Alexei Balaganski, Lead Analyst and Chief Technology Officer at KuppingerCole, will discuss the Human Factor in Cybersecurity on Wednesday, November 10 from 11:00 to 13:00 in the first track at Cybersecurity Leadership Summit 2021.
To give you a sneak preview of what to expect, we asked Alexei some questions about the track.
What exactly is the human factor in cybersecurity after all?
Well, here we are starting with the right questions. Yeah, cybersecurity, in general, is a field where everything depends on the right definition because more often than not, we hear people talking about things which they call a certain title or name or definition or buzzword. But they talk about totally different things, right? Whether it's cloud or Zero Trust or even blockchain. It may mean different things. And the same applies to the "human factor". I would say, first of all, it's more than one thing with regard to cybersecurity. Perhaps I would try to identify at least three.
The most obvious one is, to err is human, everyone makes mistakes, and especially it applies to users of information technology. So it's the normal business people, not the experts. They are doing their job, they're trying to do it as securely as possible, of course, but they just have no idea how to do it properly, how to deal with all the technology. So they make mistakes. And sometimes this can lead to a massive data breach or a compliance violation. Not very often, but it can. Of course, there are a lot of bad actors out there who try to exploit this. We have a multitude of different attack vectors. The most obvious ones are social engineering, where you just get an email, which looks normal, it might even come from your CEO, and you click a link and you get a malware download and you have a ransomware attack. Or it might lead to a discussion with a person that pretends to be the CEO and you end up wiring all your corporate money to a hacker's account. There are a lot of possibilities to exploit. And everything depends on this human factor.
However, this is not the only thing we have to worry about. One other major problem is the so-called skills gap in cybersecurity. Here we are talking about experts, actual security analysts, technicians, or people who are supposed to protect those, quote-unquote, innocent businesspeople. But you just don't have enough of them. And even those who are employed are always overworked. They have too many things to deal with, but too little time. So, yes, that's the skills gap. It has existed for a decade at least, and it's only growing. And there is no simple solution on how to address it.
And finally, last but not least, there are people in the company who make executive decisions. These are usually not the technical people. But again, might be your CEO or some other person who decides, OK, we should spend some money and deploy a new security solution. Or perhaps we shouldn't. Or we want to switch to a totally different business platform. Maybe it's Salesforce, maybe something else. But every new business platform comes with a set of new security risks. And if those executive people make those decisions without consulting with proper security specialists like us, for example, at KuppingerCole, this might lead to massive security and compliance problems afterward as well.
So I would say these are three major human factor problems we have to deal with.
In thinking about the human factor in cybersecurity as you described it right now, we also have to talk about the insider threat. What strategies and probably technologies can help organizations reduce the risk from such threats?
Again, when we talk about the insider threat, we have to think about multiple different kinds of it. The most obvious one is yes, the most common one is just negligence. People make mistakes. They click the wrong button, they delete a database. Or they click a wrong link and they end up firing off a ransomware attack. Theoretically, any employee can do that. They don't have to be an expert. They don't have to have special access rights, anything can happen. How do you deal with those? Well, it's everything you do, everything you plan and deploy and operate with regards to cybersecurity that has to somehow address all those challenges.
The other kind of insider threat is those disgruntled and privileged employees. Maybe they just want more money. Maybe they want to work for a different company and got to steal your trade secrets. Maybe they are colluding with a hacker, and they might even be blackmailed and forced to deploy malware just to let those hackers start their attack on your company. Again, this is very difficult to deal with because more often than not, you just cannot identify what is the difference between, quote-unquote, normal people acting normally. And again, those, the same people acting maliciously. Perhaps one of the most common ways to at least detect those attacks would be something behavior-based. But you have to observe how your workers act normally, how they work, how they do their daily jobs, and then identify when something uncommon happens, an anomaly. Unfortunately, most of the tools you can get for this purpose are pretty basic in terms of yes, they can identify that something unnatural is happening, but they will struggle to explain why exactly it is unnatural. What exactly is this anomaly about and why you should kind of put all other things aside and investigate it. Solutions that can explain it, I would say they belong to the, quote-unquote, next-generation security analytics solutions.
If I understand you correctly, nowadays, when we no longer recognize the classical divide between inside and outside, we should not distinguish so much the threats from inside from those from outside, is that right?
Absolutely, not just should not, you cannot anymore, because, well, first of all, for many companies, there is no inside anymore. And we are now still working from home for such a long time and will probably continue doing so. So if I am talking to you now from my own home, am I inside the company or not? And of course, a firewall would never detect me doing something malicious because there is no firewall at my home. And even if there was one, it's not connected to our corporate security. So absolutely, there is no longer any difference between inside and outside. You have to treat every action, every activity, every potential threat the same, regardless of where it's coming from.
Is this where Zero Trust as a concept or strategy comes into play?
Exactly, Zero Trust, I would say, is a theoretical concept which attempts to address all of those challenges at once. Basically, Zero Trust is the philosophy, it's the idea of how you should completely redesign your corporate network and your corporate security architecture to make sure that you can deal with any of those, quote-unquote, insider threats, whether they happen inside the company or somewhere outside. For example, at home.
So yes, Zero Trust is exactly the solution, but unfortunately, Zero Trust is not a magic pill, not a panacea. It's not something that you can just buy, deploy and forget about. Zero Trust is a new way to operate your business, if you will. And the tools are secondary.
Looking into the future: How do you think the threats will develop in the next three to five years? Will it become more serious or will the "good side" be able to develop faster than the "bad side"?
Well, I mean, here, in the field of security, we are always on the wrong side, if you will. We will never prevail because a hacker only needs one vulnerability to break your entire system, and you have to deal with all of them at the same time. If you only missed that one, oh, you lost already. So, unfortunately, I would not be optimistic. Cyber attacks will definitely grow in scope and number and power, if you will. It's becoming even cheaper than ever now to stage a cyberattack. You can even get one as a service. You only need your credit card and maybe your blockchain or Bitcoin wallet to start with one. So in that regard, no, there is no light at the end of the tunnel, if you will. But there is some hope in the new technologies and in the new approaches to designing your corporate networks.
You've already mentioned Zero Trust. If there is a company that starts with Zero Trust, it doesn't have any legacy network at all. I would say it will be automatically protected from perhaps 95 percent of all the common cyberattacks. So it will never be completely secure, but it will make the job of their IT teams and security teams much, much easier. If you add strong authentication, for example, into the mix, just that alone is a major booster of cybersecurity. And of course, things like security automation. So if you have this combination of modern, innovative security technologies, you will be much safer than before. You will not be safe, but at least you will be protected from a lot of drive-by attacks, if you will, which are not specifically targeted at you, but you will never be the collateral damage in such an attack.
Do I understand you correctly? Do you think that something like Autonomous Security, which makes security smarter, for example through machine learning, will help companies rule out the human factor in some future time?
Well, it's a difficult question because, again, we are talking about a thing which many people tend to misunderstand completely. Autonomous security does not equal automated security. Autonomous does not necessarily mean that it's operated by a robot or artificial intelligence. Yes, we know that AI is a huge buzzword nowadays. And we've observed a lot of interesting developments. But we know that even now in cybersecurity, nobody trusts AI to make security decisions. Simply because there is a lot at stake and a wrong decision can ruin your business completely, especially if it's something like manufacturing or high-speed financial trading. So people tend to mistrust AI.
And when we're talking about properly autonomous security, it's probably still managed by a team of security experts. But the team doesn't have to work for you. It might be just the managed service, a multi-tenant managed service even, so someone who's operating your security for you as a service from a remote location. But they are still kind of much closer to your infrastructure and your pain points and bottlenecks to quickly identify any attack. But again, there will still be a human, in the end, making a decision. But your goal is to make sure that that human is the best one, the smartest one, and the one supported by the best tools. So a robot will never replace a human in that regard. But they will help.
Do you think "never" is a word to be used in that context?
Well, I dread the times when robots will make all the decisions for us. I think they will be more like Skynet than benevolent...