[BreachExchange] Cybersecurity Is Not A Technology Problem

Destry Winant destry at riskbasedsecurity.com
Mon Oct 8 21:36:34 EDT 2018


Attacks against IT infrastructure use hardware and software to target
technology assets. The role of cybersecurity is to protect IT
infrastructure and the data stored on it. But a single-minded focus on
technology cannot solve the industry’s cybersecurity failings. The
real solution to the spate of data leaks and ransomware attacks we’ve
seen over the last year is human.

Cybersecurity is, first and foremost, a people problem. As an
industry, we know how to build secure platforms – secure
infrastructure is readily available and security best practices are
well understood. But many businesses fail because security isn’t a
fundamental concern. The worst security breaches and data thefts
aren’t caused primarily by failings in the technology, but by human
error. More and better technology isn’t the solution.

A few security breaches from just this year suffice to make the point.
In May, fitness app PumpUp leaked six million records that included
sensitive customer data. The records were stolen from a backend server
that was exposed to the internet with no password protection.

In March, Under Armour leaked data from 150 million accounts. The
company gained plaudits for disclosing and fixing the breach quickly,
but it later transpired that many of the leaked passwords were hashed
with the easily reversible SHA1 algorithm. Under Armour knew that this
was insecure – they had switched to a secure algorithm for newer
accounts, but the change was never applied to older accounts.

In April, Panera leaked the private data of millions of its customers.
The vulnerability was caused by an easily avoided error. Even worse,
it took Panera eight months to fix it, during which time innumerable
names, physical addresses, and birthdays were leaked.

Each of these breaches is technological, but the solutions are not.
The solutions must be human-centered because the problems are, at
root, caused by action or inaction within organizations.

It’s important to stress that human-focused responses to security
shouldn’t involve finding and blaming an individual. Employees make
decisions and implement processes within an organizational context. In
all likelihood, the developers and system administrators who “caused”
the security breaches discussed in these examples were aware of the
potential consequences. Yet, they were not motivated – or allowed – to
do anything about it.

Blaming an individual doesn’t solve the problem because it does
nothing to address the organizational shortcomings that allow an
unsecured server with sensitive data to be connected to the internet,
or that cause a business to leave a known vulnerability in place for
eight months. The only real solution to blunders of this type is to
give well-trained employees the freedom to speak out about security
issues and be taken seriously.

For some organizations, that requires leaders who are prepared to
change the incentive structure employees work under. It requires a
commitment to making security a fundamental goal of any project.
Businesses that choose not to make human-centered changes to their
approach to security consciously decide to put their users' data at
