From Alan’s Desk: Your Cybersecurity Frontline Is Your People, Not Your Technology


When most people think about cybersecurity, they think that the frontline of defense is technical. There’s an idea that protecting an organization’s network, data, and systems from bad actors is solely the purview of the cyber team. This perception conjures mental images of backroom Black Hat hackers trying to break into a network, and a network security team responding in real time to push them out and seal the breaches.

But every tech professional knows that hacking is nothing like it’s portrayed in the movies. It’s more than that. And the first line of defense for every organization isn’t a firewall or a zero-trust network strategy. It’s the people in the organization.

Consequently, by focusing too much on technology and not enough on training and organizational protection, many enterprise cyber defense strategies miss the mark and leave huge gaps in their network security.

Today’s Attack Surfaces Are Massive
One key reason for this is simply the scope of the modern attack surface. When you have five people working in one office and only two of them have networked computers, cybersecurity is more straightforward. But when you’re a company or government agency with 10,000+ employees, or even if you simply have some or all your staff working remotely, the attack surface is exponentially larger and protecting it becomes much more complicated.

Consider that simply by letting your staff work remotely, all their computers have become potential entryways or attack vectors into your network. When I bring this up during a training session, I often hear people say “oh, not to worry. I use a VPN.” Unfortunately, a VPN isn’t a silver bullet. It may hide your IP address, but that has little value if your computer is infected through your home network. And using a VPN at home means your level of malware protection is only as good as the least-secure computer on that network.

So, given this reality, it’s simply unrealistic to expect a tech team, no matter how large or skilled, to be able to protect all the potential attack surfaces of today’s enterprises by itself. Everyone in your organization must be involved.

Analog Hacking Is Real and Powerful
Another thing to keep in mind is that there are many ways to get at your data.

Today, where we all have supercomputers in our pockets and kids are as savvy with stranger-danger online as they are in person, it seems odd to imagine that you can effectively hack a network with a telephone.

But people continually underestimate the importance of analog security. By just going through a company website, a few social media platforms, and making a phone call to a company inquiring about a specific employee, you can get all kinds of sensitive data, from banking information to home addresses.

And we all tend to use passwords that are easy for computers to crack. Coming up with more complex passwords makes them harder to remember, and we tend to assume that if we haven’t been targeted in the past, then we’re safe. It wouldn’t take much of a brute force program to use the information collected from analog hacking to break into a lot of critical places, like a bank account, for one. And all these people represent potential pathways into your network, no matter how good your firewall is.
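The paragraph above makes a practical point: a password assembled from facts that are publicly discoverable (a name, an employer, a birth year, a pet) is weak regardless of how strong it looks on a character-class checklist. The following is an added Python example, not code from the article or from uOttawa PDI, showing how an organization's password-acceptance check can screen for exactly that: it normalizes both the candidate password and a set of profile-derived tokens (so "J@ne" and "Jane" match), rejects any password containing such a token or a known common password, and reports the naive character-set estimate alongside so the contrast is visible. The profile, the blocklist, and the leet-substitution table are constructed sample inputs.

```python
"""Profile-aware password screening (added example; constructed data).

A password that contains information an attacker could collect without
touching the network is rejected even when a naive strength estimate
would pass it.
"""
import math
import re
import unicodedata

# Constructed sample: facts that a company website, social media, or a
# single phone call could reveal about a hypothetical employee.
SAMPLE_PROFILE = {
    "name": "Jane Doe",
    "employer": "Acme Widgets",
    "birth_year": "1985",
    "pet": "Biscuit",
    "city": "Ottawa",
}

# Constructed mini-blocklist standing in for a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Common letter/digit substitutions, undone before comparison (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(s: str) -> str:
    """Lowercase, strip accents, undo leet substitutions, drop non-alphanumerics."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    s = s.lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def profile_tokens(profile: dict) -> dict:
    """Map each normalized profile word (length >= 3) back to its original spelling."""
    tokens = {}
    for value in profile.values():
        for word in re.split(r"\W+", str(value)):
            norm = normalize(word)
            if len(norm) >= 3 and norm not in tokens:
                tokens[norm] = word
    return tokens


def charset_bits(password: str) -> float:
    """Naive estimate: len * log2(alphabet size). Only meaningful for random
    passwords; used here as the optimistic figure a checklist would report."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def screen_password(password: str, profile: dict, min_length: int = 12) -> dict:
    """Return an accept/reject verdict with reasons.

    Rejected if too short, if it is a known common password, or if it contains
    any profile-derived token after normalization, whatever the naive bits say.
    """
    reasons = []
    norm = normalize(password)
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if norm in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    tokens = profile_tokens(profile)
    hits = sorted(orig for n, orig in tokens.items() if n in norm)
    if hits:
        reasons.append("contains personal info: " + ", ".join(hits))
    return {
        "accepted": not reasons,
        "naive_bits": round(charset_bits(password), 1),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for pw in ["Biscuit1985!", "J@neAcme2024", "P@ssw0rd",
               "correct-horse-battery-staple"]:
        print(pw, screen_password(pw, SAMPLE_PROFILE))
```

Run stand-alone, the script shows "Biscuit1985!" scoring around 79 naive bits yet being rejected because both the pet's name and the birth year are in it, while a long passphrase with no profile content is accepted. In a real deployment the profile tokens would come from the HR or directory record at enrollment time and the blocklist from a full breached-password corpus; the structure of the check stays the same.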

Think Like a Hacker to Protect Against Them
The important thing to understand is that cyber attackers are at least as sophisticated as the best engineers protecting your network. In the past, we focused on protecting assets by using locked doors, badges, and private, air-gapped networks. Today, we protect the network perimeter with controlled access and multi-factor authentication. And the future of cybersecurity is continuous adaptive technology. Adaptive AI is finding ways into networks that nobody has ever thought of, and that can’t reasonably be anticipated.

In other words, the job of securing networks is getting harder, not easier. And it’s becoming more important than ever to understand that network security starts well before your technology. Every person connected to your enterprise, either directly as an employee or indirectly as a client or collaborator, must be part of your cyber defense strategy.

This is why in the Information and Cybersecurity Systems course at the uOttawa Professional Development Institute, we teach not just the cyber defense paradigm but the whole structure of a cyberattack from start to finish. And we’re one of the few North American institutions to teach cybersecurity from this organizational perspective.

About the Author
Alan McCafferty is a Senior Business Analyst with 25+ years of progressive experience working with public organizations, not-for-profits, start-ups, and multi-national corporations. Educated in Canada, the USA and Europe in multiple disciplines including Engineering, Business, Risk Management, and Lean 6 Sigma, he is the author of more than 25 white papers and the recipient of the Canada Award for Excellence. During his career, Alan has led the delivery of multi-year, $1 billion+, mission-critical information technology projects. As a Cyber Security SME, Alan was key in the development of the University of Ottawa Professional Development Institute cyber security program and teaches several of the courses. Alan has successfully completed IT, Security, Process, Threat Risk Assessment (TRA), Privacy Impact Assessment (PIA), and health and safety projects for federal government departments, provincial healthcare organizations and national not-for-profit organizations. As a senior consultant, he uses his Lean 6 Sigma skills, along with his risk and security experience, to help organizations implement low-waste, effective lean processes in areas such as information security management systems, business continuity, department security plans, quality management systems, and health and safety management systems.

Are you looking to advance your skills or delve into the cybersecurity domain? Explore the opportunity to enhance your expertise by enrolling in one of uOttawa PDI’s information and cybersecurity management certificates. These programs cover areas such as risk management, protection techniques, threat assessments, and incident response. Elevate your proficiency and knowledge in this critical field. Learn more today.