Valeri (Val) Loukine is a Cyber Security Evangelist, a member of the office of the CTO with Check Point Software Technologies, a blogger, a world traveler, and a biker.
With more than 20 years in Information Security, Val helps hundreds of customers around the globe to overcome security challenges, counter threats, and build efficient cyber security architecture. Since 2018, Val has been leading the Check Point CheckMates community activities in EMEA and APAC.
How much risk do humans really introduce into cyber ecosystems?
VAL: By far, humans are the weakest link in cyber security. There are multiple reasons for that: cultural, educational, and even psychological. In modern society, we are using modern technologies without thinking of the implications. For example, with motorized vehicles, one needs to be trained and to pass a test in order to drive a car or to ride a motorcycle.
With computers, networking and the Internet, we do not have to do any of that. We are allowed to play with them and to use them as we see fit, mostly without any substantial training.
The more intuitive and simple are our gadgets, laptops, phones, smart homes, and voice assistants, the less we are contemplating the implications of using them, and even less are we thinking about ways those tools can be turned against us.
As a result, cybercrime is a multi-billion dollar industry, with lots of serious players and established exploitation techniques.
We are facing tremendous numbers of threats, with the most sophisticated multi-stage attacks on all aspects of our life: personal data, finance, health, industry, education and social structures. Yet, most of us behave with complete ignorance towards the matter, refusing to acknowledge the magnitude of the issues.
Each cyberattack, however complex, always starts with the search for the weakest link, and humans are unfortunately the weakest one of all. It is common for criminals to start exploitations with preying on human nature, by gaining trust, creating a sense of urgency, or posing as an authority, thus pushing a victim to perform an action that would allow intruders to get behind security barriers, bypass the first line of defense, get sensitive data, user credentials, etc. Once the first step is done, various technologies can be used, depending on the nature of the attacker, intentions and goals.
How can we develop a more security-focused culture?
VAL: Education is the key, on all levels. We teach our children not to talk to strangers, not to accept gifts and not to get in a car with people they do not know. We need to teach both kids and adults to be vigilant and cautious around cyber tools we use.
Look at the coronavirus measures around us. Governments, authorities and health organizations are spreading documents, videos, leaflets and notes about maintaining hygiene. We are told to cover our faces with masks, maintain social distancing and wash our hands often and thoroughly. Although these measures do not provide 100% protection, they significantly reduce the risk of exposure and spread of infection.
The same should be done for cyber security. Education, trainings, the promotion of healthy cyber hygiene – those measures are essential to combat the public ignorance of the matter, and to raise the level of awareness.
And since governments, educational institutions and public authorities are not doing nearly enough (if anything) in this regard, the burden of spreading the word, helping individuals, societies and organizations to gain the required knowledge is on us, security professionals.
This applies to all levels of expertise and responsibilities, from a security admin associate to a CISO.
What business benefits will executives see by organizing cyber security awareness trainings?
VAL: It is important to note that security awareness is a proactive, not reactive, measure. It cannot replace technological security tools; it should be part of the whole cyber security package, limiting potential breach points and addressing the human factor in the overall cyber security posture.
That said, security awareness measures actually fit quite well in the risk management paradigm I mentioned earlier. They reduce exposure and risk factors, hence limiting potential damage, financial, reputational and otherwise, as a result of a cyber security incident. According to recent research, an average security accident costs about 4 million dollars, and in the USA the number can be above $8 million. That should be taken into account when planning security spending.
Did you find this interview informative? Stay tuned for part two, which will be published on Cyber Talk next week.