People are the greatest security vulnerability

The world of cyber-security is strewn with examples of major security vulnerabilities, many of which have led to costly and embarrassing security breaches.

But where is the greatest security vulnerability, what has caused the vast majority of security breaches and where do we really need to focus our attention?

There is one very simple answer: people!

The greatest security vulnerability is in the seat-keyboard interface, the wet-ware, the carbon-based life forms; it is not the silicon-based technology.

People do the work

People design, build, code, test, implement and support technical solutions.

People also operate businesses, handle data and define the policies and procedures that should be followed when handling data.

The problem is that people make mistakes: they are prone to lapses in judgement, accidents and simple errors. They are also very much in the habit of making assumptions about things, many of which are based on false or inaccurate beliefs and “facts”.

How do we plug this vulnerability?

At this point many will fall back on technology to govern behaviour and reduce risk. And this is a valid argument up to a point. After all, technology can be a great tool for enhancing security and enforcing governance and compliance.

But it is only a tool. It is only as good as the people who designed, implemented, tested and now use and support it. So we’re back to square one.

Security education is key

In my opinion there is a vital step that is often overlooked in favour of shiny technical solutions.

That is education. Teach people how to design, build and test secure solutions. Teach people how to support and operate your infrastructure securely. Teach people how to follow processes and procedures.

But not only that, teach people why security is important, show them what can happen when it fails, help them respond to issues and enable them to suggest improvements or report problems.

And while you’re educating them remember to test them! Test their knowledge, test how they react under pressure and test their willingness to maintain security.

Finally, make this whole process something that is continuous within your organisation. Do it from the top down and build it into the very fabric of the business – create a “culture of security”!