19th October 2015
Cyber Security Human Factor: Lessons from the Pentagon
A Harvard Business Review report “Cyber Security Human Factor Lessons from the Pentagon” says that the experience of the US military provides an object lesson for corporations on how to protect data and defend their networks.
According to the report, the US military, an obvious target for hackers of all shapes and sizes from around the globe, can
“detect and remedy intrusions within hours if not minutes, and from September 2014 to June 2015 alone it repelled more than 30 million known malicious attacks at the boundaries of its networks. Of the small number that did get through, few of them (0.1%) compromised systems in any way”.
The article concludes, entirely correctly, that given the sophistication of many of the US military’s cyber adversaries, this record is a significant achievement.
The thrust of the article is that, whilst technology is important, it is the human factor that must be concentrated upon, trained and improved in order to increase network security. The aim is to reduce the basic human errors that are at the root of most breaches: for example, individuals choosing weak passwords, or plugging USB drives that carry malware into secured desktop machines.
Technical improvements have also been achieved by simplifying and standardising the 15,000 networks that existed within the US Department of Defense in 2009 into a single unified architecture, known as the Joint Information Environment. Standardised systems are easier to secure consistently, since the same controls, monitoring and patching can be applied across the whole estate rather than to thousands of differently configured networks.
However, in simple terms, people matter more than technology, and the way corporations can best protect themselves from cyber intrusion is by creating a working environment and culture that recognises the importance of security and minimises risk.
The article draws comparisons with “high reliability organisations”, where the consequences of a single error can be catastrophic, such as air traffic control or the operators of nuclear power plants.
The consequences of not taking cyber security threats seriously are severe. In a 2014 study by the Ponemon Institute, the average annualised cost of cyber crime incurred by a benchmark sample of US companies was $12.7 million, a 96% increase in five years. Meanwhile, the time taken to resolve a cyber attack had increased by 33% on average, and the average cost of resolving a single attack totalled more than $1.6 million.
The article is thus a salutary warning to organisations of the consequences of neglecting to build a culture that recognises the importance of cyber security.