Happy Thanksgiving! The holiday may equate to a short work week in the US but there is certainly no shortage of news breaking about cybersecurity, privacy and the insider threat.
The biggest cybersecurity news out last week had to be the passage of the Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act, H.R. 3359). Passage enabled the creation of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS). CISA replaces the DHS’ National Protection and Programs Directorate (NPPD). Numerous news stories have been published since #45 signed the law, all covering how the new agency will work with critical infrastructure owners and operators to strengthen defense and resiliency. Several stories that can bring any reader up to speed quickly are:
- Cybersecurity Is Getting Its Own Agency, via Kacy Zurkus at Info Security Magazine
- Launch of DHS cyber agency ‘more of a groundbreaking than a ribbon-cutting’, via Jory Heckman at Federal News Network
- Congress Passes Legislation Standing Up Cybersecurity Agency in DHS, via the DHS
You can read the full legislation at: Cybersecurity and Infrastructure Security Agency Act of 2018
Can Culture Overcome the Negligent Insider Threat?
Whether or not baking security into work culture can help to solve human-driven security challenges is the subject of ongoing debate. We do know that public and private sector organizations are investing in programs designed to integrate security into their cultures. We also know that even the most security-conscious among these can be breached.
Last week, in Dark Reading, Digital Strategist and CIO Advisor Marc Wilczek dove into the topic. In 95% of Organizations Have Cultural Issues Around Cybersecurity, Marc wrote:
According to Information Systems Audit and Control Association’s (ISACA) Cybersecurity Culture Report, 95% of organizations admit that their current cybersecurity environments are far from the ones they’d like to have. In a poll of some 4,800 business and technology professionals, a mere 5% of them say their organizations’ cybersecurity culture is sufficient to safeguard the company against threats from both inside and outside.
Why do most organizations report that efforts to integrate security into culture aren’t producing desired results? CSO columnist Roger Grimes may have part of the answer.
Last week, in How to reach that person who will click on anything, Roger reported on research being conducted by Dr. Matthew Canham at the University of Central Florida, which revealed one of the reasons why some people are easily preyed upon. According to Roger, research indicates that people can fall victim to attacks because they simply are not “criminally minded.” He wrote:
Like with any complex issue, no single trait makes a person more or less susceptible, but Dr. Canham said some early (research) observations appear to indicate that a common factor seems to be that the less criminally minded a person is the more likely they are to fall victim to all social crimes, including phishing.
Could the absence of criminal minds within employee populations be contributing to the slow pace at which security cultures mature? Could the inability to think like a criminal be driving up negligent insider threat risk? “Yes” certainly seems like a logical answer to both questions. Regardless of what the final research ends up revealing, there is little doubt among cybersecurity professionals that humans will always drive a significant amount of risk. The real question is, how can such risk be reduced?
Fortunately, at the intersection of negligent insiders, cybercriminals and the internet is a class of technologies that allow people to operate in an efficient and productive capacity while providing them with the protection needed to intercept criminal activities before they turn into cyber disasters. Dtex is among the providers of this new generation of innovations. To learn more about how the Dtex Advanced Enterprise DMAP Intelligence Platform is helping to protect trusted insiders against attacks, check out our latest customer video featuring Graeme Hackland, CIO of Williams F1 Racing.
An End to the Surveillance State
Dtex has been at the forefront of insider threat detection and privacy protection from the outset. We believe there are both performance and philosophical reasons why user behavior and activity monitoring has to be performed with dedication to privacy protection. In a recent press release we issued about a Harris Poll privacy survey we commissioned, our former CEO Christy Wyatt stated:
“The world has lost its tolerance for deceptive data practices, aggressive surveillance and privacy invasions. It’s also become more lawless; Edward Snowden, Waymo vs. Uber and the insider who sabotaged Tesla are all stark reminders of this reality.”
Wyatt has gone on to discuss the many reasons why privacy has to move to the front of the security conversation, citing regulations, consumer demands, and employee retention among the many. Last week, noted author, cryptographer and privacy advocate Bruce Schneier added to the list of reasons why aggressive surveillance needs to be reined in. In Wired, Bruce wrote:
We know that surveillance has a chilling effect on freedom. People change their behavior when they live their lives under surveillance. They are less likely to speak freely and act individually. They self-censor. They become conformist. This is obviously true for government surveillance, but is true for corporate surveillance as well. We simply aren’t as willing to be our individual selves when others are watching.
He concluded with:
Privacy encourages social progress by giving the few room to experiment free from the watchful eye of the many. Even if you are not personally chilled by ubiquitous surveillance, the society you live in is, and the personal costs are unequivocal.
You can read Bruce’s full piece here: SURVEILLANCE KILLS FREEDOM BY KILLING EXPERIMENTATION