Harvard Business Review recently published a very insightful piece, which I highly recommend you read in its entirety, called “Cybersecurity’s Human Factor: Lessons from the Pentagon”.
For those of you who just want the highlights, here is a quick synopsis of what I found to be the most fascinating aspects of the article.
From Bumbling Colossus to Nimble Defender
In the not-so-long-ago dark days of network security, the US military struggled to identify and defend against threats. All that has changed: from September 2014 to June 2015 the military rebuffed 30 million malicious attacks! Still, a few got through, but only 0.1% compromised systems in any way. That is an impressive record given the state-sponsored adversaries the military must repel day in and day out.
While technical fortifications are important, what has really set the military on its trajectory toward invulnerability has been its focus on eliminating human error. If you have read this blog for any length of time, you know that we consistently emphasize not only the best technology but also the best processes, for this very reason.
Learning from the Admiral Himself
The US Navy Nuclear program has long been the quintessential example of a well-run, mistake-free organization, what is nowadays referred to as an HRO, or High Reliability Organization. The fundamental principles of the Navy Nuke program have since been transferred to other industries such as airlines, air traffic control and space flight. Admiral Hyman Rickover, the “Father of the Nuclear Navy”, demanded excellence and adherence to process, and for the span of his career he personally interviewed every applying Officer Candidate.
Six Principles Every Organization Should Adopt to Ensure Security
1. Integrity – Never depart from protocols, and report errors immediately
2. Depth of Knowledge – Fully understand the systems you are responsible for and their vulnerabilities
3. Procedural Compliance – Follow protocols to the letter
4. Forceful Backup – All critical activities should be closely monitored by a second person
5. A Questioning Attitude – While unquestioning compliance with procedure is necessary, questioning things that appear outside of the norm is equally important
6. Formality in Communication – Familiarity and slang lead to miscommunication; formality in communication eliminates these misunderstandings
Examples of Cyber Security Failures and the Policies that Were Violated
What the authors have found is that cybersecurity breaches caused by human mistakes nearly always involve the violation of one or more of these six principles. As you read the examples below, you will undoubtedly recognize some of the same behaviors in your own organization, or at least easily imagine that they might very well be happening without your knowledge.
Here is a sample of the failures the Defense Department uncovered during routine testing exercises:
- A polite headquarters staff officer held the door for another officer, who was really an intruder carrying a fake identification card. Once inside, the intruder could have installed malware on the organization’s network. Principles violated: procedural compliance and a questioning attitude.
- A system administrator, surfing the web from his elevated account, which had fewer automatic restrictions, downloaded a popular video clip that was “viral” in more ways than one. Principles violated: integrity and procedural compliance.
- A staff officer clicked on a link in an e-mail promising discounts for online purchases, which was actually an attempt by the testers to plant a phishing back door on her workstation. Principles violated: a questioning attitude, depth of knowledge, and procedural compliance.
- A new network administrator installed an update without reading the implementation guide and with no supervision. As a result, previous security upgrades were “unpatched.” Principles violated: depth of knowledge, procedural compliance, and forceful backup.
- A network help desk reset a connection in an office without investigating why the connection had been deactivated in the first place—even though the reason might have been an automated shutdown to prevent the connection of an unauthorized computer or user. Principles violated: procedural compliance and a questioning attitude.
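The last example is the one most easily turned into a mechanical control: a reset request should not be honored until the reason for the shutdown is known, and a security-triggered shutdown should need a second, distinct approver before the port comes back up. The gate below is an added example written for this post; it is not code from the HBR article or from Konsultek, and the switch/NAC log format, port names, reason codes and ticket identifiers in it are all constructed for illustration.

```python
"""
Gate for help-desk "reset the connection" requests (constructed example).

Before a port is re-enabled, the gate looks up WHY it was deactivated and
applies two of the six principles mechanically:
  - questioning attitude: no recorded reason, or a security-triggered reason,
    blocks a bare reset until someone has investigated;
  - forceful backup: a reset after a security-triggered shutdown needs a
    ticket reference and a second approver who is not the requester.
The log format, port names, reason codes and ticket ids are all made up.
"""
from dataclasses import dataclass
from typing import Optional

# Reason codes meaning "the network deliberately cut this connection"
# (hypothetical codes, not from any real NAC product).
SECURITY_REASONS = {
    "NAC_UNKNOWN_DEVICE",   # an unregistered computer tried to connect
    "NAC_AUTH_FAILURE",     # user failed 802.1X authentication
    "IDS_QUARANTINE",       # a sensor flagged the host
}

# Operational reasons that one technician may clear on their own.
BENIGN_REASONS = {"SCHEDULED_MAINTENANCE", "LINK_FLAP", "CABLE_MOVE"}

# Constructed port-shutdown log, in a key=value style a switch or NAC
# system might emit; the timestamps and ports are invented.
SHUTDOWN_LOG = """\
2015-03-02T08:14:07Z port=sw3/0/12 action=shutdown reason=NAC_UNKNOWN_DEVICE
2015-03-02T09:30:00Z port=sw3/0/15 action=shutdown reason=SCHEDULED_MAINTENANCE
2015-03-02T10:02:41Z port=sw3/0/15 action=enable reason=SCHEDULED_MAINTENANCE
2015-03-02T11:45:19Z port=sw3/0/20 action=shutdown reason=LINK_FLAP
"""


def parse_shutdown_log(text: str) -> dict:
    """Return the latest recorded state per port: {port: (action, reason)}."""
    state = {}
    for line in text.splitlines():
        # Drop the leading timestamp, then split the key=value fields.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        state[fields["port"]] = (fields["action"], fields["reason"])
    return state


@dataclass
class ResetRequest:
    port: str
    requester: str
    approver: Optional[str] = None  # second reviewer (forceful backup)
    ticket: Optional[str] = None    # investigation record, if any


def decide_reset(req: ResetRequest, state: dict) -> str:
    """Return 'ALLOW' or 'DENY: <why>' for a request to re-enable a port."""
    if req.port not in state:
        return "DENY: no recorded shutdown for this port; investigate before resetting"
    action, reason = state[req.port]
    if action == "enable":
        return "DENY: port is already enabled; the fault lies elsewhere, investigate"
    if reason in BENIGN_REASONS:
        return "ALLOW"
    if reason in SECURITY_REASONS:
        if not req.ticket:
            return f"DENY: {reason} shutdown needs an investigation ticket first"
        if not req.approver or req.approver == req.requester:
            return f"DENY: {reason} reset needs a second, distinct approver"
        return "ALLOW"
    return f"DENY: unrecognised reason code {reason}; escalate"


if __name__ == "__main__":
    current = parse_shutdown_log(SHUTDOWN_LOG)
    print(decide_reset(ResetRequest("sw3/0/20", "helpdesk1"), current))
    print(decide_reset(ResetRequest("sw3/0/12", "helpdesk1"), current))
    print(decide_reset(ResetRequest("sw3/0/12", "helpdesk1",
                                    approver="secops2", ticket="INC-0001"), current))
```

The point of the design is that the default answer for anything the log cannot explain is a denial: a port with no shutdown record, or one that is already up, is treated as a sign that the help desk is looking at the wrong problem rather than as a reason to reset. Only the benign reason codes let a single technician act alone; everything the network cut on purpose requires both a ticket and a second pair of eyes.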
A Holistic Approach
At Konsultek we don’t just slap in “black boxes” and hope that security happens. Sure, we build custom technical solutions that utilize the best technology available, but we also work outside the IT department to make sure that the business processes are in place to limit the impact of human error on the security of your information and network. If you are looking to upgrade your security, give us a call and begin a dialogue with us.