October 1 marked the start of National Cybersecurity Awareness Month. While the designation is a clever way to highlight the need for greater vigilance in how we use technology, it’s nonetheless ill-advised. Cybersecurity shouldn’t be treated as a flavor of the month. We need to focus on it every day, for a simple reason: humans pose the biggest cybersecurity threat of all.
Today’s cyberthreat environment is menacing, and it’s clear that we always need to be in a state of “high alert.” Hackers show no signs of retreat — and are becoming more aggressive and sophisticated. Earlier this year, hackers circulated a tranche of unique usernames and passwords numbering in the billions.
It’s tempting to believe that by developing more robust technology, we’ll be able to put the cyber thieves out of business. If only that were true. While security technology is much better than it was even just a few years ago, it nonetheless contains one major liability: it’s often only as good as the humans who use it.
Consider the disclosure in late July of a breach at Capital One, which affected about 100 million individuals in the United States. According to a Justice Department filing, a Seattle hacker, breached Capital One through a misconfigured firewall caused by human error. The hacker was able to exploit that misconfiguration.
In August, Facebook reported that it left a database containing 419 million records unprotected, without a password. As we examine the major breaches over the last several years — Target, Home Depot, Sony, Equifax — their initial point of vulnerability was access stemming from weak authentication; in other words, passwords that could be hacked.
These events, and others like them, are a reminder that while we can reduce and manage the number of cyber incidents, it’s unlikely we’re ever going to eliminate them. Hackers ultimately prey on the greatest vulnerability: human behavior.
That’s the backdrop to what the head of information security at a global infrastructure company recently told me. He said his top priority is not acquiring the most advanced cybersecurity technology. Instead, it is educating his workforce. He recognizes that employees are the most vulnerable access point for a breach — and also works with his human resources department to incorporate cybersecurity education into employee on-boarding.
That’s a smart strategy. Companies need to focus on human behavior and make it the foundation for a reliable, powerful culture of security. Doing so will lead to an increased return on investment in technology by developing an educated and informed workforce.
Companies also need to recognize that a key component of security is resilience — and resilience does not mean rebuilding what you had, but learning from experiences so that you build into the future. Natural disasters provide a useful point of comparison. While the United States often rebuilds to the same specs as pre-disaster, the Dutch rebuild to withstand an event greater than the one that wreaked havoc in the first place. A similar approach should be taken for cyber events. Our public and private technology infrastructure — the digital highways of commerce — should be developed to withstand anticipated future threats and events, based on what you have learned from your breach.
Similarly, companies should measure cybersecurity success not just by the attacks they block. They should follow the lead set by a global financial company, where the head of information security recently told me that her main metric is not what her company prevents, but how effectively the company responds after a breach has occurred. Similar to the impact of natural disasters, the effects of a breach can play out over days, weeks, months, and years. Therefore, the effectiveness of a company’s response can be the difference between a demonstration of failure and a demonstration of preparedness, resilience,and success.
The good news is that companies have a growing awareness of the importance of their cybersecurity. But there is a still a long way to go and a clear need to invest more in cybersecurity training, education, and awareness of employees. Companies need to ensure that everyone understands how one simple human mistake can put the entire company at risk. Creating a culture of security should be a top corporate priority because cybersecurity is critical to the mission of every company.
Human behavior is the foundation for security. That message needs to be delivered — and acted on — not just this month, but every month.
Kiersten E. Todt is the managing director of The Cyber Readiness Institute and the former executive director of President Obama’s independent, bipartisan Commission on Enhancing National Cybersecurity. She has served in senior positions in the private sector and in the White House and U.S. Senate.