Have you heard about the French Paradox? No?
Across the pond, our French neighbours enjoy a diet full of rich and cheesy saturated fats, whilst simultaneously experiencing relatively lower levels of coronary heart disease.
This goes against conventional medical convention that suggests higher levels of saturated fats in a diet should result in higher rates of heart disease. It’s interesting, perplexing and a bit a frustrating – especially if you’re not French!
What has this got to do with Information Security?
Absolutely nothing apart from being a paradox in play – real or perceived.
It’s well known that where information breaches are concerned, the human element plays a part in somewhere between 70-80% of them – through either mistake or ignorance. What we find frustrating here at Risk Crew (apart from the rich cheese thing) is that whilst organisations seem happy to spend large amounts of money on software security solutions they seem less inclined to invest in what is arguably the most vulnerable and attacked element of their cyber and information defences – us humans.
This is where the paradox comes in
The harder you make it via software for malicious actors to breach your system the more pressure you then put on your users, whilst paradoxically your users are feeling more secure, because IT has just told them about the new, state-of-the-art, expensive security software solution they have installed.
A simple example being software that recognises, and intercepts spoofed email addresses. It’s now harder for attackers to spoof an email from your Finance Director, requesting an urgent payment to one of your suppliers. One of two things will likely to happen at this point:
- The attacker will move on to another easier target — great (for you) but certainly not guaranteed.
- The attacker will look at another way of getting that email through — instead of spoofing an email, why not send it from the genuine account? This way it’s almost certain to get through any software-based security validation. How do they do it? Easy! They trick the human into giving away their credentials. Or, as it’s been happening lately, hackers access repositories of previously compromised accounts on the dark web and prey on the victims who use the same password across multiple accounts.
You could argue that once the logic is applied, then there isn’t actually a paradox in place, it just seems there is until you look a bit deeper. And that would be a valid argument to espouse, but cut us some slack here — The Information Security Paradox – makes a great title!
The Solution: Secure your systems and your users
The obvious solution here is a two-pronged one. Secure your systems with best of breed security solutions and secure your users with best of breed information security awareness training and education. One without the other is an absolute false economy.
Talking about false economies, user awareness training needs to be comprehensive, not just a tick box exercise. Just like you wouldn’t install the latest anti-virus without keeping your patches up-to-date so you shouldn’t deliver InfoSec Awareness eLearning to your staff without first making sure they understand the need for it in the first place.
At Risk Crew, we have over 18 years of designing and delivering total information security awareness programme — eRiskology™ comprised of four dynamic pathways – Inspire, Empower, Engage and Measure.
Learn more here