We say it all the time in this industry: “People are the biggest security risk in your organization.” What is sometimes missed in that is a good understanding of why. Let me start by giving you a hint: it is not because your employees are unintelligent, incapable, or don’t care. It’s because they are so darn smart and amazing.
Let me tell you a story
Bear with me a minute and let me tell you a story. Many of us remember when the famous Jeopardy champion Ken Jennings lost a game to IBM’s Watson computer. And Watson didn’t just win, Watson crushed both Jennings and Brad Rutter (the highest-grossing winner in Jeopardy history) by more than triple their scores. And the headlines crowed about how computers were now as smart as Jeopardy champions. Jennings even jokingly welcomed “our new computer overlords.” But the truth is that is only half of the story.
When asked about the momentous occasion, an individual (I don’t recall exactly who it was; it may even have been Alex Trebek) noted that while Watson had won at Jeopardy, Jennings went home afterward and did his laundry. What was meant by that statement is that Watson was a purpose-built machine with one goal in mind and capable of one thing. The game wasn’t even played in the Jeopardy studios because there was no way to get Watson on the set! Meanwhile, Jennings and Rutter, bested at Jeopardy, as so beautifully put by Walt Whitman, still contained multitudes.1
What does any of this have to do with your security? Well, it has everything to do with Ken Jennings’ laundry. You see, computers have two big advantages over people. They are fast and, compared to making a person, they are cheap.2 But human beings have big advantages too. Most notably, just consider your own life and the incredible diversity of things that you have done and can do. You are a remarkable creation. And it is presumably why your company had the good wisdom to hire you. What’s more, what you do today may have very little to do with what you have done in the past. You are a transformative creation. These facts are true of every employee.
But it is also true of every hacker, good or evil. Computers and software are for the most part simply much more predictable than people. That diversity of skills and innate creativity that you use to get the most out of your employees is exactly what hackers can exploit. And hackers exploit these attributes by being equally diverse in their skill set and creative in their approach.
The (human) race
So, we are aware that our firewalls, log monitoring, anti-virus/anti-malware and other tools are always upgrading, just as the hardware and software available to hackers are in turn upgrading, in a seemingly endless race. The truth is the same race exists for our social responses. Sure, people still occasionally get conned by a desperate Nigerian prince, but in general we know better now, though regular reminders still don’t hurt. This particular scam is hundreds of years old, and even the Nigerian variant first saw its heyday on paper in the 1980s. It flourished in the early days of email in the 1990s. And “advance-fee” scams, as they are properly known, have now spread to social media. With each new iteration, we have to advise a new generation as well as update awareness for everyone who remembers the last.
Although this is the most basic of scams, the truth is all scams rely on the very qualities that still differentiate people from computers. When a person is sitting at their desk, they are not limited to the purposes for which they were originally hired, but bring with them all the diversity of ability that makes them human. And if they didn’t, we would just build a machine to do the work. Remember, when things are equal, the machines are cheaper and faster. A person brings with them compassion, pettiness, the ability to daydream and much more. These things are the root of what makes people successful. But this is also what allows hackers to come up with new ways to exploit those tendencies.
What is to be done?
If the problem is that we keep hiring people who are creative and innovative and capable of much more than clearly defined tasks, the solution cannot possibly be to try and hire the least creative people we can find. And before anyone objects that we just need to make sure we hire smart people, here’s a quick list of just a few very smart people who have been the victims of social hacking:
- Jeff Bezos
- Kevin Bacon
- Elie Wiesel
- Martha Stewart
What we can do is give people more information. Or even better, use the same features that the evil hackers are using. We hire multi-talented creative thinkers, and evil hackers turn those very abilities against the people we hired in order to exploit our organization. Our move. So, we develop and implement a program that recognizes these very same talents, the flexibility of the human brain. We don’t just tell our employees not to respond to emails from Nigerian princes; instead we teach them how to be resilient to all kinds of attacks, to empower their “spidey-senses,” as it were. The best such programs are built by specialists to match the particular people and features of your organization and environment, because the point is not to come up with a top ten list of things to avoid on the internet. The truth is there are dozens of videos out there that talk about security awareness, and for the most part they do not help much and some can even cause harm. The point is to give your people and your organization the ability to adapt to changes in social hacking before they happen, not just alert them to what has come in the past. That is, after all, what people are particularly good at. Adaptation is at the heart of the human competitive advantage over machines.
But the computers matter too
Lest the computers start feeling bad, rest assured, you still need that multi-tiered security infrastructure of purpose-built machines with their own ability to respond in their own way to the new and unexpected that evil hackers throw at your environment. The truth is that as long as you have people and as long as you have machines, then you will need both people-based and machine-based ways of dealing with the bad guys. But if anyone comes along and says they have a machine that will do everything, well, they’re just selling you something.