The Human Firewall: Rethinking Security Awareness and Training

Updated: May 5

Cybersecurity awareness has become a significant concern for organizations worldwide as cyber-attacks continue to increase in frequency and sophistication. In a recent LinkedIn post, we shared a link to a video by Walmart CISO Ira Winkler, author of 'Security Awareness for Dummies' and 'You Can Stop Stupid', in which he offers a fresh perspective on cybersecurity awareness and training. In this blog post, we explore Winkler's insights and discuss how organizations can shift their approach to cybersecurity to better protect their systems and users.

"Building a safer cyber world: just as cars need car rails, so does your data."

Redefining Security Awareness

Winkler emphasizes that security awareness should focus on stopping user-initiated loss, which means minimizing the potential for human error rather than attempting to eliminate human stupidity. As he puts it, if the end-user is considered our last line of defense, the cybersecurity industry has failed.

The Human Firewall Myth

The concept of a human firewall suggests that users should be responsible for preventing cyber-attacks. However, Winkler argues that relying on humans as the last line of defense is a flawed approach. Instead of expecting users to spot hackers, the focus should be on teaching them how to do things correctly, such as reporting an incident.

Taking Lessons from Safety Science

Winkler recommends that the cybersecurity industry should learn from safety science, which has been reducing losses from system failures for decades. Safety science does not rely solely on humans; instead, it emphasizes creating an environment that minimizes harm.

Creating a Safer Environment

To create a safer environment in the context of cybersecurity, Winkler suggests several strategies:

1. Prevent users from being in a position of loss.

2. Remove certain decisions from users altogether, for example by automatically expiring externally shared documents after a set time.

3. Create a culture where people willingly use tools like password managers to share username and password information securely.

Rethinking Governance, Procedures, and Guidelines

Winkler argues that governance should go beyond merely having policies that are only reviewed when auditors come knocking. Instead, organizations should establish procedures and guidelines that provide users with step-by-step instructions on how to do things right.
Ira Winkler's thought-provoking talk on cybersecurity awareness and training challenges the status quo in the industry. By shifting the focus from eliminating human stupidity to minimizing user-initiated loss, organizations can create a safer environment that reduces the likelihood of cyber-attacks. Learning from safety science, rethinking governance, and implementing practical procedures and guidelines will help organizations achieve a more effective and secure approach to cybersecurity.

Key Takeaways:

  1. Shift the focus of security awareness:

    a. From eliminating human stupidity to minimizing user-initiated loss.

    b. Strategy examples that focus on minimizing user-initiated loss:

      i. Optimize email security controls (spam filters, DNS records, ...).

      ii. Manage login credentials effectively with a password manager.

      iii. Apply least privilege to administrators and restrict unapproved software.

      iv. …

    c. Validate user harm potential in your environment by asking these questions:

      i. Do you restrict access to sensitive information and data only to those who need it?

      ii. Are the files on your laptop hard drives secure, even if your laptop gets lost or stolen?

      iii. Have you separated your computer network into smaller, more secure parts to prevent hackers from moving from one part to another?

      iv. Do you regularly train employees on how to recognize and avoid phishing scams?

      v. Do you have a plan in place to quickly respond to and fix security problems?

      vi. Are you using technology to block malicious emails and websites?

      vii. Are you monitoring computer usage to spot unusual behavior and possible security problems?

      viii. Are you blocking access to dangerous websites to prevent malware from being downloaded?

      ix. Are you restricting access to the network to only those who need it?

      x. Are you using software to monitor security events and alert you to potential problems?

  2. Debunk the human firewall myth:

    a. Relying on users as the last line of defense is a flawed approach.

    b. Teach users how to do things correctly, like reporting incidents, instead of expecting them to spot hackers.

  3. Learn from safety science:

    a. Emphasize creating an environment that minimizes harm, rather than relying solely on humans.

    b. Strategies for creating a safer environment:

      i. Prevent users from being in a position of loss.

      ii. Remove certain decision-making abilities, such as automatically expiring externally shared documents.

      iii. Encourage the use of tools like password managers for secure sharing of username and password information.

  4. Rethink governance, procedures, and guidelines:

    a. Go beyond having policies that are only reviewed during audits.

    b. Establish step-by-step instructions for users on how to do things right.

By implementing these takeaways, organizations can adopt a more effective and secure approach to cybersecurity, as suggested by Ira Winkler's thought-provoking talk.

Written by Davide Guglielmi