Just last month, Verizon’s Data Breach Investigations Report (DBIR) noted that people are still the most common weak point in any security effort, with 82% of data breaches involving a human element. The common refrain when faced with stats like this is that we have to train employees better. And that’s true.
But security firms are also getting more aggressive about trying to make security more relevant to people inside organizations that aren’t actual IT staff or security analysts. I think this is a trend we should both embrace and encourage.
Greg Murphy, CEO of Ordr, which recently raised $40 million for its cybersecurity software, told me that this year his company added new personas to the software to help people in other organizations use it. Ordr’s software identifies each device on an IT network and monitors it for “strange” behavior, then can quarantine or follow other mitigation rules.
By integrating Ordr’s security product with software such as asset databases, vulnerability services, and network software, customers can practice good security hygiene while also helping meet business goals — a big sell when asking strapped customers such as hospitals or public governments to shell out for security software.
For example, in hospital settings, a facilities manager can now see a dashboard that shows various security cameras or safety equipment, flagging any recent vulnerabilities that might require an employee to physically update or remove a device. A clinic manager might get a dashboard that ties into an asset database to help track which devices are actually on the network and being used. This is a good security practice, but it also could result in savings if, for example, a company finds it is paying for a device that isn’t being used, or learns promptly when devices go missing.
Sure, the cynic in me says this just makes sense, because the more people in an organization that get value from your software the more likely it is that the organization will continue to pay for the software. But it also turns employees into an extension of that organization’s security team. Murphy said he’s found that IT must branch out and bring other employees in to fill any security gaps. “It’s critical to get that type of buy-in, and to do that there has to be a benefit, such as making it a heck of a lot easier to get an automated inventory,” he told me.
Ordr isn’t alone in trying to make security more relevant to other employees in an organization. Infosec Institute, a cybersecurity training company, has announced new training regimes aimed at non-security personnel inside organizations. The company has created a survey for organizations that tests all of their employees on basic cybersecurity principles, which seems on par with current tactics such as trying to send out random fake phishing emails to “educate” employees about how to avoid downloading malware.
But it has also created a “Choose Your Own Adventure”-style game that walks employees through different security scenarios. This isn’t exactly the same as providing business value through a security platform, as Ordr is doing, but it is an indication that old-style employee training isn’t working and that companies are trying hard to find alternatives to secure those weak links.
We’ll have to wait and see if next year’s DBIR shows a reduction in employees helping bad actors infiltrate corporate networks. We have to do something.