The White House Was Hacked – Could It Happen Again?
On Tuesday it was reported that foreign spies likely breached sensitive computer systems in the White House and State Department. The attack is believed to have begun with a targeted phishing email; foreign agents tricked at least one American worker into taking unsafe actions that opened the door for hackers who ultimately expanded their attack into a major breach.
Official reactions to the attack play like a broken record with the usual generalities about the importance of cybersecurity and the need for improvements in cybersecurity at a national level; we have all heard these proclamations in the past and will hear them again after the next breach. And there most certainly will be a next breach, as the core problems that led to the present breach – and to many others like it – are not being addressed.
Just last week, the information technology association, CompTIA, released a report called “Trends in Information Security.” One of the key findings documented was that while human error is definitely the overriding enabler of many security breaches, businesses do not consider human mistakes to be a major concern.
This scary paradox is something about which many experts have been raising alarms for some time, but which has fallen on deaf ears; approximately half of American businesses still do not have any formal cybersecurity education programs for their employees. But, the issue is not just a matter of education; plenty of firms with education programs in place have suffered serious breaches. That is true vis-à-vis the government as well.
So, what is the problem?
Criminals and spies know that cybersecurity technology improves at a rapid pace, but that it takes millennia for the human mind to evolve, making people an increasingly weaker link in the information security chain. Hackers, therefore, work on designing new techniques for tricking people on a regular basis.
That’s why cybersecurity programs and technologies must incorporate formal expertise on human behavior if they are to be successful. Educating employees and customers for the umpteenth time about the dangers associated with clicking links and deploying the umpteenth generation of email filtering software is simply not going to sufficiently protect people.
Yet, despite the obvious flaws in addressing breaches by simply piling on increasingly complex technology and “security training” as a “solution” – that’s exactly what frequently happens. Consider how many public officials have made statements about improving cybersecurity, spending more on security technologies, or the need for the government to work more effectively with cybersecurity firms to improve security, versus how many have called for better interaction between psychologists and technology teams, or for the involvement of human-factors experts in the design of security programs?
From the first article I wrote for Forbes in 2012 entitled Your Biology May be Impacting Your Digital Security, through more recent ones such as Why You Should Ignore Everything You Have Been Told About Choosing Passwords, and Why You Are At Risk Of Phishing Attacks, I have stressed the fact that human weaknesses are increasingly becoming the Achilles' heel of information security. I invested in research into these areas when designing information-security products, and my partner in creating these offerings, Shira Rubinoff, now recognized in the information-security industry for contributions related to the human aspects of information security, was formally trained as a psychologist before entering the space. If we are going to successfully curb attacks that exploit human weaknesses, we will need the wisdom and contributions of many more experts on human behavior.
As Richard Blech, CEO of Secure Channels, summed it up: “The job of technology is to design systems to protect us from human error.” For that to happen, of course, people who understand people and the errors that they make must be involved.
In future articles I will discuss other reasons that large investments in security technology are not adequately paying off. But, one thing is clear – human factors are a primary reason, if not the primary reason.
So, if you are seeking to secure your business, keep this in mind: Human factors have to be a primary consideration, and addressing them can often be the difference between being breached and remaining secure. I hope the folks in the White House are listening.
Find the original article here.
For more articles featuring CEO Richard Blech, visit securechannels.com