The impact of human behavior on security

People should be the last thing in charge of cybersecurity. Remove people and add transparency and automation for true protection.

I recently saw an ad that read, “Security starts with people,” and it gave me pause. After twenty years in security, I’ve learned that security problems typically start with people, and having them responsible for implementing it is usually a bad idea. Hear me out.

It’s human nature to be efficient – find the easiest and fastest way to accomplish a task – and that’s often at odds with what needs to be done to keep data and files secure. There are hundreds of productivity hack articles preaching efficiency as we all try to multitask ourselves to death. But when it comes to data security, shortcuts are too risky. And that risk isn’t worth taking in today’s cyber-insecure world; there’s just too much at stake for both companies and consumers.

Removing people from the equation entirely and adding transparency and automation is the only effective way to truly protect data, prevent leaks and ensure you’re in compliance. There is simply no other solution. But how can that be done? Most data security solutions on the market let people decide which files to protect and encrypt and which to omit. My suggestion: do the opposite and protect them all. Securing everything, and allowing only administrators and privileged users to selectively opt out of specific files, protects enterprises from both internal and external threats without altering the way users collaborate, share and use files. It’s a new approach for a changing world.

Here are four reasons why people should not be in charge of cybersecurity.

1. The world is just too dangerous

Unfortunately, we live in a Zero Trust world, and we don’t know when and where the next breach will happen. It’s impossible to know today what data may be important in the future, and it’s too risky to leave it to users to guess. In this environment, you can’t count on user involvement to keep the data safe. And you need to take into account the way data is really used and shared across devices, in and out of the office.

When it comes to effective data security, the most successful solutions are transparent. They work in the background and provide automated, non-disruptive protection of assets.

2. Manual methods can’t keep up

Manual methods for deciding what needs to be classified or protected will never work, because they can’t scale. So much data is being created that even if a very high percentage of it is manually protected, a huge amount would still be unprotected, putting your firm at risk on both data security and compliance.

Additionally, to keep things secure, everything needs to be logged. A technology solution automatically logs all the data for reporting and auditing purposes, and also enables security orchestration tools to take immediate action based on any risks uncovered in the logs.

For example, suppose an unknown process is trying to open Microsoft Word files at a very high rate, say 10 files per minute. This is probably a virus. With automation, an orchestration tool can immediately launch an antivirus scan on the device.
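The rule in the example above can be written as a sliding-window detector over file-access events. This is an added example, not code from the article or from any product; the log format, the process allowlist and the host and process names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

KNOWN = {"winword.exe", "explorer.exe"}   # hypothetical allowlist of expected processes
WORD_EXT = (".doc", ".docx", ".docm")
THRESHOLD, WINDOW = 10, timedelta(minutes=1)   # the article's "10 files per minute"

def constructed_log():
    """Constructed sample events (timestamp host process path), not real telemetry."""
    t0, rows = datetime(2024, 1, 1, 9, 0, 0), []
    for i in range(12):   # unknown process, one Word file every 4 seconds
        rows.append((t0 + timedelta(seconds=4 * i), "LAPTOP-7", "xq1.exe", f"C:/Users/amy/q{i}.docx"))
    for i in range(15):   # Word itself: fast, but on the allowlist
        rows.append((t0 + timedelta(seconds=2 * i), "LAPTOP-7", "WINWORD.EXE", f"C:/Users/amy/q{i}.docx"))
    for i in range(12):   # unknown process, one file every 30 seconds: under the rate
        rows.append((t0 + timedelta(seconds=30 * i), "LAPTOP-9", "sync.exe", f"C:/Share/m{i}.doc"))
    rows.sort()
    return "\n".join(f"{ts.isoformat()} {h} {p} {f}" for ts, h, p, f in rows)

def detect(log_text, known=KNOWN, threshold=THRESHOLD, window=WINDOW):
    """Alert once per (host, process) when an unknown process opens `threshold`
    distinct Word files inside a sliding `window`."""
    recent = defaultdict(deque)          # (host, process) -> (time, path) events in window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, host, process, path = line.split(" ", 3)   # path may contain spaces
        ts, process = datetime.fromisoformat(stamp), process.lower()
        if process in known or not path.lower().endswith(WORD_EXT):
            continue
        key = (host, process)
        events = recent[key]
        events.append((ts, path))
        while ts - events[0][0] >= window:    # drop events older than the window
            events.popleft()
        files = len({p for _, p in events})   # reopening one file does not inflate the rate
        if files >= threshold and key not in alerted:
            alerted.add(key)
            # An orchestration tool would consume this record and start the scan.
            alerts.append({"host": host, "process": process, "time": ts, "files": files})
    return alerts

if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Only the unknown process on LAPTOP-7 is flagged: Word is skipped by the allowlist, and the slower process never has more than two files inside the one-minute window.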

3. Too much sharing is hard to manage

Security needs to start when and where the content is created. There are too many workflows and alternative ways for content to be shared, edited and stored, especially with the proliferation of devices used today and the amount of content generated in the cloud. As consumer cloud services and new devices push into the enterprise, the task of tracking and managing unstructured data becomes increasingly challenging.

It’s easy for secure data to be passed on inadvertently. An employee might copy some financial data to include in a report, or information on a potential acquisition from a secure document to include in a PowerPoint to management. Once this information leaves the protection of a secured file and lands in another document, it’s no longer protected. Protecting derivative works wherever they end up is a major undertaking that requires a centralized and automated approach.

Trying to go back retroactively and find where sensitive information exists is too hard and too time consuming, and it just doesn’t work. Protecting data only on egress from the network opens up possibilities for risk. On the other hand, a truly secure solution protects data at all times and works best when it begins at the source.

4. Some data breaches are intentional

According to an Intel study, 43 percent of data breaches are caused internally, whether inadvertently, accidentally or intentionally. While it may be uncomfortable to think about, disgruntled employees can wreak havoc with an organization’s security.

While people are certainly an important aspect of data security and serve as critical administrators, they cannot serve as the be-all-end-all. Human behavior has proven that we choose to take the easy road, cut corners and make mistakes. We’re only human. But critical data, intellectual property, compliance, sensitive information and brand reputation are just too important. We can’t afford to make mistakes.

This article is published as part of the IDG Contributor Network.