It’s the humans, stupid, or, is it the stupid humans?


I’ll admit that I don’t know a lot. In fact, I’m a bit of an outcast in the world of cybersecurity because I tend to think that most problems we face can be corrected, not by more scanners, segmentation, and sandboxes, but by spending time with the folks up in accounting on the third floor and working with them on secure practices that can keep your information systems safer. “Are you crazy?! Seriously dude, you need to go back to the 1980s!” I can hear you from all the way here in the USA, and I’m sleeping. Don’t worry, this is the flak I get from everyone I say this to, except for a few trusted colleagues who happen to like me because I agree with them. But let’s face it. The numbers don’t lie. Every…and I mean EVERY…security report I’ve read over the past five years, including Symantec’s and Verizon’s annual security reports, reveals that the clear majority of data breaches involve social engineering as the primary means of executing the attack. I know…I know. This is a hard pill for techies to swallow, but it’s a pill that needs to be shot down the back of information security’s throat right now.

Let’s look at some numbers. In 2016, Verizon reports that it studied 42,068 security incidents that resulted in 1,935 breaches. 43% of the breaches were due to social engineering attacks! 66% of malware came through malicious email attachments. And I know we love to talk about the Deep State and all their high-tech hacking tools like we find on WikiLeaks dumps, but it’s official – phishing and other social engineering techniques are the number one choice they use to compromise systems.

Seriously, this is a big problem! The problem isn’t just the fact that social engineers are excellent hackers; it starts with every IT employee and Information Security Officer in the world. Until we come to grips with the fact that technology isn’t the solution that will stop the most bleeding, we’re going to continue to see high-profile breaches. I’m begging all of you to come to the table and accept the fact that people skills might be a requirement to secure your networks.

I know what you want to hear. You want me to tell you that there is an AI solution coming down the pike that’ll analyze and quarantine every phishing attack. You’re dying for facial recognition and physical security implementations that’ll identify every con artist who walks into your building. You’re hoping for voice recognition that’ll pinpoint any shift in a shifty voice. Hey, I’m not saying that it’s not possible, and I’m not saying that there’s no stuff out there that’s attempting to do that. However, it’s not going to stop everything from getting through, and it’s more than likely going to hurt your workflow, because legitimate emails and people will get filtered as well, and that’s a win-win for hackers too. The psychology of defense plays to the attackers’ strengths…