“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
The recently reported hack at Capital One puts proof to that assertion.
Last month, Capital One revealed that a hacker accessed the information of 106 million credit card applicants and customers. Employees raised their concerns about problems, including staffing issues, to senior executives, HR and internal auditors.
This breach was surprising because many believed that the bank was ahead of the curve when it came to technology.
Research from IBM finds that some 60% of cyber attacks are carried out by insiders, 75% of whom are acting with malicious intent rather than a reckless lack of security-mindedness. However, what’s poorly understood is that employees become malicious insiders gradually, over months or even years. Few join an organization with intent to do it harm from day one. Given that, cybersecurity must start with the “soft stuff” that most in risk management relegate to HR. Human dynamics drove the breach at Capital One, not “cyber” issues.
As insurance broker Aon has argued, “For businesses to effectively anticipate and manage the external and internal cyber risks in today’s connected world, they will need the co-operation of their most important assets: their people.”
This isn’t to say that firms should view their employees as “threats,” per se. Rather, threats may emerge among their employees. For this reason, attention should go to what conditions lead to that unhappy outcome. Often, employees are a firm’s best source of insight into such conditions.