Attacks against IT infrastructure use hardware and software to target technology assets. The role of cybersecurity is to protect IT infrastructure and the data stored on it. But a single-minded focus on technology cannot solve the industry’s cybersecurity failings. The real solution to the spate of data leaks and ransomware attacks we’ve seen over the last year is human.
Cybersecurity is, first and foremost, a people problem. As an industry, we know how to build secure platforms – secure infrastructure is readily available and security best practices are well understood. But many businesses fail because security isn’t a fundamental concern. The worst security breaches and data thefts aren’t caused primarily by failings in the technology, but by human error. More and better technology isn’t the solution.
A few security breaches from just this year suffice to make the point. In May, fitness app PumpUp leaked six million records that included sensitive customer data. The records were stolen from a backend server that was exposed to the internet with no password protection.
In March, Under Armour leaked data from 150 million accounts. The company gained plaudits for disclosing and fixing the breach quickly, but it later transpired that many of the leaked passwords were hashed with the easily reversible SHA1 algorithm. Under Armour knew that this was insecure – they had switched to a secure algorithm for newer accounts, but the change was never applied to older accounts.
In April, Panera leaked the private data of millions of its customers. The vulnerability was caused by an easily avoided error. Even worse, it took Panera eight months to fix it, during which time innumerable names, physical addresses, and birthdays were leaked.
Each of these breaches is technological, but the solutions are not. The solutions must be human-centered because the problems are, at root, caused by action or inaction within organizations.
It’s important to stress that human-focused responses to security shouldn’t involve finding and blaming an individual. Employees make decisions and implement processes within an organizational context. In all likelihood, the developers and system administrators who “caused” the security breaches discussed in these examples were aware of the potential consequences. Yet, they were not motivated – or allowed – to do anything about it.
Blaming an individual doesn’t solve the problem because it does nothing to address the organizational shortcomings that allow an unsecured server with sensitive data to be connected to the internet, or that cause a business to leave a known vulnerability in place for eight months. The only real solution to blunders of this type is to give well-trained employees the freedom to speak out about security issues and be taken seriously.
For some organizations, that requires leaders who are prepared to change the incentive structure employees work under. It requires a commitment to making security a fundamental goal of any project. Businesses that choose not to make human-centered changes to their approach to security consciously decide to put their users' data at risk.
