CSO - Computers and mobile devices store, process and transfer highly valuable information. As a result, your organization most likely invests a great deal in protecting them. Protect the end point and you protect the information. Humans also store, process and transfer information -- people are in many ways are nothing more than another operating system, the Human OS.
Yet if you compare how much organizations invest in securing their computers versus how much effort they put into teaching employees how to safeguard information, you would be stunned at the difference. For example, organizations typically invest in the following resources to protect an end device:
Virtual private networks
Host-based prevention systems
Now go down that list and add up the cost for securing each computer. Then add support contracts, help desk phone calls, and how many full-time employees it takes to maintain all of this technology. You probably end up spending $100 or $200 a device.
Now, let's go through the exact same process for people. How much to secure each employee? Hear those crickets chirping? Your organization is most likely spending 20 to 50 times more on securing computers than on securing the Human OS, if it's working with those employees at all.
If finding the dollar amount for each computer is too complex, try a simpler metric. Count how many people you have on your information security team. Now, out of all those people, how many focus on securing technology and how many on securing the Human OS? You probably will end up with a very similar metric, something like 20-1 or 50-1. And organizations still wonder why the human is the weakest link.
Technology is important, and we must continue to invest in and protect it. However, eventually you hit a point of diminishing returns. We have to invest in securing the Human OS as well, or bad guys will continue to bypass all of our controls by simply compromising the human end-point.
Think of it in these terms: Fifteen years ago was the wild, wild West of hacking, the golden age of worms. Cyberattackers could easily compromise millions of systems by randomly scanning every system on the Internet and break into anything that was vulnerable, which was most systems in those days. We in the security community felt a great deal of pain and invested heavily in securing computers. Nowadays, computers come out of the box with firewalls, minimized services, automated patching and memory randomization. Fifteen years later, it has become much harder to compromise a computer.
But in those same fifteen years, what have we done for the Human OS? Nothing. As a result, the Human OS is still stuck in the days of Windows95, WinNT or Solaris 2.5. There is no firewall on by default, all the services are enabled, and this operating system is happy to share data with anyone that asks.
Until we begin to address the human problem, the bad guys will continue to have it easy.
Lance Spitzner is the training director for the SANS Institutes Securing the Human program.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts