Where there’s friction, you’ll find subversion

Welcome to the new 616 cyber warriors who joined us last week. ?? Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA23 keynote stage.

This week we’re focused on…??

How an organisation’s employees can put overall security at risk.?

Why??

Because at #BHMEA22, Lothar Renner (Managing Director, Security, at Cisco EMEA) said:?

“If security is giving you a hurdle, a burden, so you cannot do your work – what do you try to do? You try to get around it.”

It’s an unfortunate truth: cybersecurity protocols and tools often increase friction for employees, having a negative impact on their user experience (UX) and causing frustration. When security slows you up and makes it harder to do your job, you feel annoyed – and then you’re less likely to follow your employer’s security guidelines and rules.?

Is this backed up by research??

Yep.???

• A survey of more than 5,000 businesses around the world, by Kaspersky Lab and B2B International found that 52% of businesses believe they’re “at risk from within”.
• Uninformed or careless staff were found to be the second most likely cause of a major security breach (with malware being the most likely cause).
• In 2020, America’s National Science Foundation asked 330+ remote workers across a range of industries to report on their stress levels each day over a two week period, and their adherence to cybersecurity policies in the same timeframe. A worrying 67% said they failed to completely comply with cybersecurity policies at least once, with the average failure-to-comply rate being “once out of every 20 job tasks.”
• The same study found that approximately 18% of violations by employees were motivated by a desire to help a coworker. This is particularly interesting when you acknowledge that threat actors often use people’s desire to help others as part of social engineering tactics to drive them to break the rules.?

??And when it comes to employee compliance, the threat landscape is growing in unexpected ways

Analysis at the beginning of this year by Cyberhaven found that 11% of the data employees paste into ChatGPT is confidential. Since then, there’s been an explosion in the number of AI tools easily available to employees, and more and more people are using generative AI to help them at work – so the volumes of confidential data inputs could be significantly higher by now.?

If an employee entered information from your company’s confidential strategy document into a generative AI tool, for example, because they wanted to rewrite that information for an internal report, then if somebody else later asked that tool a question like:?

“What are [your company’s] key strategic objectives this year?”?

Then the AI could respond with the confidential information entered by your employee.

It’s increasingly important that organisations include generative AI protocol in their overall security guidelines – and yet even if they do, without truly effective employee awareness initiatives, the ease of using AI to produce work could incentivise them to use it even if they’ve been told they shouldn’t.?

People don’t like friction. People do like tools that make their work easier.???

Do you ever try to get around your organisation’s security policies?

1. Yes, sometimes vote

2. No – because I work in security, so I know why the policies exist vote

Is Zero Trust the answer?

Quite possibly.?

As Renner put it, “Zero Trust is not a buzzword that will go away.”?

But Zero Trust frameworks must be implemented in a way that gets everyone on board. Pilot projects should show employees that Zero Trust isn’t designed to get in the way of their work and make their lives difficult. And everyone should understand why the framework is important – and the kinds of attacks that it could prevent.?

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message at [email protected] and share your thoughts. Our next newsletter is scheduled for 22 November 2023.

P.S. - Mark your calendars for the return of Black Hat MEA from ?? 05 - 07 November 2023. Want to be a part of the action? Register here