Cybersecurity: How a new approach could dramatically boost protection
A "people-centric approach" could be the key to dramatically boosting a business's cybersecurity, experts in the field explained this week.
While the internet continues to grow its influence on most aspects of our lives, the number of cyber dangers also expands with no end in sight. Our online lives are targeted by criminals and governments wishing to do each other harm. Addressing the very real risks cyberspace poses to average people and businesses has become a hot topic.
One of the world’s most important tech gatherings, CES 2023, highlighted this issue in a panel with cybersecurity experts titled “Rethinking Security — A People-Focused Cyber Strategy,” moderated by Hank Thomas, CEO of Strategic Cyber Ventures.
Among the participants was Carole House, Executive in Residence at Terranet Ventures, a firm that focuses on investments in technologies with national security applications. Carole’s background includes work in digital identity and cryptocurrency at the National Security Council of The White House.
Steve Thomas, technical founder and CEO of startup HackNotice, a “threat-awareness” company, and Timothy Youngblood, Chief Security Officer with T-Mobile, rounded out the group.
The people-centric approach
At CES 2023, Carole House explained the “people-centric approach” she took while working in the White House. One aspect of it included deterrence of “illicit actors,” the cyber criminals, through an anti-ransom campaign. They also looked at the people who suffer from cyber crimes — victims of fraud and ransomware. The focus was on vulnerabilities and how people were being targeted. One particular accomplishment House shared was elevating cyber crime as a national security imperative.
Tim Youngblood called security “a people business.” In his work at T-Mobile, he’s done “persona-based training” which is focused on how people are trained in their spaces and how security affects their daily lives. This involves educating field technicians, executive assistants, store clerks and other positions about the particular security challenges of their jobs. The training is based on assessing and quantifying potential risks, instructing people in the most relevant issues they need to know about currently.
Trained personnel are then constantly tested through methods like staged phishing attacks to make sure they stay alert to possible threats. Youngblood shared that they carried out 160,000 phishing campaigns in 2022, testing every person at T-Mobile and providing real-time teaching moments to the staff. While those who fell for the attacks were trained to avoid them in the future, Youngblood also shared the importance of providing a platform for rewarding those who avoided security mistakes.
Steve Thomas agreed that training was important, but said most education companies produce generic content and don’t convey the message to employees that cybersecurity is part of their job. To remedy this “perception problem,” he founded the company HackNotice, with the intent of making people understand that security is their responsibility because they themselves are being targeted by hackers.
“Every one single person here and watching online is a target for hackers,” pointed out Thomas, adding that hackers are constantly trying to gather data about you online, looking to commit fraud and steal your identity, then eventually break into the company you work for.
The training provided by HackNotice changes people’s behaviors by using real-world events and scenarios to show how they are personally impacted. The goal is to make them proactive in security measures.
Cyber security vital for businesses
Carole House stressed that there has been recognition by businesses that cybersecurity is a crucial issue — it will keep them in business for longer. Tim Youngblood shared that email and ransomware attacks are up 90 percent in certain industries, bringing criminals money, so they aren’t likely to stop. “All I know companies are that have been breached and those they don’t know they’ve been breached yet,” he quipped. Among the security measures he advocated were multifactor authentication, authenticator mobile apps, updating passwords, and using password managers.
“Building the culture of security” is the goal for employers, explained Steve Thomas, as he described the work of his company HackNotice. They try to provide a bridge between the security team and employees, changing the business’s culture.
“Treat the internet with a healthy amount of regard or suspicion,” warned Thomas, advocating for people to start thinking of the net as a dangerous place. On the other hand, he cautioned against treating employees with suspicion — they need to feel a part of the team and take on the distributed responsibilities for security together.