Cybersecurity – it’s all about people, not tools

I’m a big fan of the Maori proverb 

He aha te mea nui o te ao? He Tangata, He Tangata, He Tangata. 

The translation of which, for those reading from overseas is 

“What is the most important thing in the world? It is people! It is people! It is people!

Look to any problem in business, in organisations or in society, and it boils down to the people, the people, the people. We spend so much time thinking about systems and processes and sometimes lose sight of the fact that these are tools built by and for people, and it is the people who determine whether those systems and processes do the right things and achieve the desired outcomes, or not.

I reflect on the He Tangata proverb often within the context of my technology work. After spending 15 years working in and around Silicon Valley, I’m perpetually surprised at how quick technologists are to introduce technologies, without any real consideration for the people who are going to use said technology.

Indeed, most of the work I’ve done with technology companies over the years has revolved around articulating what they do in a language that regular people can understand. Don’t get me wrong, it’s not binary. People need to learn to be adaptable and to make the most of the benefits that new technologies bring. At the same time, however, technology shouldn’t force people to develop inefficiencies in their day. And it shouldn’t be seen as the solution to people-centred issues.

Anyway, I’ve been thinking about the issues around He Tangata in the context of the recent cybersecurity breach within the Waikato District Health Board. Subsequent to the breach, I’ve seen a number of angst-ridden opinion pieces, critiquing the DHB itself and the Ministry of Health for not investing sufficient dollars in this or what cybersecurity platform of choice. It seems the authors of these aforementioned thought pieces think that tools are the ultimate panacea for cybersecurity threats.

Here’s a challenge for readers: take any large-scale IT security breach from the past decade and read up on it. Peel back the layers about incorrectly-setup filters and sub-par heuristics and what do you have? I’d wager that what you have is a situation where people are the biggest cybersecurity risk and the most likely vector for where breaches can occur.

Let’s face it – cybersecurity vendors may have millions of dollars of investment, but the financial reward for dodgy hackers is even greater, meaning that we’re facing a cybersecurity arms race that is continuously accelerating. Given the massive amounts of money that hackers invest in sourcing their ill-gotten gains, where is the best place to spend money?

Again, He Tangata, He Tangata, He Tangata.

Train your people to understand what best practice looks like. Train their eyes to be suspicious of emails asking them to change their passwords, log in to their internet banking or download some random file. Ensure they don’t *cough* write their passwords down on Post It notes and stick them to their PC monitor where they’re easy to see. Ensure they use strong passwords and, where appropriate, aid them in that quest by paying for one of the many password manager options that exist.

Of course, investing in the techy stuff like firewalls, virus blockers and the like is important, but it’s all for naught if you leave the proverbial keys in the lock.

Cybersecurity, there’s lots about it that are mind-crushingly complex, but at the same time parts of it are very simple.

He Tangata, He Tangata, He Tangata.