Why people are the key to cybersecurity
Cybersecurity is one of the great issues of our time. As organisations have become increasingly dependent on computer and data communication technology, the opportunity for thieves has grown. Couple that with the lack of national boundaries in cyberspace and the relatively low probability of being caught and the risk/reward ratio makes cybercrime much more attractive than taking a sawn-off shotgun into a bank. The “attack surface” grows all the time. By 2020, it is estimated there will be 4 billion people online and the Internet of Things will be up and running, interconnecting 26 billion internet enabled devices and thereby allowing a thief who can find an entry point to jump from device to device. There is also no sign of this growth of complexity ever stopping, so the opportunities for cyber-thieves will only increase.
Organisations are getting better at protecting themselves. Software updates are usually implemented quickly or automatically now, so vulnerabilities are blocked before the attacker can exploit them. Vulnerabilities usually occur because different modules within a large software system are written by multiple coders, with differing habits. No matter how well specified and tested the modules are, there will always be slight variations in the way things work because each person does things slightly differently. It is these small differences the thief is looking for.
Firewalls are better than they were. Most people have enough awareness to know they are exposed if they are not behind a firewall and most people have enough sense to run anti-virus software and keep it updated. Simple attacks are therefore mostly blocked by technology. A reasonable guess is that 99 per cent of attacks are blocked before they do any harm. But that would still leave one per cent of a large number that do get through. It is clear that technology alone cannot defeat cyber-thieves.
The cyber weakness
Thieves always turn to the greatest source of weakness – people. People are inconsistent. Some care about protecting themselves online, while others do not realise the dangers which exist. Some are cautious about opening email attachments; some are not, and often live to regret it. A thief can exploit these inconsistencies and weaknesses. Business policies do not help: when performance is measured on things like sales numbers, hitting deadlines and cost savings, there are rarely employee incentives for strong cybersecurity.
Outside the office, people are careless online in ways they would never be elsewhere. Social networks create digital footprints which are often impossible to remove or improve once they exist. It is not difficult for a researcher to move from reading Facebook personal information to researching the same person on LinkedIn to find their professional profile, then to find their colleagues and find a way in, perhaps by emulating a colleague. Indeed, some people do this for a living, researching likely targets, finding all their personal details, before selling that profile, together with all the supporting information, on the dark web to criminals who will use it to steal from the person or their employer.
So how should an organisation approach the soft, people issues involved in cybersecurity? Perhaps the first recognition businesses should make is that people do not listen, do not pay attention and often simply do not do what they are told even when they do listen and understand. The ability to influence and persuade is more important than the ability to write procedures. Unfortunately, the soft human resources and psychology skills needed to approach the issue in this way are often not the skills possessed by the people responsible for cybersecurity.
Cybersecurity is generally seen as a part of the IT department. As such, it attracts IT professionals who understand and analyse issues before writing procedures to address them, but lack the necessary skills to train and persuade the professionals on the front line. Mandating does not work, but it is the way most organisations deal with the issue.
Time to take a stand
Cybersecurity often gets lost in the shuffle. Most organisations have poor management and auditing practices, weak or non-existent personal risk assessments and pre-employment screening. Simultaneously, communication between the arm of the business responsible for cybersecurity and the workforce is almost non-existent. Many managers regard cybersecurity as a nuisance they have to deal with, taking time away from what really matters in achieving their objectives.
It can be hard to generate a truly beneficial interaction between the people responsible for IT security and the rest of the organisation. People often do not like being told what to do, even when they listen. Relationships take a long time to develop and need a lot of nurturing but employees will respond and contribute if they are treated like adults and persuaded to build a culture of online security awareness. The key is developing everyday practices that help people feel secure online and, over time, developing a culture in which people implement those practices without resentment and without thinking about them.
Sean Paxton is Product Manager of Networks at Redcentric
GfK and VMware: Innovating together on hybrid cloud
GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.
In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade.
“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.
Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.
By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.
One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.
“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.
Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs.
“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.
The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment.
The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.
One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.
“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.
“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client.
“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”