I’m somebody in marketing. Why is some criminal going to try and come after me? They’re going to go after Harris.” That’s where people don’t understand that. At the end of the day, we often blame the person or the human too soon.
There’s a gentleman, Sidney Dekker. I’ve read a lot of his research on aircraft accidents. He talks about that. When you blame the human, you lose the opportunity to understand all the real causes. At the end of the day, you can bring it back. It’s the board’s decision to not release the budget for certain security tools that left the gap.
People didn’t have enough time to patch a server, they weren’t trained properly, or they click on a link or do whatever. At the end of the day, the biological DNA is on there. I don’t think we have put enough focus on that. There’s this assumption, “If we put a better lock on the door, somehow we don’t have to worry about the people inside being deceived.” That has failed up to now.
I do think that people are rushed to judgment along those lines. We have seen that. Even the reports talk about it. It’s a very small percentage of humans or users that are causing the majority of the incidents, breaches, data loss, and ransomware. It’s not everybody but I do agree that there needs to be more focus on this. Maybe incorporate this as part of their overall security risk assessment. You’re supposed to be looking at people, processes, and technology. Why not look at people?
When you blame the human, you lose the opportunity to actually understand the real causes.
In business, you think of all those Myers-Briggs, Birkman, the colors one, and all those personality tests. It’s like, “I understand your personality, Harris. I can look at how my personality, where we work well together, where we’re going to clash, and all that stuff.” We lacked that on the cybersecurity side to be able to say, “Mark thinks he’s smarter than the bad guys. That’s how they’re going to trick me. It’s with something clever. I can outwit them.” Unfortunately, it’s double-blind. I get trapped or it’s somebody else that’s the super do-gooder.
We yell at them. We know they’re going to start clicking, downloading, purchasing, or doing whatever we wanted them to do. I don’t think we take that into consideration. We spend an awful lot of time blaming. There are a couple of biases that I talk about in my book. I talk about things like hindsight bias and outcome bias. Hindsight bias is the notion, “Now that I know that bad outcome, I could have seen it coming. I would have predicted it and wouldn’t have been that dumb. That was obvious. That was fake. Now that it has blown up our entire company, I would have never clicked on it.”
The outcome bias is like, “This has caused this great disaster for our firm. Somebody needs to get fired.” The problem with that is it all gets wrapped in the third one, which is time bias. We blame the last event. The kicker in the dying seconds of the game misses the field goal. We’re all mad at that bum for not making the kick. We don’t think about the rest of the game, bad plays, and all that stuff. That’s it. We’ve got to go back, systemically look at it from a risk perspective, and say, “A finance person is going to have access to wire transfers and bank accounts.”
What other controls can we put in place to mitigate that risk? We can’t completely eliminate it but how do we reduce it? Even if they do make a mistake, there’s somebody else on the ledger taking another look or an IT. How do we track patching? If something is overlooked, there’s another set of eyes. It’s a bit of air traffic control or casino security. You want to have multiple sets of eyes, dealers, pit bosses, and people up in the office with all the cameras. That greatly reduces the risk. Up until now, we do a great job at yelling at people. We don’t do much to empower them.
One of the topics that I find very important if I look back into some of my consulting days and whatnot is the topic of cyber resilience, readiness for incidents, and things of that nature. I still think that there are a lot of companies out there that are missing the mark, whether it’s an actual incident response plan or even business continuity and disaster recovery. They’re not testing that type of thing. What are some of your thoughts on this subject? What do you think?
The concept of business continuity and resilience has changed. Here are some examples that I’ll give you. We think about New York. There’s the tragedy of 9/11 and a terrorist attack. We thought a business continuity meant, “We better back up on the other side of the river and make sure that people can work remotely.” Hurricane Sandy years later rolls through, flattens everything, and floods out Lower Manhattan, “All the banks are down a second time.” It becomes, “We better be more geographically dispersed.”
We have COVID. Everyone moves to remote work models. That throws yet another wrench at us. It wasn’t the first time. It’s never going to be the last time but the big difference here when it comes to resilience is understanding that there is somebody out there who wants you to fail. This isn’t, “We got hit by a hurricane or a forest fire.” This is, “Somebody set the fire to burn down our building.” We have to think about it differently. I see that a lot with executives when I’m working with them. There’s this overconfidence in their resilience and the notion that their team will respond.
They’ve got smart and talented people. Their backups are going to work. Their insurance is going to cover them. They don’t understand that it’s like, “Your people may be good at their job but they have never been through this kind of stress test.” With your backups, one of the big gameplays for all criminals is the impairment of defenses and disabling or poisoning them. You may not be able to rely on them anyway.
The bar on insurance has gone up dramatically. You have to prove the duty of defense. Premiums are doubling or tripling. It’s not that the coverage is decreasing but we’re almost going back to the old days of buying a car, “Did you want air conditioning? That’s another fee. Did you want power windows? That’s another fee.” You’re going back into having those riders again because those companies have been burned. The best test is to have been under live fire and had to face one and see how the company responds.
The second to that is, “Are you practicing? Are you going through this on a regular basis? Are you looking at real-world scenarios and not oversimplified ones? Have you tested it? Did your executive show up to all these lunches and learns when you’re doing tabletop exercises? Were they too busy?” When it hits the fan, we’re back to square one because everyone else is prepped and they’re not. That’s where we have to think about it more broadly.
Frankly, if there was a regulator sitting on top of them telling them that they had to do it, they would do it. We don’t have that. In security, where we lack is look at healthcare or the airline industry. You have public boards that govern them, investigate accidents, identify all of the contributing factors, and make recommendations and legislative arms that then enforce them. We have this continuous improvement cycle. Airline safety has improved dramatically but in cybersecurity, we don’t share information. We settle deals behind closed doors.
None of us truly know what all the details of the Colonial Pipeline were, except for the bits that got leaked out. You’ve got a friend in law enforcement who told you something that they heard from somebody. Unfortunately, there’s that lack of content to give us that vicarious learning. It means if you’re not practicing and preparing on your own, it’s a lot worse than you think it is when you walk into work and all the files are gone and there’s a script left or a text file left behind that says, “Conti came knocking on the weekend. You’re down.”
What other controls can we put in place to mitigate that risk? We can’t completely eliminate it, but how do we reduce it so even if they do make a mistake, there’s somebody else on the ledger taking another look?
Even thinking back to when I was at organizations, it’s so important to have that executive support and even sponsorship of cybersecurity so that the decisions are coming from the top and down. You get a better play that way with the workforce, “The CFO is behind this. We have to do it.”
It’s hard when you see the C-Suite refuses to use two-factor authentication or they don’t have a password on their iPad because that’s a nuisance. You’ve got all these restrictions in place. People look at it and go, “Leadership does flow from the top.” Creating that culture starts in the boardroom and flows down through the C-Suite, the executive level, into the management, and so on. Otherwise, you have people that don’t take it seriously.
Here’s one last question for you. Are there any other key takeaways for the audience that you would like to mention?
When it comes to dealing with insiders and the threats that we humans face, you’re better off empowering employees and not compelling them. I used to joke that a lot of security awareness training was the IT’s Ten Commandments, “Thou shalt not click on a download. Thou shalt not download a file. Thou shalt not open an email from an unknown sender.” The unfortunate thing is when it’s compliance, we’re checking a box.
A lot of companies can be 100% compliant and 100% owned at the same time. It’s more about empowering them and helping them understand, “You’re right. You’re this junior employee but if we got your creds, I can use that to fool a C-Suite person.” I’ve got their credentials. I can move up the stack. I’m off to the races. I’m going to shut you down with ransomware by the end of the weekend.
It’s helping them understand that because there are things we can do in getting out of that fatalistic, “If a big ransomware gang is calling, a nation-state, or something like that, who are we to stop them? We’re some small company in the Midwest.” That unfortunate viewpoint leads to these continuous attacks, whereas if you realize, “There were plenty of signs ahead of time.”
It’s simple things like two-factor authentication, proper password hygiene, training your employees, and understanding who would be most at risk and helping them be more prepared. You can’t eliminate everything but you can teach them to swim before they go to the beach. You can do basic stuff. Put on your seatbelts and don’t be distracted while you drive. It doesn’t eliminate all the risks of a car crash but it certainly improves your chances if one happens.
I appreciate your time, Mark. You’re on the East Coast. Thank you for your time.
It’s my pleasure, Harris. It was great chatting. I hope we can do more work together in the future.
Important Links
- No Safe Harbor: The Inside Truth About Cybercrime and How To Protect Your Business
- Adlumin Inc
- The National Association of Corporate Directors’ Handbook on Cyber-Risk
- DBIR
- Sidney Dekker
About Mark Sangster
Mark Sangster is the author of No Safe Harbor: The Inside Truth About Cybercrime and How to Protect Your Business. He is an award-winning speaker at international conferences and prestigious stages including the Harvard Law School and RSA Conference. Mark has appeared on CNN News Hour to provide expert opinion on international cybercrime issues and is a go-to subject-matter expert for leading publications and media outlets including the Wall Street Journal and Forbes when covering major data breach events.