Yegor Aushev: How to act and overcome the cybersecurity threats in 2022
Yegor Aushev, co-author of several international working papers on legislative cybersecurity reforms in Ukraine and a speaker at over 70 international and Ukrainian cybersecurity conferences, gave the Intersec talk “Critical Infrastructure Trends in 2022: Assessing the Human Factor”, in which he:
1) described the human factor problem in 2022 based on our experience
2) discussed solutions, in particular how we are working to solve the problem in Ukraine and in various countries
3) talked about actions to take and things you should consider in your organizations
Let’s look at the key points.
What is the problem?
- Investment in technology has been growing exponentially, and while it helps make organizations safer, it solves only a small part of the problem. Technology failures account for only 25-30% of breaches.
- The biggest issue is, and will continue to be, the human factor: in our experience, people, processes, and organizational failures cause 70%+ of breaches.
- Phishing accounts for 90% of breaches; attacking the human factor is simply the cheapest and most effective route for attackers.
- The cost of breaches and the cost of technology will both increase, so investing more in the human factor is the answer.
The problem of the human factor has been going on for a long time and is nowhere near being fixed. An example is the 2015 Ukrainian grid blackout, which affected 230 000+ people. The attack began with a wide-ranging phishing campaign against employees of the affected organizations. Unfortunately, this type of attack has succeeded in new forms over and over again.
Technology can only partially stop it. There is a big investment gap in the human factor in terms of skill, knowledge, awareness, and preparedness.
Human factor attacks rely on the skill of the attackers and on the unpreparedness and under-investment of the target organizations and individuals.
- New variants of phishing attacks, data loss, etc. will accelerate in 2022.
- Technology, AI, and automation will help, but new attack variants are created rapidly, and attackers use their superior skill to cause damage.
The direction for 2022
We have created a proven and simple continuous learning process which, when applied consistently, brings excellent results.
- First, organizations need to create formal coaching and mentoring. Today, organizations rarely have anyone responsible for this: HR is not suited to it, and CIOs often focus on other issues and priorities.
- Second, both attack and defense must be taught and practiced. When armies buy weapons, they practice with them. In cyber security, it is important to understand the techniques and to think like your enemies.
- Third, it is important to measure the results immediately and often. It is also recommended to create competitions and build a competitive spirit by facing outside teams and measuring oneself against external competitors.
In 2021, we worked with 7 governments and 35+ national agencies, ministries, and state enterprises, created programs for 800+ senior executives and IT experts, and engaged more than 1500 members of security communities.
These numbers will grow in 2022, and the results, effectiveness, and satisfaction with this process and these programs are undeniable. We recommend that everyone, at the very least, invest in the human factor as much as in technology, because the results are immediate and measurable.
Act and overcome challenges in 2022
- Your security maturity does not guarantee any defense.
- Selected employees need to learn and practice ethical hacking: it is crucial to learn how to think like an attacker.
- It is critical to avoid silos: the entire employee base should be engaged.
- Formal coaching and mentorship are crucial: organizations need formal roles and support systems to drive the growth of human capabilities and basic security awareness in all employees.