Big data has yielded important insights into a number of facets of modern organizational functions. One of the areas that has been shaped by big data is cybersecurity.
We have talked about the importance of using big data to strengthen cybersecurity by creating more robust defenses. However, there are also less direct reasons that big data can be important for stopping cyberattacks. One benefit of data-driven cybersecurity is that organizations can have a better understanding of the types of attacks that are successful, so they know how to pool their resources better.
In the world of cybersecurity, there are some uncomfortable truths. One, perennially raised by commentators from many industries, is that businesses are slowly losing the fight against ransomware. Another – perhaps even more problematic – is that there is mounting evidence from large-scale data analytics showing that diverse teams are actually more likely to fall victim to such an attack.
Now, don’t get this wrong: it’s certainly possible to build diverse, secure teams. If done correctly, in fact, diversity can actually lead to stronger, more resilient networks and workplaces. But in order to achieve that, first we must face the uncomfortable realization that diversity and security are often at odds with each other.
In this article, we’ll explore why, and then look at how to build truly diverse and secure environments. Big data has shared some important insights, as you can see below.
1. The ransomware explosion
First, let’s look at the primary threat vector here – ransomware. If you work in cybersecurity, you can’t help but have noticed the huge rise in ransomware over the past few years. The pandemic and the associated move to home working for millions of employees around the world seem to have supercharged an already booming economy. A number of cybercriminals are using more sophisticated AI tools to conduct more frightening attacks.
Specifically, there was a 72% increase in ransomware attacks in the second half of 2020 in comparison with the first half, and many experts predict that this trend will continue long into the new year.
Despite this huge spike, consensus about how to deal with ransomware remains thin on the ground. Federal law enforcement agencies recommend simply not paying the ransom, and last year more than 225 US mayors signed on to a resolution not to pay ransoms to hackers. These “strategies” are less than useful to companies looking to reduce the risk of falling victim to such attacks, though.
Such preventative approaches are still under-developed. Many firms have now rolled out AI-based training programs that purport to give employees the skills needed to spot phishing attempts, which are still the most common vector for ransomware.
2. Ransomware and diversity
The truth is that we will not be able to reduce the number of ransomware attacks until we harden the weakest part of the security chain – employees – and empower them to avoid and report the most common attack vector for ransomware, namely phishing. Unfortunately, this is where the desire to increase security runs straight into another.
At first glance, the connection between diversity and ransomware might not be obvious. Think about how the average piece of ransomware is now infiltrated into networks, however, and it soon becomes clear. Today, hackers are capable of launching highly sophisticated social engineering attacks, and there is some evidence that people who identify as part of a racial, social, cultural, or sexual minority are more likely to fall victim to such an attack.
The reasons why this is the case are complicated. However, and without getting into deep psychological explorations, it’s pretty clear that the strong communities that have been (rightly) built up around these identities might make them vulnerable to being taken advantage of.
Non-binary people are a tiny minority in most workplaces and universities, for instance, and therefore might drop their guard a little if they receive an email that purports to come from someone who shares their experience, but which in fact is a phishing attempt.
3. Building security through diversity
This might be uncomfortable reading for some managers, but it’s important to recognize that a drive toward diversity, without thinking about the security implications of this, can lead to much more vulnerable systems. That said, it’s important to recognize that people from minorities are not a security risk in themselves.
Quite the opposite, in fact. A growing body of evidence suggests that diversity is actually fundamental to good security, and that initiatives to include women in information security can lead to dramatic increases in the resilience of systems and workplaces.
This is a view shared by many professionals. A study published by EDUCAUSE back in July 2020 explored industry responses to CIO’s Commitment on Diversity, Equity, and Inclusion (DEI) initiative, and found these responses to be overwhelmingly positive. Fully 83.1% of respondents strongly agreed that inclusive workplace environments create a more effective team of tech professionals.
The notion that diversity can be harnessed to improve security is not a new one, either. Despite now being quite outdated in terms of statistics, the 2018 (ISC)² report Innovation Through Inclusion: The Multicultural Cybersecurity Workforce has long offered cybersecurity analysts a way to think about how to create a diverse, equitable, and inclusive IT department, and how this can actually improve cybersecurity in the long term.
Updating the advice contained in that (ISC)² report, some analysts are now turning to another recent concept – “defense in depth” – as a way to think through the issues created by diverse teams.
The reasoning goes something like this: approaching your security through defense in depth focuses your attention on putting in place many levels of defense. These levels of defense should include the most effective tools that any business can afford to use.
For example, it’s very important to handle customer financial data as securely as possible, and most businesses can do so with online invoicing systems that come PCI-DSS certified. This means that all customer personal and financial data will be kept safe since it will be encrypted, regularly audited for security vulnerabilities, and only accessed by authorized users who have approved and verified user IDs.
Achieving this kind of increased level of security will require a change in approach on behalf of many organizations, however. At the moment, many of the training programs focused on preventing phishing attempts assume that employees (or students, or colleagues) are susceptible to a certain set of offers: white, male employees might not be aware of the emotional sway (and potential danger) that social engineering tactics can have on their less well represented colleagues.
Conversely, such an approach can also take advantage of brand new, potentially expensive technologies, such as the systems that aim to use AI to solve staffing shortages and simultaneously improve cybersecurity.
As remote work becomes the norm, all employees should be mandated to use an enterprise-level virtual private network (VPN) to encrypt their data and mask their IP addresses while using a company network. The most effective VPNs come installed with proven L2TP and IKEv2 encryption levels, which are more secure than the PPTP encryption that was previously the standard in most VPN servers.
The link with diversity is apparent when one considers that defense in depth approaches rely on a simple premise – that no one part of your systems is secure, and that no two employees are the same. If you’ve put in place an employee referral program to find new staff members, for instance, you should not assume that staff recommended by their friends or colleagues share a modicum of cybersecurity knowledge. Instead, train everyone, and protect everyone.
Big Data Shows Us More About the Relationship Between Diversity and Cyberattacks
Big data has helped us identify a possible security risk for various organizations. However, these data-driven insights shouldn’t be the end of the world for organizations trying to thwart cyber-criminals. If handled correctly, there is no reason that diverse teams should not be as secure as their more homogeneous analogues. And, on a more philosophical level, concerns about the security of diverse teams should not be used to argue that we shouldn’t be more diverse as an industry. We can do two things at once: we should think about how to end the gender diversity problem, and also how to improve the safety of all employees, at the same time.