I’ll bet you just thought about some tech-savvy guys in a room, working away on computers. You might have thought about the networks that comprise your agency or the code that powers them (you know, Matrix-style). I bet you did not think about a random employee, with barely any technical skills, sitting at her desk. But you should.
That’s what Karen Randal Curran, insider threat analyst from the Federal Bureau of Investigation, explained at our Cyber Playbook event. While the technical aspects of cybersecurity are important, people are just as crucial.
Fighting with Both Hands
Curran likened using only technical skills in cybersecurity to fighting with one hand tied behind your back.
Think about a cyberattack. Somewhere, a person attempts to hack into your agency’s confidential information. If you deploy a technical fix, you can probably stop—maybe even reverse—the hack. So you’ve given the cyberattack a stiff right hook, temporarily knocking them to the ground. Way to go.
But you aren’t really solving the problem. The hacker is still out there with a willingness and know-how to attack your system again. He can get back up, and keep fighting.
In order to really get rid of the threat, you have to target the person as well as his actions. In fighting terms, you need to use both of your hands–the people tools and the technical tools–to push the a cyberthreat completely out of the ring.
The Three People Factors
To prevent attacks requires delving into the reasons and capabilities that allow cyberattacks to occur. These reside in people. Curran broke down the people factors to consider:
1. Cyber. This factor is most commonly associated with traditional cybersecurity. The technical capabilities of a person will direct the way they attack a network. This isn’t to say that a person with minimal IT skills is less of a threat, however. It only means that they are likely to pursue a less technical route to achieve their goal of breaching your security.
2. Psychosocial. Curran said cybersecurity teams most often overlook this dimension. Yet an analysis of the way a person thinsk and behaves can provide key indicators to how they might compromise security. Consider questions such as, “How does this person respond to or express stress?” and “What are his coping mechanisms?” to gage the threat potential of an individual.
3. Contextual. The situation of a person will heavily influence both their desire and ability to breach your agency’s security. For instance, an employee with access to confidential files will have significant capacity to expose your information. However, their situation of employment should mitigate their desire to do so.
Different people will attack your agency differently. “There is no one reason people decide to do something bad and, in the same way, there is no one way that they will do it,” said Curran. By considering each of the factors above, you may be able to predict the way an individual will attempt to compromise the security of your agency.
Of course, you can’t ignore technology. IT safeguards and counter measures remain a critical piece of the cybersecurity puzzle. However, technical solutions should be deployed in a way that is cognizant of the people initiating cyberattacks.
Insider Threats Highlight the Human Dimension
Curran’s message is neatly highlighted by recent events like the Edward Snowden leaks. In fact, she said that the one benefit from recent insider threats is the spotlight they have put back on the human dimension of cybersecurity.
Insider threats are a totally different beast from external hackers, principally because of the people involved. Insiders already have access to files, so typical cybersecurity measures like firewalls and perimeter scans won’t deter them. Insiders are also more likely to go unnoticed when they do comprise security because, by virtue of their employment, they have been entrusted with maintaining confidentiality. And because they already have exposure to your internal security measures, they are more likely to exploit your weaknesses to achieve a breach.
To effectively target and counter these threats requires understanding the cyber capabilities, mindset, and context of an insider. As Curran said, “Sometimes we trust the threat… and the tools you use against people you trust are very different from those you use against someone you don’t trust.”
In other words, you can use technology to combat cyberattacks. However, the technology and tactics you use should be fully informed by an understanding of the people behind those attacks.
For more recaps of GovLoop’s recent cybersecurity training, head here.