To err is "human", but the consequences are not divine!
As the world keeps adjusting to a new normal because of the pandemic, enterprises across the world have also accelerated their transformation to the new digital normal. Cloud adoption has started to increase exponentially because of what Covid-19 has taught us: how an unseen enemy can bring humanity to its knees. Amidst the tsunami of digitization and cloud adoption, with the pandemic on a rampage ravaging the health of millions and the world economy, it still comes down to human decision making, which makes or breaks the outcome. That human decision is affected by a myriad of parameters, viz. data, projections, rationale, reasoning, emotions, empathy, etc. These decisions can be lifesaving or utterly destructive, and we have seen both in recent times.
The necessity of using data, facts and scientific analysis and conclusions to aid decisions is well known and well accepted, but many leaders lack the ability to do so and steer their teams on whims and fancies instead!
The human element is key and is at the center of all this chaos! Similarly, the root cause of cybersecurity issues in the world is the human element!
Disgruntled employees, malicious actors, script kiddies, hacktivists, state-sponsored attackers, successful social engineering attacks, weak software with vulnerabilities: these are all connected to the human element, to human emotions, to human weaknesses. It is extremely important to recognize this, internalize this and institutionalize security programs that address this. Most security awareness trainings are just check-the-box trainings for most employees. Making these trainings interactive, challenging and desirable has been the goal for a while now, and there are some very good trainings out there today. You could employ various security defense strategies, viz. Defense in Depth, the Zero Trust model, micro-network segmentation, excellent perimeter security, endpoint detection and prevention systems and even AI / ML assisted systems and honeypots, but if just one of your employees falls prey to a phishing attack or a social engineering attack, becomes a malicious insider, or even commits a heinous crime like not changing the default admin password, you are done for!!
The weakest link in the chain is the human link! As much as companies spend on technology, they also need to spend on people and processes. The triad of People, Process and Technology is great but not enough. There needs to be a 4th side to that pyramid: "Awareness".
People - (the doers) should know what to do
Process - how to do it (the methodology)
Technology - what tool to do it with
and last but not least,
Awareness - what NOT to do and how NOT to do it!!
It is just APPT (Awareness, People, Process, Technology)!!
Securing the human element is a bigger challenge than you can imagine! A purely rational approach is not going to cut it. It needs a combination of excellent technical controls and processes blended with good, employee-friendly efforts. When each of your employees considers themselves a stakeholder in the company and, by extension, a stakeholder in the security of the company, you will be better off than most companies. This approach should help you keep employees from becoming potential malicious insiders, but then how are you going to handle the careless or the unaware employee? For example, leaving the password on a POST-IT note under the keyboard, or the naivety of clicking on a phishing link to receive a million dollars from a Nigerian prince!
Probably micro-segmentation and endpoint security might come to the rescue there. If you have AI and ML engine-based agents running on the endpoints, they might help fortify them further by learning the usage patterns of the individual and the system, so that deviations stand out. This might still not eliminate potential issues arising from a careless end user, but it might help stem a potential outbreak; it will not stop a premeditated, well-thought-out Advanced Persistent Attack.
It's been said a million times before: there is no 100% security! In cybersecurity -
To err is "human", but the consequences are not divine!
Regional IT Manager - IT Infrastructure and AV Services - APAC at Amazon
Well said Shrreejith!