Date: 2023-05-05

When it comes to protecting against cyber threats, the importance of the human element can’t be overstated. Human security is growing in importance to cybersecurity professionals who are noticing attackers increasingly focusing on social engineering as a means to access internal systems.

On April 5, RSA 2023 Advisory Board members Wade Baker, Virginia Tech professor and co-founder of Cyentia Institute, and Caroline Wong, chief strategy officer at Cobalt, delivered remarks during a roundtable discussion on human security.

Here are some of Baker and Wong’s comments on human security. You can watch the full replay of the conversation here.

These remarks have been edited and condensed for readability.

Caroline Wong:

In 1969, some really brilliant folks at UCLA and Stanford and a couple of other universities were like, “Hey, what if we shared computing power? And what if we could actually share this information with each other?” Fast-forward to 1985, the National Science Foundation says, “We’re gonna make this thing called NSFNET and it’s going to be this network of scientific computers and all these scientists.” What’s the worst that could happen? It’s literally scientists who are studying the atmosphere, and its interactions with the oceans, land, and sun.

Here we are, in the year 2023. And in my life, and in the life of my children, and in the life of my in-laws, I am connected to the internet all the time. The internet was never built to be secure. The software that we write and that we use, there’s nothing making it secure unless we decide to do things like look for security vulnerabilities, find security vulnerabilities, [and] fix security vulnerabilities.

Wade Baker:

I can remember 15 or more years ago, when we were looking at that, I really felt there was an overwhelming ‘the users are the problem’ mentality. Oh, these stupid people doing dumb things all the time. That’s why security is bad. That has thankfully evolved to a much more positive direction over the intervening years.

I try to always emphasize that, yes, humans are a risk. They do things that put data at risk and allow threats to take place and create vulnerabilities. But they’re also a huge, huge asset that needs to be protected, encouraged, and invested in.

A stat that has always stuck in my mind, even though I first saw it many, many years ago, is when we looked at how data breaches were discovered—this was pretty early years—humans were the ones that found them most often, more than the technology and the product, because they saw something weird happening and they investigated it. Lo and behold, there’s an event.

Wong:

The first ransomware attack happened when I was six years old. There was this screen—“Hey, can you mail $189 to this PO box in Panama?” Then in the last couple years, the average ransomware payment is like half a million dollars.

The thing about something like ransomware is, if an organization actually has an up-to-date inventory of their assets, if they’re actually looking for and fixing vulnerabilities, if they are doing backups and making sure those backups work—they are actually relatively immune to ransomware. But I don’t know of any high-growth, hot startup company who’s going to say, “2023 is going to be the year we make sure that our backups work.”