Designing the future: Don’t fight human behaviour, embrace it!

Doing business today means doing so digitally. Although this brings us lots of advantages, it also introduces a wide range of threats. Malware, viruses, data leakage, denial-of-service attacks and more are all dangerous threats that businesses must defend against. Because of the critical importance of security, you might imagine that it would be sensible to take a conservative approach to new and emerging technology. But this thinking might also put your business at risk.

By continuing to use outdated technology, you expose your business to risk: its vulnerabilities are well known and, quite often, vendor support is no longer available.

I spend time thinking carefully about how organisations big and small can protect themselves from cyber-threats, and I test the security of both their business software systems and their supporting infrastructure. The human factors associated with these are every bit as important as the technology. I believe there is one thing you can do to protect your business that is more important than any other: wholeheartedly embrace new technology and digital transformation.

Allow me to explain.

The weakest link

Modern IT systems with their high-grade encryption and firewalls are, on paper, fully secure if we trust what the vendors tell us. But what this doesn’t account for is potentially the weakest link of all: people.

The problem - if you can call it that - is that people are smart, determined and innovative.

For example, insisting that employees use long, complicated passwords and change them at regular intervals seems like a smart move. But any security benefit this might have is undermined if the first thing the employee does after changing their password is write it down on a post-it note and stick it under their keyboard or on their monitor for the world to see.

Another example, if I may: what if a corporate network imposes size limits on email attachments? Again, in principle this might make sense for protecting the mail servers. End-users do not always consider the impact of their actions and do not always know how the underlying system works. We shouldn’t then be surprised when an employee who needs to email a large PowerPoint presentation, rather than doing so through a controlled, IT-department-approved process, simply opens a web browser and sends it from their own unrestricted personal email account instead.

Even worse, perhaps they upload it to one of the many free web-based file-sharing services so they can email a link instead of the file itself. While convenient for the end-user, this creates a huge security problem:

  1. Your business process has introduced a new security problem.
  2. The process has been circumvented unintentionally.
  3. And you’ve lost control of your data in the process.

Once the file has been uploaded, it may not be clear how long the file-sharing service keeps it, who has access to it in the meantime, or ultimately what might be done with it. The upload service could be doing, well, anything with your company’s most sensitive information. You just don’t know.

While you can block these websites when people are connected to your company network, users can easily reach them when working from home or simply by disconnecting from the VPN. Given the current situation, where governments advise everyone to work from home, the problem might be even bigger than we think.

Humans will be human

The lesson here should be simple. Although you can do a lot to create awareness, fighting against human nature is tough. Your people may be experts in their profession but not necessarily in the field of security. People are always going to look for the shortest route to achieve their goal and, in some cases, they can be really creative about it.

I have witnessed first-hand, even with our own clients, IT departments that filter encrypted files (such as a report containing PenTest findings) on network ingress. Employees of those same organisations, who consume our security services, then ask us to send our reports to their private email addresses, again circumventing a well-intentioned security measure. So if your corporate security makes work harder, people will find a way around it, whether you like it or not. Humans will be human.

On one level, the two examples above of common security threats might sound scary. But I think that is the wrong reaction. I think the “Shadow IT” challenge - that of employees finding their own solutions - is actually rather inspiring. They have identified problems - passwords that are hard to remember and restrictive email attachments - and have used their own initiative to find solutions so that they can work more effectively. That’s exactly what you should want a brilliant employee to do.

The challenge for us as security-conscious managers and leaders, then, is instead to figure out how we can best support employees in using new ways of working while keeping the business’s data secure and private. We should ask ourselves which new and emerging technologies we can leverage to work both more effectively and more securely. Instead of insisting that employees remember long passwords, could we roll out password managers and two-factor authentication? Instead of restricting file sharing, could we offer company-wide cloud storage that meets our security requirements? Is it possible to build in security so that it is completely frictionless and ubiquitous?

Just as we do not need to think about locking our car or bike, can processes be rebuilt so the same is true for our business-critical systems and their supporting infrastructure? This is the opportunity that digital transformation presents.

Taking a holistic view

What do I mean by digital transformation? To understand this, think about how any given company’s IT usage has evolved over the last 20 years. Perhaps the sales department was the first to fully digitise its processes. Maybe the human resources department has only recently gone fully digital. Maybe legal is only part of the way there today.

At no point in this evolution did anyone stop and ask fundamental questions about the business and how it operates in a world that is digital by default. How can business functions be organised to operate more effectively, so that every process better serves the people who must interact with it? And, crucially from my perspective: how can the business make security a baked-in part of each and every business process?

Taking a digital transformation approach is taking this more holistic view and looking towards new and emerging technology to better meet these challenges.

The digital transformation opportunity

There’s a huge opportunity here. Research carried out in 2020 by BT and polling firm YouGov showed that only 29% of businesses say they intend to adopt any of a range of next-generation technologies, from artificial intelligence and 5G to edge computing and blockchain, over the next five years. This is, I think, an alarmingly small proportion, given the security advantages firms could be missing out on.

For example, just 30% of businesses said they intend to upgrade to 5G, despite the much stronger security and encryption standards built into the technology.

What I found most surprising was that just 4% are open to exploring cloud-based “as-a-service” solutions, even though in many cases a specialised cloud service can be more secure than your on-premises solution. Why? Because while your IT team may be good at managing security for your office, it also has to deal with a variety of other challenges all the time; for cloud providers, getting security right is essential to maintaining trust in their business.

They employ countless security specialists, monitor actively on a 24x7 basis, and rigorously test their entire infrastructure to an extent that would be nigh on impossible for small firms to match.

In addition, they undergo accreditation programmes such as ISO/IEC 27001 or ISO/IEC 27017 to assure their customers that they have taken all necessary security measures for delivering their services. ISO/IEC 27017 describes guidelines for information security controls for the provision and use of cloud services, and contains additional controls with implementation guidance relating to the secure delivery of cloud services. Always make sure your cloud service provider has successfully met and passed the accreditation criteria. It is something the cloud service provider should be proud of.

More broadly, there are also plenty of specialist tools available, such as managed security services that will manage your entire company network, and even smart firewalls that use the latest artificial intelligence and machine learning to spot threats that traditional firewall software may miss. Discover how you can keep your network safe with managed firewall services.

The security barrier

There is an irony to the security benefits of digital transformation. According to that same survey, the top reason why some managers said they were reluctant to embrace new technology was concerns about - that’s right - security.

But in my view there is a way to overcome this fear, and it goes back to the human element. If you bring employees and stakeholders along with you on the digital transformation journey, you are not just creating a stronger business; you also have the opportunity to create and instil a culture of security in your people. When this collaboration happens, humans may still be human, but you can remain confident that your business is serious about security.