Security is a complex, sociotechnical system. In simpler terms, it’s an interaction between technology, process and people. During the early days of technology, it was there to help people process information faster and more accurately. But technology never took over – we were always in charge and trusted to do the right thing.
So how have we got to a place where people can be mistrusted in security circles? And can we use AI to turn them from a security vulnerability into a security asset?
Humans are a vulnerable security link
To illustrate human fallibility, let’s think about passwords. We are all told that passwords have to be long, complex, random, and different. In a business environment we are also compelled to regularly change them, as the consensus is this helps security. But does it really?
There is no hard evidence that enforced password changing actually helps security. Its main effect is making passwords harder to remember. This pushes us towards very human coping strategies: choosing weaker (and therefore more memorable) passwords, reusing the same password across multiple applications, or keeping a written note nearby of which password goes with which application.
Why we fall for email phishing
When it comes to email phishing, one employee falling for a single phishing attack can lead to disaster. Businesses know this, so they’re still trying to train users to never, ever fall for phishing emails. The problem is this is impossible. And then when employees inevitably fail, they’re punished for making mistakes, only making things worse.
Modern phishing emails can be really hard to spot. You may be thinking “I could easily catch them!” Think about it realistically, though: how carefully do you check every email that turns up in your inbox during an average working day, especially when you have multiple other things on your mind at the same time?
The honest truth is nobody can promise to catch every single phishing email, every single time. Spear phishing emails can be highly targeted, containing accurate personal information in order to convince you they’re legitimate. Even when people have been trained to look for the signs of phishing, they can still be tricked into clicking malicious links or handing over sensitive information.
Training alone is not enough
We tell people to decide if they trust emails. What does that even mean? How many employees are really equipped with the right skills to read email headers and make a sensible decision on whether to trust them?
Phishing attacks are specifically designed to evoke emotional responses – cybercriminals want us to panic and react quickly. During training, we react slowly and rationally. It’s very difficult to train people to think their way out of situations where they’re not thinking rationally!
In all honesty, it’s simply not possible to immunise all users against every phishing attack. Punishing people for clicking bad links only hurts them, wastes time, costs money, and most importantly – it doesn’t solve the problem. We got to this position because we’ve spent years and years trying to fix people, when there’s a better path to take.
Make security work for people
People will often work around security restrictions that stop them getting their jobs done. This happens not out of malice but because security is getting in the way of their work. The fact that people want to get their jobs done is a good thing, and we should build on it! If security doesn’t work with people, it doesn’t work.
It’s worth remembering that people are the most important link in security. People can navigate our technology when it goes wrong, our processes when they are cumbersome and unhelpful, and our policies when they are long and impenetrable. Only people can handle all of this complexity, uncertainty and nuance, and make our businesses work.
Intelligent anti-phishing solutions
As security professionals, we need to think “people centric” all the time when implementing new systems or new procedures. We need to deliver intelligent security that works for people by playing to their strengths and helping them to reach their goals. This is where AI technology comes in.
The beauty of AI is that it doesn’t react with emotion. That’s why Egress Defend uses machine learning and natural language processing to assess every inbound email with complete objectivity. It works unobtrusively in the background to detect even the most sophisticated forms of phishing and alerts users in real time.
Empower your people to focus on being productive, rather than having to pore over every email for signs of phishing. Learn more about Egress Defend here, or secure yourself a no-strings-attached demo.