Is "Vasya" always to blame: debunking myths about the human factor in information security

From leaks of confidential data to large-scale hacker attacks - in many incidents, insiders played a key role, using their official powers to harm employers. The guilty have been found and punished, the case is closed. But is the question of guilt so clear-cut in these cases? Can patterns be found in these stories?
Indeed, the statistics are impressive: starting with the scandal with Anthem Inc., where 78 million personal data of clients were stolen by an IT department employee, and ending with the hacking of the systems of Russian government agencies, - in all these stories, guilty insiders sentenced to significant prison terms are involved.

But in the investigation of such cases, a whole range of factors that could influence the behavior of the employee and ultimately provoke him to illegal actions are often overlooked. And, most importantly, these factors are usually hidden within the organizations themselves: in their hiring, control, and personnel motivation systems.

Stanislav Karpovich, Deputy Director of the "Cyberpolygon" Department for Business Development, in a new material tried to dispel several myths about the human factor in cybersecurity.

Myth one: "Hardware" is more important than people

By the end of 2023, the total amount of damage from incidents related to information security breaches amounted to about 156 billion rubles. The internal violator factor prevails in incidents related to information leaks due to the deliberate actions of insiders. As cyber incident investigations show, many organizations lack monitoring of their employees' activities, which allows insiders to steal data for years without fear of exposure. The average damage from one information leak for Russian organizations in 2023 amounted to about 5.5 million rubles, and there may be several such incidents during the year.

To reduce such risks, entire classes of information security solutions have been developed. First of all, these are DLP systems that prevent data leakage risks, IdM class solutions for managing accounts and access rights, and PAM systems for controlling privileged users. These solutions reduce risks due to internal attackers but are not able to counteract social engineering methods to which an ordinary person is susceptible.

And when such a "weak link" still falls for the tricks of hackers, it is he who is declared guilty, although the root cause lies deeper - the insufficient level of cyber literacy of company employees and the low level of investment in Security Awareness programs and the training of cyber defense teams.

The question is not whether cybercriminals will be able to lure an employee to the "dark" side, they will. The question is the amount of resources that will be required for this and the amount of potential damage they will be able to cause.

Companies easily allocate billion-dollar budgets for hardware and software, but avoid a systematic approach to developing their employees' skills. And there are practically no such automated solutions on the market. The circle is closed. What is necessary is that the market has formed a demand for systems to control and develop employees, which will strengthen information security measures.

Myth two: we check everyone thoroughly

A recent case of the American company KnowBe4, which accidentally hired a hacker from North Korea, is quite indicative. The "candidate" successfully passed four stages of video interviews, and the candidate did not arouse suspicion at any stage. On the first day, having received a work Mac, the new employee began to upload malicious software, this manipulation was stopped by the security operations center (SOC). As further investigation showed, the "employee" was physically located in North Korea and connected to the work device through a "laptop farm" using a virtual private network.

Yes, a case of this scale is rare, but in general, the hiring process remains one of the narrowest places. In an effort to fill vacancies as quickly as possible, HR services sometimes neglect a thorough check of the candidate's biography and track record. As a result, people with a compromising past can come to key positions, who subsequently become the cause of serious incidents.

In the near future, the crisis in the labor market will only intensify. Already now we are observing the trend of "offer in one day" with the motivation: "if we do not send the offer, others will, and this position has been open for us for six months." Therefore, it is unlikely that the check in the current format will remain an effective barrier for unreliable candidates.

Myth three: the "scapegoat" is always to blame

Finally, one cannot discount the personal motives of insiders - from financial difficulties to revenge on the employer. One of the motives may be banal burnout, dissatisfaction with current tasks, the atmosphere in the company, personal conflicts with employees in similar positions or top management.

Thus, three former employees of the US Department of Homeland Security stole the personal data of hundreds of thousands of civil servants. Murali Venkata, Charles Edwards, and Sonal Patel were convicted of conspiracy to steal. According to the investigation, the data of more than 200 thousand people were at risk. In addition, the criminals were going to develop their own commercial system to sell it back to the feds, for this they stole government software.

However, the question here is why the employees found themselves in such a situation and why the organization was unable to identify and prevent it in time? Of course, there are ways to reduce the number of such incidents due to the fault of the employee, but it is much more important that people themselves correctly assess their own risks and the potential damage from their actions.

Myth four: our information security department is invulnerable

Since 2022, we have been conducting regular cyber exercises for information security engineers, SOC center analysts, and incident response experts. The demand for them is growing every year, as are the requirements for their qualifications at the entry and during the work process.

Until 2022, international certification systems were very significant for assessing the skills of candidates and employees, but after the departure of international certification centers from Russia, the possibility of practical verification of competencies at a similar level did not develop. But even the certification system did not provide an understanding of what relevant knowledge and skills an employee possesses, as the requirements for qualifications are constantly growing and they grow non-linearly, but in bursts.

Since 2020, we have conducted more than 300 cyber exercises for 5000 employees of companies and government organizations. And we can highlight two trends that we observe in the professional community.

Firstly, it became clear that the level of competence of "paper" information security specialists is insufficient for responding to incidents. Secondly, gaining experience directly during an incident is too expensive for a company that is responding to a cyber attack at the moment.

An analogy can be drawn with the training of firefighters, who maintain their skills during training to do everything correctly and quickly at the right moment. Another example is the training of a racing car driver, who will practice turns on a virtual track 100 times before getting behind the wheel in Monte Carlo. Similarly, an aircraft crew works through all possible negative scenarios before each flight.

Therefore, in information security, the process of developing competencies should become as integral a part of the work process as filling out a pilot report or tracking the expiration of licenses.

Myth five: employee training is the responsibility of the employees themselves

The desire of HR and company leaders to attract ready-made candidates with all the competencies is understandable and logical. At the same time, the cyber defense team, like Formula 1 pilots, should regularly participate in cyber exercises to hone practical response skills to attacks. Criminals are constantly improving hacking tactics and techniques, so it is important for the information security team to be at least on par, if not ahead.

Therefore, cyber defense teams develop cyber exercise programs that take place on cyber range platforms. Ideally, it is better to regularly conduct command and staff training to work out various incidents. Then, based on SLA metrics, determine which competencies and which employees need to be improved.

The next step is to develop a development plan for each cyber defense employee, or Blue Team, with confirmation of acquired skills. It is important to know the people who are responsible for the success in repelling a cyber attack and minimizing damage. For example, a competency matrix is a visual way to understand what type and level of attacks the company is protected from, and under what scenario there will be no chance.

No specialized seminar will turn your information security specialist into Neo in the Matrix. Only practice, constant honing of skills in protecting various industry infrastructures, and teamwork.

To a certain extent, this process will require a revision of the strategy for training personnel in information security, bringing to the surface the issue of adapting the team to force majeure. In this case, the problem of "Vasya", or the scapegoat, will definitely not be as acute for Russian businesses and government organizations.