Have you heard about the French Paradox? No? Well, it goes something like this: across the pond our French neighbours enjoy a diet full of rich, cheesy saturated fats, whilst simultaneously experiencing relatively lower levels of coronary heart disease. This goes against conventional medical wisdom, which suggests that higher levels of saturated fat in a diet should result in a higher incidence of heart disease. It’s interesting, perplexing and a bit frustrating – especially if you’re not French!
What has this got to do with Information Security?
You’re probably thinking, what has this got to do with Information Security? Well, absolutely nothing apart from there being a paradox in play – real or perceived.
It’s well known that where information breaches are concerned, the human element plays a part in somewhere between 70% and 80% of them, usually through mistakes or ignorance. What we find frustrating here at Risk Crew (apart from the rich cheese thing) is that whilst organisations seem happy to spend large amounts of money on software-based security solutions, they seem less inclined to invest in what is arguably the most vulnerable and most often attacked element of their cyber and information defences – us humans.
And this is where the paradox comes in
The harder you make it, via software, for malicious actors to breach your systems, the more pressure you put on your users. Paradoxically, your users feel more secure at the same time, because IT has just told them about the new, state-of-the-art, whizz-bang, super-expensive security software solution they have installed. A simple example is software that recognises and intercepts spoofed email addresses. So, you’ve made it harder for attackers to spoof an email from your Finance Director requesting an urgent payment to one of your suppliers. One of two things is likely to happen at this point:
- The attacker will move on to another easier target – great (for you) but certainly not guaranteed
- The attacker will look for another way of getting that email through – instead of spoofing an email, why not send it from the genuine account? That way it’s almost certain to get through any software-based security validation. How do they do it, though? Easy! They just trick the human into giving away their credentials. Or, as has been happening lately, attackers access repositories of previously compromised accounts on the dark web and prey on the victims who use the same password across multiple accounts.
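The second route above works because a password leaked from one breach is reused somewhere else. One software control that addresses the human side of that problem is to check a new or changed password against known-breached hashes at the moment it is set, without ever sending the full hash off the host. The snippet below is an added example, not code from the original post or from Risk Crew: it implements the k-anonymity "range query" pattern (send the first five hex characters of the SHA-1 digest, compare the remaining 35 locally) against a small breach corpus constructed inline for the example. The password list and breach counts are made up; a real deployment would query a breached-credential service or a locally mirrored corpus instead of the in-memory dictionary used here.

```python
import hashlib

# Constructed sample breach corpus for this example: SHA-1 hex digest -> number of
# times the password was seen in past breaches. The values are made up and are
# NOT real breach data; they stand in for a breached-credential service.
_SAMPLE_BREACHED = {
    "password": 3,
    "123456": 7,
    "qwerty": 2,
    "letmein": 1,
    "Summer2023!": 1,
}
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): count
    for p, count in _SAMPLE_BREACHED.items()
}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form used by range-query breach services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-character prefix is what leaves the host,
    the 35-character suffix stays local for the comparison."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_lookup(prefix: str, corpus: dict[str, int] = BREACH_CORPUS) -> dict[str, int]:
    """Simulates the service side of a range query: return every suffix in the
    corpus whose digest starts with `prefix`, with its breach count. The caller
    only ever sends the prefix, so the service cannot learn which password
    (if any) the client actually holds."""
    prefix = prefix.upper()
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return {h[5:]: c for h, c in corpus.items() if h.startswith(prefix)}


def breach_count(password: str, corpus: dict[str, int] = BREACH_CORPUS) -> int:
    """Number of times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    candidates = range_lookup(prefix, corpus)
    return candidates.get(suffix, 0)


def evaluate_new_password(password: str, corpus: dict[str, int] = BREACH_CORPUS) -> tuple[str, int]:
    """Policy decision at password-set time: reject anything seen in a breach.
    Returns (decision, count) so the caller can log the reason."""
    count = breach_count(password, corpus)
    if count > 0:
        return ("reject", count)
    return ("accept", 0)


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "correct horse battery staple"):
        decision, seen = evaluate_new_password(candidate)
        print(f"{candidate!r}: {decision} (seen {seen} time(s) in breach corpus)")
```

The useful property for the "same password everywhere" problem is that the check happens at the point where a human chooses the password, so a credential already circulating from someone else's breach is refused before it can be reused against your own accounts. Pair it with a rate limit on login failures and the remaining exposure is the one the post describes: a user who hands over a fresh, unique password to a convincing lure.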
At this point you could argue that once logic is applied there isn’t actually a paradox at all; it just seems that way until you look a bit deeper. That would be a valid argument to espouse, but cut us some slack here – The Information Security Paradox – makes a great title!
So, the rather obvious solution here is a two-pronged one: secure your systems with best-of-breed security solutions and secure your users with best-of-breed information security awareness training and education. One without the other is an absolute false economy.
Talking about false economies, user awareness training needs to be comprehensive, not just a tick-box exercise. Just as you wouldn’t install the latest anti-virus without keeping your patches up to date, you shouldn’t deliver InfoSec awareness eLearning to your staff without first making sure they understand the need for it.
Here at Risk Crew we have over 15 years of experience designing and delivering total information security awareness programmes to clients. We call our programme eRiskology™, and it comprises four pathways. Firstly, you Inspire them with 90-minute on-site workshops, then you Empower them with eLearning, then you Engage them with a constant flow of related multimedia messaging, all the while measuring their behavioural change with quizzes, surveys and social-engineering-based simulated tests.