    Cybersecurity ‘Tipping Point’

    Moving from defense to offense in the cybersecurity battle

    Posted on 11-02-2021,   Read Time: Min

    A tipping point is generally defined as “the critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place”1. Reaching the tipping point for cybersecurity is critical to moving from defense to offense in order to protect data and privacy.

    As a clarification, this article separates tipping points between technology and human behavior. Technology appears to be reaching a tipping point, while human cybersecurity engagement is lagging and does not appear to be nearing a tipping point. A coordinated effort between legal, compliance, HR and IT will be needed to implement ‘zero trust’.

    A significant challenge will be to bring third-party service companies under the zero trust umbrella. The following three actions support the position that cyber security is nearing a tipping point.
     
    • FY17 National Defense Authorization Act inclusion of zero trust network environments (herein referred to as, “Zero Trust”)2
    • CyberAcuView established by 7 of the largest cyber security insurance companies
    • Cumulative impact of recent private sector communications and training in cybersecurity awareness

    In response to the cybersecurity presidential order of May 12, 2021, zero trust was included as part of the FY17 National Defense Authorization Act (NDAA). Washington hearings were held in early 2021 where cybersecurity witnesses and experts identified 7 pillars applicable to zero trust.
     
    1. Securing users
    2. Applications
    3. Devices
    4. Data
    5. Network/Infrastructure
    6. Visibility and Analytics
    7. Automation and Orchestration

    The Defense Information Systems Agency (DISA) is a driving enabler of Comply-to-Connect (C2C), providing the tools and training for implementing C2C throughout the DoD3. Within DISA, C2C aims to “establish a framework of tools and technologies operating throughout the network infrastructure…with C2C being deployed in 5 increments: 1) discover and identify; 2) interrogate; 3) auto-remediate; 4) authorize connection; 5) situational awareness and enforcement”.4

    The zero trust tipping point sets the stage, and in fact the requirement, for the human layer of cybersecurity to move more quickly to its tipping point. Cybersecurity training has raised users’ awareness, but too often users are not staying engaged. It is worth noting that zero trust will be adopted sooner and more effectively by larger organizations because they have more resources and technology. This will put additional pressure on SMBs to have a robust user cybersecurity awareness program.

    Many SMBs have a history of ‘break and fix’, but with the evolving cyber threat environment, SMBs will need to implement stronger cybersecurity policies and strategies. SMBs that seek cybersecurity insurance with ransomware coverage could encounter pushback from insurance companies if strong cybersecurity policies are not adopted and enforced. Earlier this year 7 of the largest cyber insurers formed CyberAcuView to help them gain a better understanding of cyber risk exposures5.

    The founding companies are AIG, AXIS, Beazley, Chubb, The Hartford, Liberty Mutual Insurance, and Travelers. This is a members’ organization that encourages new carriers to join. Initial staffing includes industry heavyweights Mark Camillo, CEO, Jacob Ingerslev, Head of Global Cyber Risk and Monica Lindeen, Director of Regulatory Affairs.

    As referenced earlier, DoD’s zero trust endorsement, the formation of CyberAcuView and private/government resources for employee cybersecurity training have brought technology to a tipping point. Ericom recently reported results from its survey of 1,300 security and risk professionals and found 80% plan to implement zero trust security within the next 12 months6.

    The first of the 7 pillars is “Securing Users”, and C2C lists “Situational Awareness and Enforcement” as a key requirement for zero trust. Reviewing these two endpoint user requirements will help us understand the importance of employee cybersecurity engagement in supporting zero trust. Accelerating the human layer of cybersecurity will be needed to move from defense to offense in the cybersecurity battle.

    There is a large gap between the zeros and ones of technology and behavioral science. Of course, current training and awareness programs need to be supported and improved upon. There is no time to waste, so let’s get going with both big and small solutions. They all add up.

    This quote from Superman actor Christopher Reeve seems appropriate: “You play the hand you’re dealt. I think the game’s worthwhile”.

    While the technology side of the cybersecurity equation is nearing its tipping point, the ‘hand we’ve been dealt’ for users’ cybersecurity engagement is not at sustainable levels considering the risk horizon. Numerous surveys report a common user theme when asked about their attitudes toward cybersecurity: “It is a hindrance…they are more worried about meeting deadlines than exposing organizations to a data breach”7, as reported by HP Wolf Security in September 2021.

    Awareness training, media publicity and firsthand accounts of breached personal information have significantly increased cybersecurity awareness, but awareness without follow-through will not prevent data breaches. Research also indicates larger organizations, at the board level, have a much better grasp on the significance of cybersecurity risk exposures. Both the user awareness and board-level understanding of cybersecurity risks are positive developments.

    They provide an excellent foundation for continuing all across-the-board programs to increase user cybersecurity engagement. Small and medium-sized businesses (SMB) are laggards due to resources and other operational priorities. This gap between larger organizations and SMBs for cyber security increases SMB’s exposure to ransomware and disruptions to ongoing operations.  

    Achieving sustained user cybersecurity engagement is critical because cybercriminals are constantly probing for new ways to gain access to private data. The path to reaching the tipping point for employee cybersecurity engagement will probably be achieved in small incremental steps and move slower than we want. One significant obstacle was identified by Ian Pratt, Global Head of Security for Personal Systems, HP, Inc., with these observations: “If security is too cumbersome and weighs people down, then they will find a way around it. Instead, security should fit as much as possible into existing working patterns and flows, with technology that is unobtrusive, secure-by-design and user-intuitive…” A demographic insight from the HP Wolf Security report was, “54% of 18-24-year-old endpoint users were more worried about meeting deadlines than exposing their organization to a data breach”8.

    These results coincide with other reporting that security policies are ignored or worked around because users believe security procedures slow them down. The perception that security slows productivity must be addressed as reality because, as Lee Atwater, the 1980s political consultant, famously said, “perception is reality”.

    Numerous behavioral reports support the position that empowered employees are significantly more open to being engaged employees. This is why empowering users in the cybersecurity battle is vital. Empowering users within existing working patterns, as referenced above in the HP report, will also strengthen user engagement.

    When user and IT barriers are knocked down, users generally become more open to changing work requirements and stop perceiving them as hindrances. As for cybersecurity communication nudges, the nudge messages must be clear and repeated all year long, not only during training.

    In conclusion, zero trust and strong international government actions have moved technology to a tipping point for future offensive cybersecurity actions. Large organizations will lead the way with SMBs following more slowly. Knocking down user/IT barriers will open the door to empowering endpoint users in the cybersecurity battle. Routine cybersecurity nudge messages within the routine workflow will move users to be more fully engaged in cybersecurity.  

    Notes
    1. Merriam-Webster
    2. President’s Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021
    3. Real Clear Defense, February 11, 2021
    4. Defense Information Systems Agency (DISA), Comply-to-Connect; FY 2017 National Defense Authorization Act (NDAA)
    5. 7 Major Cyber Insurers Form Company to Coordinate Cyber Analysis, Risk Mitigation, Insurance Journal, June 21, 2021
    6. Many Businesses Are Rushing To Adopt Zero Trust Policies, ITProPortal, October 18, 2021
    7. New Cybersecurity Report from HP Reveals 91% of IT Teams Feel Pressure to Compromise Security, GLOBE NEWSWIRE, September 9, 2021
    8. Cybersecurity training is broken—It’s time to consider Human Risk Management, Forbes, October 14, 2021

    Author Bio

    Charles Wood is the Founder and Managing Partner of My-SecureID LLC.
    Visit https://www.my-secureid.com/

    This article was published in the following issue:
    November 2021 HR Legal & Compliance Excellence
