Employees Are the Weakest Link in Computer Security
If your company is like most, you’re spending an awful lot of your information technology budget on security: security products to protect your organization, security consultants to help you understand where your weaknesses lie, and lawyers to sort out the inevitable mess when something goes wrong. That approach can work, but it fails to consider the weakest link in your security fence: your employees.
We’ve come a long way since the days of the Blaster and Zapper worms in the early 2000s, malware that infected computer systems and caused pure chaos in corporate networks for people not yet hardened enough to question the links and attachments that arrived in their inboxes. Yet as we’ve put together the agenda for Structure Security, a conference focused on information security to be held on Sept. 27 and 28 in San Francisco, it’s a topic that has come up again and again: How the best-laid plans designed by security experts can still be derailed by users with sloppy passwords or a tendency to leave smartphones or laptops in cabs.
If you’re a large company, you can invest in protecting your users from themselves. You can require smartphone users who want to access your network to let your operations people remotely erase sensitive data in the event of a theft or loss. Or you can insist users change their passwords every 30 days and require a 16-character password with letters, numbers, symbols, and doodles. For a lot of small to medium-size companies, however, cultural resistance to security overreach and a lack of resources to enforce even high-minded policies can result in significant loss of proprietary information, money, or both.
It doesn’t have to be this way. This September at Structure Security, we plan to showcase a number of individuals and companies who are working on ways to help everyone—from overworked chief information security officers to lower-level employees with basic information security literacy—stop problems before they happen.
Some of these approaches include:
— Breaking through the information-sharing resistance among corporate information security professionals, which could help prevent newly discovered threats from spreading faster than they can react.
— Using artificial intelligence and machine learning to better predict user behavior and hacking tactics, featuring startups such as Area1 Security, which is working on ways to detect and prevent attackers from targeting specific employees with sophisticated scams.
— Finding problems in your products and internal apps as quickly as possible by crowdsourcing “bug bounties,” a fast-growing information security practice that we’ll discuss with Casey Ellis, founder and CEO of Bugcrowd and Maarten Mickos, CEO of HackerOne.
— Designing your products or internal applications in a way that assumes your users are themselves overworked, frustrated by the growing complexity of password requirements and two-factor authentication and security images. This requires product-development teams and security engineers to work much more closely together than is the norm in this industry, according to our board of advisors.
Information security in 2016 is a tricky balance. The threat has never been more pronounced, as anything not yet connected to the Internet is probably in development by a hot startup, and as third-party cloud providers control an increasing amount of critical infrastructure. But the people in the trenches who are responsible for security discipline need more help from the people whose software they are required to use simply to do their actual jobs.
Organizations that don’t prioritize helping their users secure themselves can spend all the money they want on the security products that the $75 billion information security industry is quite happy to sell them; yet after all that effort, they still might be leaving their house keys in the front-door lock.
Fortune readers can get a discount on tickets to Structure using this link.