Browsing through the situations vacant for security positions, you will most likely be faced with a barrage of postings for cyber security specialists who have high levels of technical knowledge and a deep understanding of system and network complexities. The emphasis of corporate security appears to have swung away from physical security, perhaps understandably, as the likelihood of a business-threatening loss of data is greater than, say, a hotel being attacked by terrorists, which arguably poses a lesser strategic threat to the business, unless of course there had been gross negligence in the security management. Furthermore, when companies lose data, they not only have to deal with the immediate impact on stakeholders, but they also face very serious, perhaps ‘fatal’, regulatory impacts.
Facing such serious threats and impacts, it is understandable that many companies seek to build their network walls higher and thicker, sometimes gaining false assurance by not acknowledging that the ‘enemy’ might already be within the walls, that the ‘enemy’ may have developed a bigger gun, or simply that the walls have been poorly constructed. This is a natural response because, by and large, traditional cyber security is linear: the technical threat is X, so the defence will be Y. This is nice and simple; third parties provide Y, and may even tell the company what X is, so it is just a case of selecting and buying the best Y for the threat circumstances and the available budget.
An oversimplification, I am sure, but this model misses the hugely important ‘H Factor’: the HUMAN factor. Threat actors seeking to breach cyber systems are HUMAN, the victims of cyber crime are HUMAN, employees who ignore or forget to comply with cyber security protocols are HUMAN, and the overworked Patch Manager who fails to keep up with patch management is HUMAN. A cyber defence system that does not give equal attention to the ‘H Factor’ is doomed to almost certain failure.
As an Intelligence specialist, if I had ambitions to damage a company, cybercrime would undoubtedly be my weapon of choice because, if successful, I would get the ‘best bang for my buck’. Would I bother, or go to the expense, of devising a technical attack? No, the Human option would be my first choice, exploiting Human vulnerability, naivety and avarice. I could ‘hunt’ in bars and social locations where target employees hang out. Companies that are making people redundant, have employee relations difficulties or suffer poor morale would be a hugely fertile ‘hunting’ ground, my aim being to recruit someone who has legitimate access to data systems: to get behind the wall. Unrealistic? Everyone has a price or a gripe. I am sure that social media would enable me to conduct more clinical targeting to identify individuals who are likely to have system access of interest, where I would be likely to find them and what approaches to take. Failing this, I could infiltrate Humans into a target company through normal recruitment processes to do my bidding. I know of an instance where such an operation led to a multi-million-pound loss. From this we can see that hugely expensive technical cyber security measures can be circumvented by inexpensive means.
If I were a little more technically minded and had a little more cash to spend, I could look at Crime as a Service options, perhaps hiring technical attacks, from a Human, to gather system and user intelligence with which to plan future attacks. Then again, I could just go for the ‘jugular’ to deliver immediate dividends by exfiltrating data, preventing data access, defacing systems or destroying them. Maybe I might consider a combined attack: getting an insider and hiring a technical attack, perhaps from Serious and Organised Crime Gangs.
On the other side of the coin, and adding to the complexity of the ‘H Factor’, is Human fallibility through omission, lack of diligence or honest mistake. The key challenge is how to influence Human behaviour when interacting with and using the network, so as to minimise the actions that make the network vulnerable.
In our next blog in this series, we will consider approaches to managing Human threats and risks to the cyber environment.