When it comes to cybersecurity, many people focus on red/blue teams and technical measures such as servers, firewalls, encryption, and intrusion prevention systems. However, one crucial factor that is often overlooked is the human factor. All of these technical measures will count for nothing when it comes to insider threats. Even the most robust cybersecurity measures can be rendered ineffective by social engineering threats.
In this keynote, I will present several use cases to demonstrate why it is essential to consider the human factor in any organization’s cyber threat landscape.
Okay, thank you very much for being here. My name is Patrick Hirsi and I'm representing Swedbank. Here we are going to talk about why the human is the most important factor in cyber security. I'm pretty sure in recent days you have heard a lot regarding AI, you know, tools and many things, generative AI that can help. But I would say the human might be the most important thing. In the interest of time, I might skip some of these slides.
Yes, we are a bank. We have, let's say, 7 million private customers, half a million corporate customers and lots of these statistics. But let's get into it. This is me 20 years ago, 25 years ago. I was thinking, what if I had that amount of money? With that I could buy a simple, I would say, super luxury car. And what if I could afford 22 super luxury cars? That means I could afford one simple, total average cost of a data breach. That's how much it costs, the total cost, because it is not just the damage itself, it is the recovery, building your infra again, and also fines and many things.
It's just like that: 22 super luxury cars. That's according to IBM. And I'm afraid to say only one third of these breaches you will get to know about yourself. Two thirds of them you will get to know about from someone else: government or, I don't know, service providers. They will let you know you have a breach and you haven't been aware of that. So what should we do? Should we go back to the boring security things? Like let's go for asset management and then say, what kind of risks do we have? That's one way. Some might argue that no, we have breaches because we don't have enough sophisticated tools.
Let's go buy them. That is true in many cases. But however, tools are not the only problem.
You know, that is exciting. Of course, you know, let's get better tools, let's get more sophisticated firewalls, valves, you know, all of these AI-enabled whatever. But is that really the case? I'm telling you:
No. You know, let me ask you this question. These respectable names up there, what do they all have in common? They all experienced breaches, and they were very rich, you know, and they were really compliant with PCI DSS, ISO 27001, you know, GDPR. All of those compliances also don't bring any guarantee of security. So then what's wrong in here? What are we missing in here? And to me that is simple. All your cybersecurity measures are totally useless if you have an insider. That's quite simple.
I heard it in an interview, or let's say the interview of an ex-CIA agent who was very skilled in hiring spies in other countries. He said, I don't care about your cybersecurity. I have someone inside that delivers me the information. It doesn't matter what type of firewall you are using, how sophisticated it is. Why is it like that? Because the insider already has authorized access to your data. That makes it difficult.
You know, you have firewalls, you have IPS, IDS, all of these to not let people in, but they are already in. And 74% of breaches, according to this Verizon data breach report, they are using the human. I would say it's a hundred percent. I can argue that it's a hundred percent.
You know, machines don't hack each other just for fun. There is always a human behind everything. I can go on and on with these types of statistics. But let me show you one interesting thing. If this is your organization, your people, half of them are regularly doing insecure behavior online, regularly, on a daily basis. That's what people do. And I'm afraid to say there are privileged users there as well. And that's enough. A privileged user who is doing insecure behavior, a very good thing for hackers, they love that. Then what types of insiders do we have?
You know, some of them are definitely malicious, those who are doing espionage or sabotage or exfiltration or those kinds of things. And some of them are just negligent people, inadvertent people, you know, just doing things by mistake or lack of skills. And for your information, the majority of them are these people that we have.
Okay, let me just give you some use cases just to tell you this is really the case.
You know, in South Georgia Medical Center, an employee, just on the last day of work, downloaded thousands of records, thousands of patients' data, onto one simple USB, and just quit the same day. That simple, you know. Or this one, which got really famous, in a police department: they were migrating data from on-prem to cloud, and this amount of data, 22 terabytes of data, just got deleted. They could recover two thirds of it, but seven terabytes just got lost, unrecoverable. And what was the data? Unfortunately many footages, pictures and evidence for court cases, they just got lost.
Simply like that, because of a mistake. It was no malicious thing, it was because of a mistake.
This one, I really encourage you to go for it: Xbox Underground. If you search for it, it was really a thing, you know, and it was a combination of lots of different threat actors. But one small part of it was just an insider.
You know, someone who had a Microsoft badge, and a family member could just simply get it, copy that, get into the building, steal one Xbox which wasn't released yet, put it in the backpack and just get out. Possible, really possible. And this one, you know, this slippery slope is really a case in many situations. Someone in the UK, it was an academy, and one admin who got, I don't know, fired or just resigned or whatever. This guy was unsatisfied with what happened. I have no idea whether he was right or wrong, but the termination process didn't work well.
So the guy simply checked the computer: oh, I already have access to this academy and I'm not happy with them. Shall I make a little bit of damage in here?
Yes, it's possible if the termination process, you know, your IAM process, doesn't work well: joiners, leavers, movers, and you are not terminated, your access is still there and you're already admin while you are out. Yes, you can do a lot. So it started with some damage, wiping some servers, and you know, it gets worse and worse and worse. The last thing he did: you know, you have already enrolled lots of devices, your phones, to the company via Intune or mobile device management. He just wiped all phones at the very last step.
So all enrolled phones just got wiped and many people lost their photos, you know, documents, whatever, phones just wiped, you know, simply like that. Not just the hardware and the data; lots of training material was lost as well. So these are different types of insiders that might happen, okay? But are we just blaming people, like, hey, that's people's problem, we have good policies, it's just people, people are having a problem? It's easy of course to do that, but you know, as you know, we are all human after all. You heard the song, we're just human, you know: anxiety, stress, ambition, excitement.
All of these are affecting the way we think and the way we behave and the way we make decisions. And you know, we can make crazy decisions if we are under such a situation. There is already a lot to improve in our workplaces. The American Psychological Association made a survey this year and it was like 77% of workers are reporting they're experiencing emotional challenges at the workplace. This diagram by Dodson, this is a famous one. It was created a hundred years ago, almost more than a hundred years ago. And it's still valid.
You know, it shows the relation of performance and arousal, and that's, let's say, the psychological term for the brain being alert, awake, and cautious. So the performance goes up if you are awake, but after a certain level, too much, you know, pressure will bring down your performance, and it means for difficult tasks your performance will be really low. In such a situation you don't remember why you made such a decision. So that's also a thing. That's why, you know, many people are victims of these scam calls. When you get stressed, your behavior will be so different.
Okay, but let me also tell you these statistics as well. According to the APA, the American Psychological Association, if you look at only the first one, this is emotional exhaustion, what they experienced, what they saw in their surveys, and this is really a lot. Okay, what does it have to do with security? We all know this, but okay, what's the relation to us? Let me just give you a little bit of a Viking thing.
This word, I'm not sure how many of you have heard the word lagom. It's, let's say, a Swedish word, a Viking word. It was called laget om. When Vikings were together, just imagine they wanted to have some drink. They had these big horns with some drink inside. They were telling each other, everyone drink enough so everyone can drink. It was called laget om, the rule of the round, you know, so it can go round, this drink. Now it means just balanced, just enough, not too much, not too little, just enough. This is a very famous one in Nordic countries.
So security needs to be just enough. Just enough security is enough. If people are that stressed, that under pressure, and we make things too complicated, people will just bypass security. I'm just telling you, you know, if people cannot work the way they like with your workloads, with your laptops, with your phones, they do it at home and they transfer it to your company. Many things happen.
You know, when people don't have flexibility in the working environment... Let it be complex, but not over-complicated. Sometimes it is complex, but it doesn't have to be over-complicated. That's what we saw, and that's really easy to say. But you know, implementing that is difficult. So again, security policies don't save you.
You know, you can put as many things as you want in a security policy. When people cannot read that, when they don't understand it, what does it matter?
Yes, generative AI might help us in here and people can ask questions, but anyhow, security policies, just putting something in the policy, won't save you. As mentioned, legislation won't help you that much either. You can be compliant but still really vulnerable to any breach. And why do people do that, really? You know, it's not necessarily something for malicious activity; it's because of the speed. You can work more easily at home than at your workplace. Your home computer is far easier to work with.
If you are searching on the internet or you want to download a picture or whatever, compared to your workplace workload, that's simply it. And you can see that this was by Gartner: one third of people are just using unapproved USB devices. Just like that. If you haven't closed it, if you haven't banned it in your organization, you have seen it, I'm pretty sure. And this one, you know, I've been working as a security architect for years and I'm telling you a secret: each time I'm saying we count on people's awareness, it means I have no other control.
I'm just begging people, please don't do anything stupid. And here, 72% of people who are bypassing security measures are already aware that it increases risks, but they do it. Why? Because it is convenient. If you have a deadline, which one do you prefer? Do you prefer the deadline to be met or the security to be satisfied? I don't think people prioritize security in here. So if you tell your manager, I've downloaded something on my home computer, worked on it the whole weekend and now I'm sending it to my workplace, will he or she ask you why?
No, they'll be happy because you have done something. You know, productivity is something that is really missed. And this MICE principle is something I'm going to tell you at the very end. It's just like why people do crazy stuff, or what makes people become an insider. M stands for money, simply. And it doesn't have to be a huge amount of money. Sometimes a very little amount of money could impact the way people do things. And I stands for ideology, simply ideology. There is an idea, there is a reason some people do something crazy.
C for coercion: if you or someone is under heavy pressure by a threat actor, they might do something you don't like. And I would say this is the most important thing here: ego. If you have people who are not satisfied with the situation, you know, if you have people that are downgraded, if you have, you know, discrimination, these types of, you know, human aspects of your workplace, if they are so serious and ego rises, you will see really strange things happening. So as I'm telling you, it is not just about buying tools. I know it is really exciting. Just go buy things.
Just go, you know, a new firewall, a new workplace, a new thing. But you know, you know, it's that people spend the money they haven't earned to buy things they don't need to impress people they don't like. That's what happens in our daily life. I'm also so excited to buy things, to go buy items. Be careful about maturity. If you are not mature enough, just buying tools won't help you. And you know, this is our slogan in Swedbank. We say security is everyone's business. It's not just about a security team taking care of everything. This culture takes time.
You know, maybe years before people start believing in it, that it is everyone's business. So with that said, surprisingly I'm finishing five minutes early.
You know, I had planned that I'm not going to make it, there are too many slides, but thank you very much for listening, and let me take questions.