Sunday, September 1, 2019

The Biggest Threat To Cyber Security


Recently, I’ve read a number of articles about how human error is the cause of most cyber security issues. The percentages vary but the numbers are usually well over 50%. 




Clearly the data is saying that the biggest threat is us. Not state actors or advanced threats.  Perhaps even the security team itself.

After all, there is an "i" and a "u" in cybersecurity. But, there is also a "y".


The "why" in why we allow the conditions in which human error can occur in security processes. The "why" in why we shrug and call it "human error". The "why" in why everyone is clearly too smart to ever do something stupid. The "why" in why we let human errors slide.



Accidents didn’t get the name because we somehow know when they’ll happen. 


We tend to think of human error primarily as action errors. Action errors are made by people who know the rules. They’ve been trained or told.


Slips. Doing the wrong thing on the right object or, conversely, the right thing on the wrong object. 


Lapses. Unintentionally omitting something important. 


But, we often forget about thinking errors. Conditions in which someone doesn’t have the right information.  Or in good faith a rule is applied incorrectly. 


Such as trying a completely new task. Or when someone does the task differently from the person who normally does it. Like a new hire or an intern.

Thinking errors happen because securing a process hinged on a single point of failure: the otherwise smart employee.


So, every cyber security incident needs some analysis, with lessons learned identified. Given how often human error occurs across the industry, perhaps it should be a part of your program measurements.


Was the cause of a given incident a slip, lapse, or something new? What are the controls you have in place?


More importantly, are the human errors being reduced over time? 


Because the executives don’t care if your security architecture is comprehensive but incidents keep happening. 


And that’s on you. 


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.

