Stay Informed with the Gone Phishing Podcast | Phin

Humans Desire for Convenience Over Cyber Security | EP 025

Written by phin | Jan 17, 2024 7:08:52 PM


Transcript:

Connor Swalm:

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey, everyone. Welcome back. It is Connor, CEO at Phin and host of the Gone Phishing podcast.

And let's face it, we've all heard it before, especially with things like two-factor authentication, that, hey, this is inconvenient. It takes longer for me to log in. I don't care if people have my information. I have nothing to hide, and I'm not going to lose my account. I make my passwords incredibly strong, so I don't need to go through all this rigmarole and crap in order to secure, quote unquote secure, my accounts. This is a tale that I have heard since beginning a career in the cybersecurity space, and I have a feeling it's a tale I'm going to keep hearing in the cybersecurity space so long as humans are involved in it, which, that's going to be forever. So I think I'm going to keep hearing it forever. So today, if you didn't get the hint from all that, we're going to talk about this mindset of security getting in the way of convenience.

Now, a lot of people are correct. Security, doing proper security, is inconvenient in some ways. But being convenient is not the only thing everyone should be worried about. So a thing that I like to tell all the security practitioners that I talk to, and even myself, is if we make the right thing the easy button, that is, if we make security more convenient, we're just going to get more of the behavior we would like to see. So there's this consistent battle of, if we make things too easy, too convenient, it's no longer secure. But if we make them too secure, like if we go beyond two-factor authentication and have, I don't know, nine-factor authentication, I don't know if that exists in the real world, but let's just think about it for a second.

Of course that's not going to get implemented, right? What are people going to have, eight cell phones to text, get eight separate texts, and then they're going to put their thumbprint on their computer and end up logging into an account? No, that is absolute garbage. That's way too inconvenient. So clearly there should be some kind of give and take here.

So first, let's talk about some of the misconceptions. There's a statement a lot of people make: I have nothing to hide, or, said another way, I have nothing of value that anyone would like to steal, or I have nothing that is worth anything, along those lines. If you've heard an owner of a small business, or a manager in a larger business, say, hey, we're not the most valuable people here, we're not finance, so nobody's going to be trying to steal stuff from us. That is, in my mind, a mindset that detracts from actual security. Because the reality is today that it's not that everyone's a target, it's just that we live in such an interconnected world where technology is so integrated into the way that every employee, regardless of their technical prowess, exists and functions today. It's so integrated that everyone is capable of being a target. It's not that they're targeted, it's just that everyone is capable of being targeted. So a statement that I've started to repeat after hearing it from a lot of these industry professionals, like Wes Spencer and others, is a "breach is not an if, it is a when" mentality.

Currently, today, there's this concept called the defender's dilemma, where a hacker has to be right exactly once and a defender has to be right all the time, forever. That's just, if we're looking at the numbers there, and how many times a defender is going to have to be right, i.e. us security folk, versus how many times a malicious actor needs to be right, it's just an impossible game that we're always going to lose at some point, statistically, as a result of the infinite game of sorts; it's just going to go on forever. So as we're transitioning into teaching people about this mindset as practitioners, that comes with going up against this "I've got nothing to hide, I'm definitely not a target" mentality. So that's kind of like the first mental blocker I see to getting past "things need to be convenient more than they need to be secure."

Now, a lot of security is designed without convenience in mind, and frankly, I think that in itself is not correct. A statement that I make to all of my team members, and that I make to everyone that I meet, is you get the exact behavior that you incentivize, and people are incentivized to do things that are more convenient, right, if it's less of an obstacle for them to turn off two-factor authentication and not have to deal with it. Whereas if two-factor authentication was integrated in such a seamless way that it was no additional inconvenience, you're going to get that. You're going to get way more of that behavior.

And so I think one thing that's missing from a lot of security tools and vendors and practitioners in the space, who are building not only the security frameworks, but building policies and then building the tools that will end up being used to fulfill the points and the controls in certain policies, I think one thing they need to keep in mind is, have we made this as convenient as possible for the end users? I always go back to a story. I studied math in college.

I love it. I still talk about math. I still think about math to this day. But when I would talk to anyone that wasn't a practitioner, that didn't care about it in the same way that I do, the conversation was over. It didn't fundamentally connect with anything that they cared about. And that's okay. I was super excited about it. Nobody else was. And I see the same thing happening in security, and as a result, I see the same thing happening in the way that a lot of security tools are implemented or designed, and then, as a result, created. There is not enough of a focus for security tools on convenience of the end user. And I always make this statement, too: people just want to show up to their job, do good work, and be safe while doing it.

Anything that gets in the way of that is inconvenient. Anything that gets in the way of that is going to lead to behaviors you do not want to encourage, such as turning off 2FA, such as sharing passwords, such as not using a password manager and just using the same one over and over again that they've been generating since they were nine years old, because they can remember it, and they just change one letter at the end of the password. You're going to get a lot more of those behaviors if you don't first think, how can we make this convenient for the people who need to have their behaviors changed?

So how can we get the average employee, who needs to be secure but isn't necessarily a security practitioner, how can we get them more interested in these things? I think first, like I had already said, it starts with a mindset on the vendor side, on the tool side, of how can we make this more convenient? But then I'll go to the more human side: a lot of employees, a lot of people who show up to their job, will march to the orders and march to the beat of whatever drum their management, their leadership, or their organization is beating at the time. And the quickest way to erode somebody's belief that they need to act a certain way, the quickest way to erode good behaviors, is to no longer encourage them. And so this is a roundabout way of saying what I see missing in a lot of organizations is an increased importance on actual security. I see that changing, though. So it's not all bad news, right?

I see a lot of companies at this point making a real serious effort to actually create real security policies and a real security program that fits their organization and helps them be more secure. So it's not all bad news, but the quickest way to not only erode, but also the quickest way to encourage good behavior, is to have the leadership encourage it. So if you encourage bad behavior, you're going to get that. If you encourage great behavior, you're going to get that. And one thing we say before we start working with any organization is, here's the set of communications that you need to send out to stakeholders at the client, and then here's a set of communications that those stakeholders need to send to their employees.

Both of those are very important. We're not only soliciting the buy-in from the stakeholders on, hey, this is why we're doing these things, because we are introducing a little bit of inconvenience in doing training and understanding what's going on and looking at social engineering and knowing if a communication is a valid communication or not, if it's somebody pretending to be another employee at the organization. We're introducing inconvenience. And as a result, what we need is more buy-in on, hey, this tiny bit of inconvenience is actually going to create such great security and incentivize such great behaviors that we really need you to buy in, and we need you to tell everyone else that works for you that they need to buy in as well.

And when we see our partners do that properly, we see an incredible uptick in the amount of people that end up doing their training on time and the amount of people that end up exhibiting proper behaviors. So having everyone from the top of the organization to the bottom of the organization buy into, hey, we need to start encouraging behaviors, even if it's a little more inconvenient, is incredibly important. So all that being said, why is it important for anyone to understand this? Why is it important for anyone to help take intentional steps towards getting people who aren't really interested in cybersecurity to actually buy into cybersecurity in the first place? Well, I'll start this with kind of like an analogy.

So long as an organization somewhere in the world can spend a single dollar and steal ten, versus spend a single dollar and make two via some ethical, moral, whatever you want to say, like creating a goods and services method, so long as they're going to make ten by stealing and two by having a business, they're going to keep stealing. It's that simple. It is just a number. It is just a, if we spend x dollars, we'll get way more if we do this. So a lot of these organizations are incentivized to continue stealing from businesses because of how profitable it is for them to do so.

So getting everyone, not just the practitioners, not just the security industry, to buy into cybersecurity as not only a concept, but also as a school of thought, and as a set of activities and behaviors; everyone has their place in security, because everyone has a place in an organization. Getting everyone to buy in is the first step towards flipping that script. Because if we make it harder as an industry to actually steal capital and to steal resources, then there will be fewer organizations set up to actually steal. So that's the first thing. The second thing is that with the cost, insurance is a great way of transferring risk to an insurance company. You can remove risk by getting rid of risk.

But then the third way that you can handle risk is you can actually just retain the risk. So by hiring humans who are capable of making mistakes, who are capable of doing things incorrectly, who are also capable of doing incredible, creative, incredibly creative things that you probably couldn't have dreamed of when you first hired them, or to do the work that you've prescribed them, you are retaining some amount of risk that, yes, that person is an insider. There's a reason insider threats are a thing. It's because people do weird things sometimes.

And so if you can actually encourage those people, at which you've retained some of that risk, if you can convince them to change their behavior, this is the whole concept of human vulnerability management here, if you can convince them to change their behavior, then you've shrunk the amount of retained risk that you have as an organization, because now you've removed some, right? If somebody who was a stickler on, I don't care, I'm not going to enable two-factor authentication. This is a pedantic example, but it drives the point home here.

Then when you're actually able to change their mindset, and, you know what? I see the value. I see how it's not too much of an inconvenience. I'm actually going to enable this for all my accounts, and I'm going to implement this properly. And then they do that. You have just removed a lot of retained risk that you had, because that employee demonstrated certain behaviors that, you know, are capable of inducing and creating risk. And so it is incredibly important for MSPs, for cybersecurity practitioners, to drive this point home to business owners, to stakeholders, to the people at the organizations, to the least technical individual at a company.

So everyone has their place, because everyone has a certain set of behaviors that create weird, unique risks to an organization. And just by the act of hiring those people and working with them, an organization has retained a certain amount of that risk, and it is our job to mitigate that as much as possible. Because then, I'll tie this back to the very beginning. When we shrink that retained risk, we're essentially shrinking the return on investment a malicious actor is going to get if they spend a dollar trying to steal money, and if we can do that well enough, then we'll just get more businesses who are actually stood up to provide goods and services in a mutually beneficial way, and we'll get fewer businesses that are stood up to steal money, because now it is less profitable to do so. It's just a numbers game. At some level, people are here to make money, whether that's by stealing and doing it via what we would consider immoral ways, or whether that's by providing a good service through, like, a medium of exchange.

So that is why those are some of the common misconceptions that I see. Those are some of the flaws in some of the logic I see. And also, it's not just the people who know nothing about cybersecurity and just want to show up. I also see a lot of, not backwards, but counterproductive is how I'll phrase that, counterproductive thoughts from security practitioners and MSPs. And security folk, at the end of the day, we're all on the defender side together. We all have to be right all the time. And so we should be trying to help lift each other up as much as possible, helping people understand where they can get better, and also encouraging all that good behavior at all times.

So if you have any thoughts, please reach out to me. This is a concept that I am incredibly invested in. Once again, I am Connor, CEO at Phin and the host of the Gone Phishing podcast, and I will see you next time.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out, Phin Security, at phinsec.io. That's P-H-I-N-S-E-C dot IO. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.