In an exclusive interview, Andrew Rose, Chief Security Officer at SoSafe, delves into the often-overlooked human aspect of cybersecurity.
Watch the full interview to learn how to transform your organisation’s biggest vulnerability into its greatest asset.
In the field of cybersecurity, there’s one constant that remains both the greatest asset and the most significant vulnerability: the human factor. While technological advancements continue to fortify digital defences, human behaviour remains a pivotal element in determining the success or failure of cybersecurity measures.
This intricate interplay was the focal point of our recent discussion with Andrew Rose, Chief Security Officer at SoSafe, a security awareness training and human risk management company that focuses on reducing human-related security risks by leveraging behavioural science to enhance employees’ security instincts.
As an award-winning CISO with over 25 years of experience in cybersecurity, including roles at MasterCard and as a Forrester analyst, Rose brings a wealth of knowledge on how organisations can better prepare for and mitigate cyber threats.
In this exclusive interview, Rose discusses how attackers exploit human behaviours through sophisticated techniques like pretexting and social engineering, highlighting the need for improved awareness and training to empower individuals as proactive defenders.
This is especially crucial in financial services, which are prime targets for cybercriminals. Employees in this sector can either serve as the first line of defence or become the initial point of vulnerability. A single mistake can result in severe breaches of confidential information, leading to significant financial and legal repercussions.
Moreover, Rose explores the evolving threat landscape, the impact of AI on both attackers and defenders, and the importance of continuous education and regulation to enhance cybersecurity resilience.
The past few years have seen a marked increase in the sophistication of cyber threats. Ransomware attacks, advanced persistent threats, and other malicious activities have become more prevalent and damaging. Financial services, in particular, have been at the forefront of these attacks due to the direct financial gains they offer to cybercriminals. Despite significant investments in cutting-edge technology to fortify their defences, these organisations continue to face substantial risks, primarily from the human element within their security frameworks.
Andrew Rose underscores a critical imbalance in cybersecurity investments: while approximately 90% of IT security budgets are allocated to technology, about 90% of the actual risk originates from human actions. “You can pile all of your technology controls higher and higher and buy all the latest firewalls and all the latest intrusion detection systems, but actually, what the statistics show is that it’s the human side of security, which is the major vulnerability,” says Rose.
This discrepancy highlights a pervasive underinvestment in addressing the human side of security, which Rose argues is where the most significant vulnerabilities lie.
The human element is frequently cited as the weakest link in cybersecurity, but Rose challenges this notion. Instead, he views people as the primary attack surface targeted by cybercriminals. Phishing, social engineering, and pretexting attacks exploit human behaviours and trust, making it imperative to shift focus from purely technological solutions to comprehensive human-centric strategies.
One of the evolving trends in cyber attacks is pretexting, where attackers build a narrative and establish trust with their targets before delivering the malicious payload.
“If the attackers can spread that trust out and have a text message and then a telephone call with you when they do send you the piece of malware, you find that people will click on it at a much higher rate,” says Rose.
To counter these sophisticated attacks, Rose advocates for empowering individuals within organisations to act as a human sensor network. This involves continuous education and training, enabling employees to recognise and report suspicious activities.
“We need to keep on telling them how the attacks and the techniques are changing so they can stay up to date with the threats they’re facing.”
The conversation with Andrew Rose brings to light the urgent need for a paradigm shift in how organisations approach cybersecurity. While technological defences are indispensable, the human element cannot be overlooked. By investing in continuous education and training, organisations can transform their employees from potential vulnerabilities into powerful assets in the fight against cyber threats.