The culture of cybersecurity has been training its weapons in the wrong direction, according to Dr. Arun Vishwanath, the chief technologist at Avant Research Group and a former professor at the University at Buffalo. While ransomware, spearphishers, and general hackers all need to be combatted, MSPs also need to take a closer look at whom they are managing. SmarterMSP caught up with Dr Vishwanath for a conversation about his thoughts concerning the state of cybersecurity today.
The first line of defense for most MSPs is their suite of security products and training, like penetration testing. However, most cybersecurity products are aimed at throwing as much technology as possible at bad actors. Yet, Vishwanath has made waves and grabbed headlines by positing that humans are both part of the problem AND part of the solution when it comes to clamping down on hacking.
“We have the day to day vendor model where the products are dealing with technology and trying to cut out the humans. Vendors see users as an irritant instead as part of the solution. Money is going to try to play the “Big Brother” role and try to make the user as minimal as possible. That is the unfortunate reality,” states Vishwanath. Security solutions are better than nothing, but they can’t address all risk factors, such as human vulnerability .
Complement security tools with user analysis
To help combat the issue of user vulnerability, Vishwanath developed the Suspicion, Cognition, and Automaticity Model (SCAM) model. The model explores what motivates a user’s email habits and their methods of processing information. Many users, Vishwanath says, make snap judgments concerning an email’s content.
The SCAM model explains what contributes to the origin of suspicion by accounting for a user’s email habits and two ways of processing information: heuristics, or thumb rules that lead to snap judgments about a message’s content; and a more in-depth, systematic processing about an email’s content.
“Once we understand why certain people fall for attacks, we can target them with the appropriate training and education,” Vishwanath explains, adding that, “People use mental shortcuts based on triggers in their environment.”
Ignoring the end user
Vishwanath says the most significant vulnerability in the whole ecosystem is the user, but it can also be its most powerful protector. Most products ignore the latter. Vishwanath describes the paradox in an article he wrote for CNN:
“Ignoring the end-user is akin to putting better locks on a safe, while forgetting all the many people who have its keys. In other words, it is a huge problem.”
One size doesn’t fit all
Companies can put their employees through all sorts of pen testing drills, but none get to the root of why someone falls for a phishing email in the first place.
“Penetration (pen)testing doesn’t tell you why a person failed, and we are trying to come up with one-size fits all answer. That approach will run out of steam,” predicts Vishwanath.
Instead, he advocates a qualitative scoring method which gives a person a “cyber hygiene” score.
“We don’t give everyone a credit card,” Vishwanath says, comparing a scoring method to that of a credit score. Vishwanath has worked with federal agencies and companies in implementing his scoring model and seen tangible improvement.
Security is still primarily designed around the old concept of people working statically in officers on old, clunky 1970s desktop mainframes. The reality is, many professionals are working from home, Starbucks, or the train station on networks where security may be questionable. People are also bringing devices of all sorts into the offices.
“The security cycle is too slow to keep up,” explains Vishwanath.
It only takes one
“When you look at the hard data, you are still getting 20 percent hit rate, which is too high because it only takes one for the hackers to be successful,” notes Vishwanath. He observed that employees often suffer from pen testing fatigue or they learn to recognize which emails are pen tests.
Lastly, Vishwanath advocates that better access protocols are needed.
“Today, we are giving access based on function, not tech risk, and that is a pretty flawed process.” He supports a system where administrative access is based on a qualitative assessment which scores someone’s cyber hygiene between zero and one hundred. To determine the scoring for the system, Vishwanath has put together a 40-question survey to better define someone’s cyber risk.
Knowing whom you manage
MSPs are in the people business as much as they are in the technology business. That is where a holistic view could be one of your most potent cybersecurity tools.
“In my conversations with MSPs, you are looking at management without understanding whom you are managing. If you know who you are managing you will manage better,” explains Vishwanath. Therefore, an MSP needs to both determine what security weapons to deploy and which enterprise employees need the most monitoring.
“The model right now is ‘let’s watch everyone’ and that doesn’t work. If you want to come up with a smarter system, you need intelligence about the user,” details Vishwanath.
Humans are the biggest threat area, because they are the largest, most exposed surface. Until such cyber hygiene scores become the norm, MSPs need to keep drilling down on educating employees about the dangers of phishing.
“These things move slowly. Hopefully in five years we’ll be doing things better,’ Vishwanath says.
Photo: fizkes / Shutterstock
