Does Security Need More Humans?
The lack of humans isn’t the problem. It’s the lack of software that can look at systems in a human-like way. The software needs to be able to notice context and meaning the way a human would. You can teach a computer to do this, but it requires a very individual, custom implementation, which makes it very expensive. That, of course, means security is not advancing as fast as the IT security threats that are being developed to exploit systems.
Which Link Is Weaker–Humans or Applications?
People tend to think that if hackers attack an application, they will get something out of it. However, an application is usually the last place that will get attacked, because your IT security is strongest there. Applications probably have encryption, password hashing algorithms, and other security measures in place to fortify valuables. Instead, if you’re a hacker, you’ll find something that is softer, weaker, or more susceptible.
That means that hackers will go after less technical-minded individuals. They will go after members of accounting, legal or even the CEO.
Important people are, honestly, the worst. They’re the biggest targets. If you’re one of those people, you’re spending a lot of time learning how to run the operation and the intricacies of your business. You’re not looking at all the nitty-gritty of security the way a software developer or the security department might be. Yet these high-powered business people have a lot of access across the company, because they need access to run the business. Thus, if you want to make sure you’re protecting the company against security threats to the best of your ability, you need to make sure you’re educating the non-techies to the best of your ability.
Are Third-Party Solutions to IT Security Threats the Answer?
I’ve maintained for the past several years that canned security solutions do not do what people think they do. They do not look for new IT security threats to your system. They look for old threats that have been caught. You can have great protection for things that are known, but you’ll still get hit by that “new thing” which no one has discovered yet. That means that the custom stuff you pay a third party to set up is not going to protect you until that new thing is caught, everyone updates, and we eliminate that threat vector.
Even then, there is no guarantee that you’re protected, and that comes back to the human element again.
People don’t update stuff like they should. If you think about it, how many of your own programs have been prodding you to do updates on your computer lately? How many of them have you actually updated? Most people don’t update, which means that even the known security threats, for which there are solutions, are not seeing walls go up. This is why a lot of software will update automatically—without asking—which makes my life so much easier!
Even with an expert third-party solution, there is no way to make sure you’re entirely safe all the time. If you had multiple people managing your network, looking for threats at all times—which is unrealistic for small business budgeting of time and money—you’d still get hit with something. You’d just try to catch it and limit its reach as fast as possible.
What Can We Do?
The only real solution is making sure that you limit access to those people who absolutely need it. A lot of times businesses allow employees access to things that they really do not need to access. They do it because of the convenience factor, or because they think that a high-powered member of the company may have need of it at some point. And, they don’t want that high-powered person to have to ask for access to something that they’re above. But, again, it is the unlimited access that makes them such good targets, and why it’s doubly important to make sure their access is controlled.
The good news is that I was just at a local college where they were talking about implementing a program that deals with security specifically. I’ve heard that there will be a 20% increase over the next several years in the demand for security professionals. So, another way you could look at this shifting landscape in IT security is, it’s creating a lot of job opportunities for those people interested in the IT security industry.