The National Cyber Security Alliance and NASDAQ recently held a Cybersecurity Summit entitled Solving People Problems in Cybersecurity. At first glance, one may think that the title is strange, that cybersecurity is a technology issue and not a people issue.
Delving deeper though, it becomes clear that cybersecurity is about people. Cybersecurity is about keeping data and technology safe from the “bad guys,” who are people. People are building the infrastructure of the Internet and our world as a whole. People are the ones using the digital channels and technologies that other people create.
The Education Problem
A huge problem in the world of cybersecurity is the amount of knowledge people have about the topic. The Pew Research Center conducted a survey last year to see how much Americans know about cybersecurity. The average respondent answered only 5 out of 13 basic questions correctly.
Clearly there is a great amount of room to grow in cybersecurity education, but will it ever really be enough? Technology is evolving daily and fraudsters are keeping up with the evolution, and it is impossible to educate people to the extent necessary given the continuous changes in the landscape and the endless security requirements that we are faced with.
That being said, even if people were properly educated, chances are many would still be vulnerable to social engineering attacks. Social engineering is essentially the manipulation of people into divulging sensitive information. The most common type of social engineering is via the phone. In fact, according to Cifas UK, telephone takeovers represent 50% of all bank account takeovers. Once a fraudster has access to the victim’s bank information through the phone, they can usually obtain SMS and other second factor authentication codes required to bypass online banking security protocols – a practice known as cross-channel fraud.
Behavioral biometrics addresses this type of threat, analyzing the human element and looking at WHO is behind a session and not where they logged in from or what device they have. The technology provides protection after the login, continuously monitoring for human or non-human (robotic, aggregator, malware, Remote Access Trojan) account takeover attacks. There is significant evidence showing that fraud today comes from authenticated sessions and that social engineering is by far one of the biggest cybersecurity risks we face today.
Consider this: More than 60% of enterprises surveyed were victims of social engineering attacks in 2016 and 17% of the attacks breached financial accounts.
Next, consider this: In his presentation, Alex Blau of ideas42 asked how many in the audience believed that running software updates immediately as they become available was one of the most important steps to keeping safe online; almost everyone in the room raised their hand. When asked who actually followed this practice, almost no one in the room said yes.
Both of these trends reinforce what many in the field already know, that static forms of security simply do not suffice. A new paradigm that is dynamic, people-oriented and scalable is the only way to deal with the cyberthreats that we are facing today.