
Risky Business: How To Avoid Paying The Security Price For Not Understanding Your Users
By now it shouldn’t surprise us, but it still needs to be said: cybersecurity really isn’t about technology.
Inevitably, and quite correctly, vast arrays of technology are brought to bear on security modern businesses, their valuable data and systems, and their functions and financial viability. And of course, the systems that contain the vulnerabilities and weaknesses that attackers seek to exploit are technologies in and of themselves. So the ways many of these problems arise, and the ways in which they get solved, involve technology intimately and necessarily. But at the heart of every business, every system, and every security incident, there are people – and it is their capabilities, motivations, mindsets and split-second decisions that make all the difference.
A RANT roundtable held in London, and convened by the email-security-provider-turned-risk-reduction-specialist Mimecast, found a high-level group of CISOs, BISOs and senior cybersecurity practitioners sharing thoughts, ideas and experiences around human risk. It was noted at the outset by both Alastair Dickson, Mimecast’s enterprise sales director, and Jhetan Gaijar, the firm’s field CTO for the EMEA region, that even in the few weeks between the discussion topic being circulated to RANT community members and the event taking place, ideas had shifted: instead of businesses concentrating on risky users, more seemed to be focusing on the risks posed by non-human identities, particularly agents created by or with generative AI systems.
Yet even with that idea flagged up at the start, the attendees spent the vast majority of the roundtable talking about humans rather than agents. For many, the question about who their riskiest users are was fairly straightforward to answer – even if doing anything to limit that risk would be incredibly difficult, again for reasons that are usually very little to do with technology and largely based around personality, seniority and interpersonal politics.
The Dream Is Always The Same
“I know who my riskiest user is,” one CISO said without hesitation. “He’s very clever, very bright – speaks in binary. He turned off MS Defender because he didn’t think he needed it, and was running all kinds of software. He can never remember his password, so he’s got it written on a yellow sticky note on his workstation, and he’s texted it to his wife just in case. He’s an admin.”
“We have a similar situation,” another senior leader said. “Our cyber team are very clever and very technical, and they think the rules don’t apply to them. They’re that good, that they reckon they’d never fall for anything. But by the very nature of the work they do, they’re a much greater risk to the organisation.”
“When the average person clicks on something, it causes a headache,” a third embattled security leader agreed. “But in an organisation of thousands of people, if you’ve 10 super-admins with God-level privileges and one of them clicks on something, then you’re in a world of pain.”
Dealing with the threat posed by the expert user can be tricky. It’s certainly not a problem that can be solved by the business investing in a new tool or technology – though you may only find out that the threat exists by deploying some software that will surface the combination of high-level privilege and disdain for established enterprise-wide usage rules. Ultimately, the only way to successfully address this involves having a difficult conversation with the individual in question, and then keeping them under a watchful eye thereafter.
“That guy was given a written warning,” the CISO with the sticky-note-writing colleague recalled. “We weren’t officious, and he understood so there was no need to get nasty. His manager explained why he had to follow the rules too. But it’s very hard, across an organisation, where different IT admins are doing their own thing, to have a completely locked-down system. Privileges migrate over time; there’s shadow IT. People aren’t careless. But understanding every variable is not really viable.”
After The Fall
If a business has managed to rein in the “it won’t affect us” behaviour among its admins and cybersecurity teams, there’s another category of user who are likely giving headaches to the security leadership: the board and the senior executives. In their case, this is because their intimate knowledge of – and largely unfettered access to – all of the enterprise’s crown-jewels data is accompanied by a tight timetable and a high salary; and, often, these are connected to a significantly enlarged ego.
“The cyber teams often feel like they’re the experts, so they won’t get caught out,” one CISO moaned, “and the board and the execs don’t do the training because it takes up too much time. It’s like they think the rules don’t apply to them.”
This combination means, all too often, that board members or high-level executives are unwilling to lower themselves to do the drudge work vital to keep the business secure, and believe, like the admins, that they can pull rank when it comes to personal behaviours – because their value to the business shouldn’t be restrained by all that security red tape. Unhelpfully for the security teams, their identities are usually plastered all over the public website and the financial pages of the news media, so the risk of them being targeted by a phishing campaign is higher than the average lower-level drone.
“At a previous organisation I worked in, the CFO failed a phishing test,” one security leader recalled. “He’d turned off Defender because he found it was a pain. It’s often that very privileged user who thinks differently and bypasses the controls who becomes the biggest risk.”
Other attendees chimed in with examples from their businesses where senior corporate leaders had either been caught by a phishing simulation, or had clicked on a link in an actual phishing email. Encouragingly, some of them had chosen to “out” themselves within the business afterwards – using their mistake as a teachable moment, reminding the rest of the business that this can happen to anyone, and encouraging the entire workforce to be on their guard. But still…
In The Air Tonight
Of course, after an exchange of tales of woe, the talk turned to how – if at all – such problems could be contained, minimised, or even, possibly, eradicated. For all that a high-profile staffer issuing a company wide mea-culpa can help focus the wider workforce’s attention for a while, that doesn’t count as solving the problem: as one CISO noted wearily after their company had scored a perfect zero click-rate in a company-wide phishing exercise following an uncomfortable incident, the one they carried out a few weeks later saw rates back up around 20%.
This is where the discussion hit upon the theme that came to define it: dialogue. The challenge, several leaders all agreed, is not so much about getting those click rates down, it’s about understanding why people click in the first place. If you can do that, there’s a chance you can build an environment and a culture within your workplace where people won’t click, because they’re no longer put in a position where doing so is even slightly tempting.
“I’ll go and talk to people who’ve clicked, and I’ll ask, ‘Why are you doing that?’,” one leader said. “If it’s because they have to go from one account to another, then OK – I get that. It’s not my job to make their job more difficult…”
“It is!” another CISO interrupted, jocularly but pointedly. “Because the consequence for you when they do something stupid is months of hard work.”
“The reality is that pretty much everyone in the organisation will make a mistake at some time,” another security leader said. “Humans live incredibly complex lives, and get themselves into all kinds of muddles. Even in an ordinary life, people are subject to a lot of stresses, and can easily get caught out by a timely – or, for them, mis-timed – social-engineering attack that gets them when their defences are at their weakest.”
Tackling this problem can be conceptually challenging, and perhaps difficult for businesses to implement within a hierarchical and strictly role-based corporate structure (is it really security’s job? Is it HR? IT?). But in those companies where it has been tried, the effects can range from the healthy to the transformational.
“In our company’s history, nobody had ever talked to the user,” one CISO said. “We put out two queries every day to our users, and they have to answer them. We found that some users don’t even have the ability to do certain things on certain browsers, and the things we were asking them to do weren’t compatible with how they work.”
The Pump
And then there are the businesses where the instinctive behaviour is less about receiving than it is about transmitting: where, when employees are heard from, they’re hopefully reporting back with news of enhanced productivity and big wins – not being canvassed about new problems the enterprise has to allocate additional resources to fixing.
And it is here where the dread spectre of generative AI looms largest. Not only are these powerful tools in the hands of adversaries who are using them to help craft ever-more convincing phishing emails or to carry out more successful social-engineering attacks, but business leaders are obsessed with them to the point of pushing their adoption via some not-entirely-helpful new corporate initiatives.
One senior security leader described a situation that has come about in their company, where staff are given a target of a minimum number of tasks they should carry out per day that involve use of an AI tool. They made the point that, whatever the benefits the company will see from greater use of genAI, such a policy adds risk.
“Everyone’s trying to do things just to put ticks in boxes,” they said. “If I get an email that says, ‘Your scheduled Copilot task has just run’, and I click on it, then great! That’s just upped my score. But it was a phishing email – oh, you just got phished.”
“There are psychological characteristics that mean people are being rational and wanting to be productive, and those are the things attackers exploit,” Mimecast’s Gaijar noted. “One thing we’re not indexing properly is that AI is accelerating that. Not from a technology perspective – now I’m worrying about whether I’m being more productive than my colleague. I have to be at least as productive, if not more so, in order to keep up. So all those cycles are speeding up.”
Gaijar went on to outline one way in which some of these competing imperatives could be balanced, though it would not be without significant challenges for businesses based in all but a handful of the world’s nations.
“The problem is, email was intrinsically designed as an open standard,” he said. “There are a variety of technologies that can give you a high degree of confidence [that an email is legitimate] but that doesn’t help if the sender’s account has been taken over. One area we’re looking at is called intent-based analysis: we’ll try to look at what the intent is that lies behind an email. But implementing that doesn’t raise a technical problem: it’s a privacy problem – because, in order to do that, I have to read your email.”
In the mean time, attendees seemed to agree, one of the best things that security teams can do is to open, and maintain, ongoing and blame-free dialogue with the users. Understanding why they do what they do will help to minimise the number of times where they engage in risky behaviours. And if the users feel that the security teams are actively trying to help, and are encouraged to understand why different security measures are necessary, there is less likelihood they will adopt covert workarounds.