How to solve the human challenges of cybersecurity

To prevent cyberattacks, companies must invest in training and education, says Ray Rothrock, CEO of RedSeal.


The key to preventing cyberattacks, RedSeal CEO Ray Rothrock tells TechRepublic's Dan Patterson, is to invest in training and education. The following is an edited transcript of the interview.

Dan Patterson: Ray, let's start with the big question, how do we solve the human component of cybersecurity challenges?

Ray Rothrock: Well, thanks, Dan, for having me on. The human component, well, I don't know how we solve it other than through training and education. It should be as normal in a corporation or a business that we should all be aware of a certain amount of cyber hygiene, if you will. Some people hate that term, but it's actually quite accurate. It's just like cleaning your fingernails, and combing your hair, and brushing your teeth. You just got to be aware, and that self-awareness is hard to come by; some people don't have a lot of self-awareness when it comes to things. Their curiosity: they see this attachment in a very salacious email, and they'll click on it, and all of a sudden you're done for.

Verizon reports that 95% of all the successful exfiltrations start with a simple phishing attack. I got a cool piece of information: Benjamin Franklin in the Revolutionary War used phishing, as in writing letters and pretending to be other people in order to get certain actions out of folks. This has been going on for... actually, phishing goes all the way back to kings. The company I run, RedSeal, it's about the wax seal that a king used to put on a document; therefore it was official, the authority. Phishing is about looking like the authority but not being it, and causing you to do things.


We just need to train people, and we do it all the time. Also, companies need to have policies. Right? Let's say you fail a phishing test once, and I do it twice, and a third time and you fail it, well, you're hurting my business. It's like, "You don't know where to put the garbage, or you don't know how to keep the refrigerator clean, or whatever it is; you're hurting my business, so therefore I need to have a policy to deal with that." I know companies that have set up policies where, if you fail three times in a row, they can let you go, or demote you, or take your computer away from you, which, in this day and age, the digital age, is pretty tough.

Training is very important, and awareness is very important. It starts at the top; it's a cultural thing. Right? The CEO's got to know, the CEO's got to demonstrate that, the team's got to demonstrate that, all the way down to the troops. It's just forever.

Dan Patterson: I love the idea of responsibility. I'm a little sketchy about the idea of punitive actions because, as you know and I know, many of the victims of phishing attacks are executives, and I'm not sure they would be subject to the same type of "we will let you go if you continue to fail this." What do we do on an executive level, and a ground-troop level, to make sure that we are, at least with cyber resiliency, all on the same footing?

Ray Rothrock: That exact point... last week I was at Cyber Week in Israel, and that exact point came up: what do you do when the CEO violates, or the officer is a more critical asset, the human being is just in a position that you can't replace? Well, you have to somehow screen them. You can, in fact... there are technologies whereby you can contain it quickly in the event of a failure. You can actually do things about that from a technological point of view, but at the end of the day, you just have to sort of look them in the eye, and grab them by the hands, or don't let them touch their computer, or rip off all the attachments. I mean, you could send an email to them bald, right, without any hair on it, and just send it to them, and then they have to deal with it.

The other thing is being skeptical in the phishing area. It's like, if you're skeptical, don't answer it, just delete. If it's serious, they'll call you or they'll come back to you. That's the thing I tell an executive: especially if they really want your attention, they're gonna come at you again. Just, if it looks funny, delete it.
