Breaches are not down to technology
12:00 Wednesday, 26 May 2021
UK Cyber Security Council
How many times have we reported to management that a security issue was caused by “a firewall problem” or “a ransomware attack”? The reality is that these statements are typically incorrect.
Ransomware attacks generally succeed because someone did something wrong, such as clicking on a link in a phishing email or opening an infected attachment. Firewall “failures” are generally down to configuration errors that were made by people. Compromised passwords cause breaches because a decision was taken not to implement multi-factor authentication (or, worse, because it was never contemplated in the first place).
The failure to detect issues can be because logging levels were insufficient. In the past this could potentially have been ascribed to technology because network devices such as switches and routers generated masses of log detail that couldn’t be stored in their fairly small internal memory or passed to a log collator, but in 2021 such technical limitations are no more.
The human element also extends upstream to the risk decisions that are taken around cyber security. Since it's impossible to mitigate risks entirely – the goal of risk management is to bring risk into line with a management-led risk appetite, and that appetite is always non-zero – decisions must be taken to tolerate at least some level of risk, and those decisions can only be made by people.
The rise of tools that apply Machine Learning (ML) and Artificial Intelligence (AI) techniques is helping to address the limitations of some human properties, but the result will never be to eliminate all risk – instead it will simply continue to reduce it further over time but with a non-zero eventual result. These tools generally rely on statistical analysis – for example, data on historic email behaviour being used to establish the likelihood that someone is attempting to send sensitive data via email to the wrong person – and although modern techniques enable larger and larger data sets to be used to make predictions better and better, they will never be perfect.
We can defend ourselves against the human element of breaches – by more thorough testing of systems, by reducing our risk appetite and implementing more systems to check or supplement other systems, by rigorous reviews of configurations and changes, by installing monitoring and reporting tools to alert us when things go wrong.
But humans are fallible, and technology is configured and used by humans. So the cause of breaches is clear, and it’s not the technology.