Assessing the Human Element in Cybersecurity

Building controls represent an easy target for hackers, as most legacy building automation systems exist without cybersecurity included in the technology. These breaches are more problematic, as they signify vectors into the rest of the enterprise. Yet technology is not the only one at fault here. Lack of skilled IT personnel and insider knowledge also represent significant challenges to securing data and protecting privacy.

Economies Need a Stronger Cyber Workforce

The evolution of cyber threats in both scope and complexity have created an industrywide reliance on security technology vendors and service providers to ensure the safety of sensitive data. However, the increasing integration of advanced security hardware, software, and services requires additional training and qualified talent to install, manage, and troubleshoot it. The growing demand for IT professionals has exceeded the industry’s supply of skilled labor, creating a prominent education gap within the market. A report by Cybersecurity Ventures estimates there will be 3.5 million cybersecurity job openings by 2021. To help close this gap, organizations like the National Integrated Cyber Education Research Center in Louisiana are providing resources at the state level to educate students for building a stronger cyber workforce. As these attacks continue to intensify, the industry’s workforce shortage represents a significant barrier to combating Internet of Things threat vectors. 

Corporations like Microsoft have responded to the workforce shortage by placing most of their IT security into the hands of third parties. In fact, Microsoft estimated that 75% of infrastructure will be under third-party control by 2020. Outsourcing security may present new problems. However, according to Vice President of Managed Security Services at Herjavec Group, Melissa Zicopula, “Having a partnership with a third-party Security Operations Center provider is beneficial to companies that have limited IT resources and lack internal security expertise.” This outsourcing trend could present a major opportunity for cyber vendors and help companies meet their workforce needs. While third parties have their work cut out for them in terms of recruiting security talent, they are in the best position to do so.

Employees Can Be Just as Dangerous

Despite new initiatives to train a cyber workforce, it is important to identify the right people, as employees can be a major threat to an enterprise. Studies show that a significant portion of cybersecurity incidents originate from or are facilitated by a current or former insider. Disgruntled or financially motivated insiders (e.g., a director, executive/manager, employee, or contract worker) with access to the network or system operations of a building can be incredibly destructive. A recent decision by the Supreme Court of Newfoundland and Labrador illustrates how employees can be a major source of cybersecurity and privacy risks. The court ruled against the admissibility of IT expert evidence. This case, among several others, suggests that organizations must carefully consider who they place in trusted roles, the systems they use to protect data, and what measures they might take to guard against human risk. 

The need for security resides not only at the device or network level, but also in the people interacting with those systems. Thus, whether it’s outsourcing to a third party or taking security measures into your own hands, managers are encouraged to stay vigilant against attacks by investing in trustworthy people from the ground up.