Cybersecurity: back to the basics, we are human after all (part 2)
Published on 28/5/2021
Author: Lisa Ménière, Regional Sales Manager
In my previous article, I tried to show how the seven cardinal sins can inspire hackers to craft effective attacks. Let’s continue with the last four sins and see which good practices you should develop.
Selfishness, possessiveness, hoarding.
If you think about personal financial greed, you are on the right path. Many hackers use this technique to manipulate employees: “if you grant me this access, I will give you XXX€” or “if you don’t do this, I will publish online videos of you doing XXX”. But greed doesn’t stop there. When people are managing a project or a company, they confuse their professional interests with private ones. That is why we see people spending a huge part of their budget on a “blue button on the bottom right because it looks great” and not on securing what comes in and out of an application.
What should we do? As Einstein said, “Concern for man and his fate must always form the chief interest of all technical endeavors.” So work agile, which means that cybersecurity questions should be taken into account from day one of your project until the end. Turn cyber-security topics into daily ones and make them the new normal, so that people stop taking them “lightly”. It is important for people to understand that cyber-security isn’t an option: when a hospital isn’t working for 3 days (Dax Hospital in France), the consequences for people not getting care or surgery are real.
Egoism, fame, individual success.
In order to feel important, many people falsely claim credentials, professional achievements or success. Self-esteem often looks for its justification in numbers, which leads people to casually inflate figures. If we look at a big company with 10 levels of management between an employee and their CEO, with each layer adding its own ego-points to the estimated cyber-security coverage, we end up with two different realities.
What should we do? Check the figures, run tests and phishing campaigns: cyber-security is not something to take on good faith or on “good numbers”. Challenge your defences and find breaches before hackers do, because if they find them before you, your company image is going to suffer… you heard about SolarWinds, right? Are you jealous of their brand-new reputation?
Over-ambition, jealousy, desire.
You love the new trendy cyber-model that everyone is putting in place because Gartner said it was cool, and you want the same. If we were shopping together, I would say “go get those shoes!”, knowing that they are fancy and that someday they will be useful (because if your closet looks like mine, you don’t really need those shoes). But cyber security isn’t about being fancy; it is all about making it work. Know your “internal customers”, define their needs and solutions, and look at your company strategy (are you doing a lot of mergers & acquisitions? Do you use IoT technologies? Do you have nomad populations, like directors checking sensitive data on their phones at the coffee machine?).
What should we do? Define a plan and stick to it. Yes, your remote working population increased by 90% in 24 hours and that’s dramatic, but you still need to step back, think about what it means in terms of risks, and plan your steps: step 1, temporary solution; step 2, proof of concept; step 3, implementation of a long-term solution. You have a budget/productivity problem? Don’t worry, it will become a much bigger problem when you get hacked (in France, between 2019 and 2020, the number of ransomware attacks increased by a factor of 4 according to the ANSSI figures for incidents handled in 2019 and 2020).
Vindictiveness, vengeance, anger.
Unfortunately, there aren’t many ways to protect your company data against whistle-blowers, and I can only encourage you to promote trusting relationships with your employees, contractors and service providers while putting in place legal protections for your company. Trust will enhance feedback, improve tests and ensure a better adoption of all your policies and solutions.
What should you do? Transparent relationships are the key to a successful project. I often have customers who test a solution and never send any feedback. Providers are supposed to be the experts on their solution; if you don’t trust them and don’t feel like contacting them, just don’t buy from them. Being cyber-secure is not about having a good contract. It’s about having a good contact, and that way you will always know about the latest patch, update or release.
95% of cyber security breaches are caused by human error but 100% of cyber security breaches can be solved by humans. Loving your imperfections is all about caring about each other and accepting that no one is perfect and that no one will ever be.
You can teach people: if we can learn how to do CPR (which is not easy to perform in a very stressful situation), we can teach people how to act and react in the face of cyber-attacks. But we can also take our weaknesses into account in our cyber-security framework and in product design.
At TheGreenBow, humans and imperfections are at the core of our Client VPN strategy. We are fighting the 7 cardinal sins with features such as transparent deployment, Always-On, and Trusted Network Detection, to implement simple solutions that work on their own. We are fighting by improving connectivity using IPsec, by holding Common Criteria EAL3+ certification and approval for NATO and EUCI Restricted information, by making our products compatible with MFA solutions, by monitoring end-point health and by delivering regular patches. This makes us a robust security solution with proven experience in securing remote workers, end-points, IoT, hospitals, the military, government administrations, big companies, banks, and retailers.