Tools such as endpoint detection, anti-malware software, and firewalls play a vital role in protecting from the diversity of cyber threats businesses face today. However, for those tools to work, they need to be properly installed, configured, and updated by people. When considering the human factors of cybersecurity, we often think of social engineering scams. But equally as important is managing human errors. In fact, this form of human risk was exactly what led to the massive Colonial Pipeline ransomware attack earlier this year.
Human risk involves not just what we do, but also what we don’t do. This was the case with the colonial pipeline attack. In June, the CEO of Colonial Pipeline, Joseph Blount, told a Senate Committee that the attack was caused by unauthorized accessed to a virtual private network (VPN) the company had once used and that did not have multi-factor authentication (MFA). MFA is a tool that requires users to verify their login through a second means, such as a text message or email that contains a unique code. Because this VPN did not use MFA, that extra layer of security was missing and the hackers got in unnoticed. The real kicker, however, is that Colonial Pipeline was already using a new VPN with more security features. However, the legacy VPN was still installed on Colonial Pipeline’s systems. According to Blount, the VPN the hackers accessed “was not intended to be in use.” The ransomware attack was therefore a result of someone within Colonial Pipeline neglecting to take the old VPN off of the company’s servers.
Risk, no matter the form, is the result of habits and behaviors. In order to address these issues, we need to create healthy, sustainable habits that limit human risks. They say old habits die hard but creating sustained change is possible if these three elements come together:
1. Keep it simple
When trying to create new behaviors for your employees, it’s vital to break things down into small pieces. Asking questions like “What behaviors do I want to do that will mitigate risk” is a good place to start, but once you have a list, choose one behavior and focus on that. The reason is that people are more likely to do something consistently if it’s simple and easy to do. By focusing on one behavior at a time, your staff is far more likely to follow through than if you give them a whole list of changes you want them to make.
2. Use a prompt
The next part of the equation is creating a prompt that alerts your employee to do the behavior you are designing for. This prompt can take any number of forms, like a scheduled email, a slack notification, or a checklist. When we have a habit, we aren’t actively thinking about having to do it, so when you want to create a new habit prompts will break that automatic thinking and make room for them to incorporate the new behavior you want to see.
3. Provide positive feedback
Lastly, once the new behavior is accomplished, it’s important to follow up with some sort of positive feedback. This helps reinforce the importance of the behavior by helping your staff associate this new habit with a positive feeling, making it more likely they will follow through again in the future.
Using Colonial Pipeline as an example, applying these behavioral principles for their IT could have helped prevent the hackers from gaining access. First, someone in the leadership could have communicated to one member of IT and asked them to take an inventory of applications installed once a month and remove anything that is out of date or no longer in use. Then, a prompt such as a scheduled email could have been created to send to the employee on the first of every month. Finally, the employee could be sent a message thanking them for taking an inventory — they could even create a point or star system that helps employees tally the completed behaviors that Colonial was designing for.
Mitigating human risk is a central aspect of a business’s overall cybersecurity posture. And the key is to create new, healthy behaviors by putting in place a system that helps your employees form new habits in a way that’s simple and leaves them feeling successful.