Artificial intelligence is rapidly improving cybersecurity, but human vigilance and intervention are still crucial to prevent breaches.
Content originally appeared on The Modern Software Factory
Hackers love artificial intelligence as much as everyone else in the tech world. In fact, cybersecurity strategist Anup Ghosh recently reported that hackers are increasingly tapping AI to improve their phishing attacks.
“The evidence is out there that machines are far better at crafting emails and tweets that get humans to click,” Ghosh told a recent security conference, reports Computer Weekly. “Security companies that fight these bad guys will also have to adopt machine learning.”
An AI security arms race is likely coming as hackers’ machine-learning-powered attacks are met with cybersecurity pros’ machine-learning-powered countermeasures. But AI advances alone aren’t responsible for the worst hacks these days. According to Verizon’s 2016 Data Breach Investigations Report, the biggest security breaches often begin with preventable human errors.
The much-discussed Equifax security breach, for example, likely could have been prevented had the flaw in the Apache Struts web application framework been patched in a timely manner. A single spear phishing click compromised three billion Yahoo user accounts. And hackers used the pilfered credentials of an HVAC vendor to steal 70 million Target customers’ data, including 40 million credit card numbers.
In all three of these high-profile hacks, an alert employee—and that means anyone, not just the CISO and their support team—could have made a difference in foiling the breaches.
The lesson? In 2018, companies can’t rely solely on the latest AI-powered security software to prevent cyber attacks. Security needs to be a 24/7, company-wide human effort.
Human Intervention Matters
According to Mark McGovern, Vice President of Product Management at CA Technologies, “The need to have security awareness in your culture and in your workforce will never go away. Security is about building and enabling trust. The more trust customers have in a business, the more business they will do with that company.”
And to build that trust, he says, businesses must emphasize the importance of security throughout their culture. “Today, we can fully automate just about anything. Automating security has been challenging, but it’s a big focus now,” he says. “Having a security mindset throughout the company ensures you’re always building and enabling trust with your customers.”
To better understand if your company has the security mindset and the human touch needed in today’s age of AI, ask yourself the following questions:
1. Does HR onboarding include security training?
When new employees join a team, do human resources teams effectively convey to them the value of your data assets, your security protocols and their individual responsibilities to safeguard company data? “Compliance is not the same thing as security,” McGovern says. “By its nature, compliance is a lagging indicator and the least common denominator. It’s the bare minimum versus going out of your way to support your customers and build trust.”
2. Is DevSecOps a priority?
What shared accountability exists to ensure that all future application development remains secure? Is security discussed at the beginning of each development cycle and then integrated throughout, or is it only checked and validated prior to product release? David Wayland, Senior Security Program Manager for a Fortune 500 company, urges companies to prioritize DevSecOps from the start.
3. How often do you revisit security protocols?
How frequently do you assess corporate-wide security for governance and compliance? How often do you hold (and update) training programs to ensure company-wide awareness of changing threats? A recent survey by Deloitte and Compliance Week found that “40% of companies do not perform an annual compliance risk assessment.”
These questions are meant to inspire high-level thinking about your corporate security culture. Protecting your company demands that your skilled security professionals educate the greater workforce and instill the right mentality as well as the governance procedures across each department.
Before the Target breach, it was hard to imagine that 70 million customers’ records could be stolen due to a seemingly minor oversight. Protect your company from a similar attack: After you’ve deployed the most-advanced security software available, make sure you’re mobilizing the next-most-important security asset: your employees.