The Human Point Of Cyber Security


Who knows your employees better: Google, Facebook, the NSA, or you?

That’s the view of Matthew Moynahan, CEO of Forcepoint, who spoke to me recently about the company’s human-centric approach to security, which they’ve code-named The Human Point.

Twee marketing buzzphrases aside, Moynahan’s point is well made: while security vulnerabilities in IT systems themselves certainly exist, they’re put there by the humans writing the code. The vulnerabilities are a problem largely because other humans seek to exploit them to nefarious ends. And your human employees are a vital link in the chain that lets those vulnerabilities be exploited. Clicking a link in an email that starts the exploitation process (phishing, in the colorful InfoSec jargon) requires a human being to act.

And so it makes a certain sense to keep an eye on people to see if they are inadvertently—or deliberately—creating security risks for your organisation. Companies such as Splunk have added behavioural monitoring to their offerings, since they already collect so much information about what’s happening inside organisations.

But there’s also a creepy angle to this concept of “knowing your employees”. The reason Google and Facebook know so much about you is that they track your every move while you browse for shoes, share your personal photos and chitchat with friends and family. They do this so they can show you ads, and yet for all their alleged abilities at machine learning and AI, they still seem to think that I need another five sofas to go with the one I just bought.

That’s amusing, but imagine this kind of false-positive inside your organisation. The computer says people like you are most prone to clicking on phishing links, so we won’t hire you or put you in charge of that sensitive project. You fell for a phish once, so clearly you’ll do it again the next eight times (despite plenty of evidence [PDF] that employees can be trained not to click on nefarious links).

There are also different attitudes to privacy throughout the world, and not everywhere do people agree that watching your employees’ every move is an acceptable way to run a business. The invalidation of the US-EU Safe Harbour framework highlights the challenge.

Yet companies do need to protect themselves from employees who “go rogue”. It could be a sysadmin who trashes the network using credentials they are entitled to have. It could be employees who pilfer trade secrets and take them to competitors, as Google’s self-driving unit Waymo alleges in its lawsuit against Uber.