The PivotNine Blog

The Human Point Of Cyber Security

06 April 2017
Justin Warren

Who knows your employees better: Google, Facebook, the NSA, or you?

That's the view of Matthew Moynahan, CEO of Forcepoint, who spoke to me recently about the company's human-centric approach to security, which they've code-named The Human Point.

Twee marketing buzzphrases aside, Moynahan's point is well made: while security vulnerabilities in IT systems themselves certainly exist, they're put there by the humans writing the code. The vulnerabilities are a problem largely because other humans seek to exploit them to nefarious ends. And your human employees are a vital link in being able to exploit these vulnerabilities. Clicking on a link in an email that starts the exploitation process (known as phishing in the colorful InfoSec jargon) requires a human being to take action.

And so it makes a certain sense to keep an eye on people to see if they are inadvertently—or deliberately—creating security risks for your organisation. Companies such as Splunk have added behavioural monitoring to their offerings, since they already collect so much information on what's happening inside organisations.

But there's also a creepy angle to this concept of “knowing your employees”. The reason Google and Facebook know so much about you is that they track your every move while you browse for shoes, share your personal photos and chitchat with friends and family. They do this so they can show you ads, and yet for all their alleged abilities at machine learning and AI, they still seem to think that I need another five sofas to go with the one I just bought.

That's amusing, but imagine this kind of false-positive inside your organisation. The computer says people like you are most prone to clicking on phishing links, so we won't hire you or put you in charge of that sensitive project. You fell for a phish once, so clearly you'll do it again the next eight times (despite plenty of evidence [PDF] that employees can be trained not to click on nefarious links).

There are also different attitudes to privacy throughout the world, and not everywhere do people agree that watching your employee's every move is an acceptable way to run a business. The US-EU Safe Harbour Framework highlights the challenge.

Yet companies do need to protect themselves from employees who “go rogue”. It could be a sysadmin who trashes the network using credentials they are entitled to have. It could be employees who pilfer trade secrets and take them to competitors, as Google is alleging in its lawsuit against Uber.

Technical tools like Data Leakage Prevention software can help to detect when someone is clearly breaking the rules and either mistakenly emailing credit card data out of the organisation, or trying to make off with intellectual property they're not entitled to. Alas, these systems aren't foolproof. It's even harder to tell if a usually trustworthy employee suddenly decides to abscond with internal data or break things.

I worry that a heavy-handed, tool-centric approach to managing these issues could result in organisations building an omnipresent Panopticon that treats every employee as a potential threat first and foremost. Remember that the people in charge of these systems are also human and prone to moral weakness. Quis custodiet custodes?

Forcepoint is sensitive to this challenge. “Most people want to do good,” says Moynahan. “Sometimes they accidentally do the wrong thing. How do you help that individual from making that mistake?”

Helping prevent problems, and getting out of the way the rest of the time when people just want to do their job, is the big challenge for modern security efforts. The range of security threats is large, and the sophistication of attackers is increasing rapidly.

Human behaviour, which changes slowly—if at all—may well be the key to creating a highly secure environment, even if perfection remains an impossible goal.

You can listen to the full conversation with Matthew Moynahan on Episode 23 of my podcast The Eigencast here.

This article first appeared in Forbes.com here.