Navigating the Challenges of Human Vulnerability Management
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey, everyone, and welcome back to another episode of Gone Phishing. I am your host, Connor Swalm, CEO at Phin Security, and I'm following on from the last episode I did, which was when I talked about why human vulnerability management should matter to everyone, why it's applicable to all of us, not just me who likes talking about it a bunch. And if you haven't seen that, I'd highly recommend you go take a look at that to give you a little bit of context to what we're going to talk about today.

Because one of the concepts that I mentioned in the previous episode is, all right, great, this doesn't sound like an incredibly complex thing to do, to teach people to recognize social engineering and prevent theft in their own lives and in their business. So what is the difficulty with actually building human vulnerability management programs and actually helping people understand what's going on? And I have a couple of things. Some of them touch on psychology. Some of them touch on human behavior. Some of them touch on the world we exist in. And, well, changing the world is, while the goal of many, incredibly hard.
So that's why things are the way they are sometimes. So the first thing I'd like to mention about why is this so difficult, why is it really difficult to teach people what's going on around them? Probably most obvious is that we as people are typically set in our ways. The saying "well, it's always been done this way" exists for a reason. If people are used to doing certain things, if they're used to interacting with certain people in certain ways, then it's very likely that they'll continue to act that way and to interact in that way. So we as a group, at least here on the East Coast in America, we are set in our ways. We don't like to change. Change is really hard in a lot of ways.

And so it's very difficult to convince somebody, hey, the way you're acting, the way you're talking, the way you're interacting with yourself and others and your community and your business and your coworkers, insert any other group of people, is creating risk. If you try to convince somebody that the way they're acting and the things that they're doing and the way they're saying it create the risk that somebody is able to socially engineer them out of their money, access, or information, they're typically kind of turned off to that whole concept.

When I was in college studying math and I tried to talk to people about the math that I was studying, because I really enjoyed it, the conversation was over before it got started. I may have enjoyed it, I may like it incredibly, but I recognize that almost nobody else did. And their mother, their brother, their uncle, their friend they haven't talked to in, like, nine years will be calling them from the next room. Conversation will be over before it started. And I see a very similar thing happening in not only security awareness, but cybersecurity in general, is if our goal as practitioners is to communicate in such a way that the average employee or average folks, in terms of cybersecurity expertise and desire to learn about cybersecurity, if we're talking to them in such a way that they don't want to talk back, we're at a loss. We're already starting off on the wrong foot, and we're not helping people change themselves. So that's the first thing that I see a lot: we as people don't like to change. It's hard to do.

So the second thing that I see is specifically in my industry, which is security awareness training, like training concepts on cybersecurity: compliance has driven a lot of this industry so far.
And what I mean by that is teaching people to recognize social engineering, to recognize when they're transmitting and storing information improperly, to recognize when somebody else is stealing company secrets, or like insider threats, has pretty much been largely driven by compliance frameworks like NIST 800-171. There's now the invention of CMMC, and that's consistently changing. Cyber insurance is now getting in there as well, and recommending and also enforcing, at the drawback of your policy getting canceled. If you don't do certain things, they'll cancel your policy. And so a lot of this industry, teaching people to recognize things, has been driven by frameworks that are very good at mandating compliance, but not 100% of the way there at creating incredible security.

Now, in the same way, I made this statement for the first time the other day: in the same way that the law here is supposed to be an approximation for morality, compliance is an approximation of security. It's not quite the best thing for every organization, but it is a great thing to aim for and start at. It's a great starting point at the very least. When we're at a point where compliance has driven this, compliance has to factor in all sorts of vulnerability that companies are exposed to, whether that's the total amount of risk that they actually have. Maybe a business collects people's Social Security numbers or banking information, as opposed to other people who might just have first and last names. The value of Social Security numbers and banking information creates a much larger risk for that organization than just a list of first and last names, as a result of the value of that information in the open world, where people are willing to buy things that have been stolen. And then also all sorts of other things that go way beyond humans and organizations, such as the technology that they're using and how broadly spread out they are. Do they let people work from home? Do they have multiple office locations? Do they lock their doors at night? All of these, typically factored as, like, physical security stuff, are all factored into compliance in most ways. If you want to get a SOC 2 certification, that's compliance. It's kind of like a compliance framework that you have to be adherent to, but it's our best approximation for security.
And so what I mean by it's difficult building human vulnerability management is because this would be in a very specific subset, which is humans and the way humans interact with each other and other technology. Human vulnerability management focuses on just that one small piece, and that is a small piece of clients overall. And so convincing, I guess, any governing body that we need to focus on this incredibly small subset of security issues is difficult at times.

The third thing that I also talk about regularly, I'm actually giving several talks coming up later about this, is there is no built-out framework for properly identifying and then remediating vulnerabilities that humans demonstrate. So to give you an example, a vulnerability a human is going to demonstrate, like the most pedantic example that's relevant here, is people clicking on phishing emails. So let's say there's somebody, your office manager, is working, and they get an email or a text message from the CEO saying, hey, I need you to go buy credit cards. Some of you may be laughing. It's like, nobody would fall for that. I promise you, people do. It still happens. They're still vulnerable to that kind of thing. And even a lot of my employees are getting texts like that when they come on board. And so it's still something that is clearly resulting in actual people losing actual money.

And I always bring this back to NIST. NIST has a framework for identifying and remediating vulnerabilities in technology and software. And you assess for threats, you validate they exist. You don't just pretend that they exist, you validate they're there. You prioritize the ones you just validated the existence of. You remediate those prioritized threats, and then you verify the remediation occurred. So it's this five-step process of assess, validate, prioritize, remediate, and verify. That is a pretty well-defined structure for identifying and fixing vulnerabilities that exist in security tools or businesses in general. I would like to take that model, those five steps, and apply that to humans. And today we maybe have half of the first step, half of assess, right? Whether that's through onboarding employees by asking them security questionnaires or trying to phish them and teach them what phishing looks like, we have half of this assess step, but we don't then validate the individual risks that individual employees pose. We don't prioritize what we validated, and then, as a result, we can't remediate nor verify remediation occurred.

And so the difficulty in building human vulnerability management is we need to take a framework like the one I just identified, where it's built out and applied on a daily basis by thousands and thousands of organizations to identify real vulnerability in businesses. We need to take that and transplant it into the way we assess and remediate vulnerabilities that humans demonstrate, whether that's improperly setting a password, or not being willing to turn on MFA, or clicking on phishing emails, or letting people walk through the front door who haven't quite badged in, or whatever. It's tailgating, like holding the door open for somebody who's waiting outside. There are people who are skilled enough at social engineering that they plan for those kinds of things to happen, for those employees to think they're just being nice and to wait by a door with a box in their hands and say, hey, can you just hold that open for me real quick? But that represents a vulnerability in that person who left that door open, because what they should have done is properly apply the organization's physical access rules, which is everybody badges in or checks in with the front office or whatever it ends up being. There are all these vulnerabilities. So those are just a couple of reasons as to why it's so difficult. At the end of the day, we're identifying behaviors in humans, us, that we would like to change.
And how hard is it for you to change your own behavior, let alone have somebody else change their behavior? Right? If any of you have kids or a significant other, it's like changing other people's behavior is quite possibly one of the hardest endeavors anyone will ever start trying to do. And so I'm not saying any of this is going to be easy, but the biggest difficulty in actually creating human vulnerability management is people need to change their behavior. The only thing that actually reduces the risk of a human-involved breach, I don't know, whatever Verizon calls it these days, is actually if they change their behavior, and as a result, that risk no longer exists. So the only way to properly mitigate the risk is to remove their behavior and change it, which, as we just said, is incredibly difficult. So that is kind of the crux of the issue: getting people to change, let alone myself or anyone listening, is hard. Getting others to change is even harder.

And so, yeah, that's what I wanted to bring you all today. So we talked about what the difficulty of human vulnerability management is today. A talking track that I often get looped into is why should individuals care about this? Right? Isn't this a business thing? And they've got cyber insurance, they've got all these fancy security tools and whatnot. Only businesses should care about this. So actually, on our next episode, what I'd really like to do is explain why should individuals care about this? Why should an average person? Maybe they work from home, maybe they work for themselves, or maybe they work at a large organization. What is your own behavior? What is the risk that you are introducing into your life, whether that's the risk of identity theft or the risk of money getting stolen or impersonation or anything like that, that you're introducing, and why should you care about changing some of your behaviors to reduce your personal risk? And I might have some things that you haven't quite thought of before, so I'd highly recommend you come check that out.

But once again, I'm Connor, I am the CEO of Phin Security, and I am your host on Gone Phishing. And I look forward to seeing all of you next time.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot io. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.