Crossroads Blog | CYBER SECURITY LAW AND POLICY

Current Affairs, wikileaks

Humans Are The Weak Link In Cybersecurity: CRN

On Dec. 20th, 2011, Jeff Schmidt wrote for CRN on how the weakest link in the cybersecurity chain is humans.  Schmidt argued that for all the high-tech cybersecurity technology we pump out, low-tech social engineering and targeted phishing have still allowed for high-profile network infiltrations.  Schmidt goes on to cite a disturbing DHS study in which DHS dropped USB drives and disks in the parking lots of government agencies and private contractors.  60% of the workers picked up those parking lot USB drives and promptly connected them to their computers.  90% of workers used those parking lot USB drives when they were imprinted with the company or agency logo.  The concern, of course, is that anything could have been on those USB drives, and anyone could have placed them in the parking lot.  According to Schmidt, the first step is to acknowledge that humans are a weak link in the cybersecurity chain.  Check.  However, humans won't be leaving the cybersecurity chain anytime soon…

At least until Skynet goes online.  That would solve our cybersecurity problems.

Flickr Commons

Moreover, Schmidt finds it frustrating that there is a general awareness of the human weakness in cybersecurity, but no motivation to make the necessary changes.  This gets into a general theme of organizational compliance versus organizational security.  An organization that is compliant with general cybersecurity regulations is not necessarily an organization that is secure.  To be secure, Schmidt suggests focusing on the people working within the agency or company, and offers solutions including behavioral research and procedural audits.

The source article can be found here.

***

For me, Schmidt's best advice is to simply know your people.  If criminals and foreign governments are spending considerable time conducting social engineering, then agencies and companies should spend considerable time understanding their employees.  I think the ongoing trial of Bradley Manning is a great example of this.  Although Manning wasn't the target of any social engineering, he apparently displayed some behavior that should have raised red flags.  Granted, hindsight is 20/20.  However, if the US Army had picked up on that behavior, Manning may never have had the chance to leak those files to Wikileaks.

***

Have an interesting article, or are just a Terminator sent from the future?  Tweet to @cyberlawblog
