Consider for a moment the concept of trust.
It is essential, as it determines our strategy for handling human risk. This field acknowledges that although individuals are a company's most valuable resource, they can also pose a significant risk in certain situations. With robust Personnel Security measures in place, individuals serve as the first line of defence, using efficient procedures, technologies and practices to detect and prevent surreptitious, malicious and occasionally negligent actions before they result in harm.
It is crucial to acknowledge the vulnerabilities and potential risks that members of a workforce may pose to an organisation, despite our desire to trust them. By proactively recognising these factors, we can implement measures to mitigate potential harm, demonstrating care for both the individuals and the organisation as a whole. It is imperative that our colleagues have confidence in us as their security guardians and advisors to make informed decisions and recommendations that prioritise the well-being of the organisation, its personnel, and its assets.
Trust, after all, is the belief that you can rely on someone or something.
We want to be around people that we trust.
We want to be seen as trustworthy.
If you trust someone, you believe that they are honest and sincere and will not deliberately do anything to harm you.
How, though, do we assess this, and in particular how do we assess it in the digital space?
Within the realm of cyber defence, a number of options have been proposed, each of which may suit a particular organisation's culture.
We can Trust Everyone, letting people navigate a physical and digital landscape and trusting them to do the right thing. We can Trust No One, adopting a Zero-Trust approach that requires people to repeatedly identify themselves. Or we can use technology to Trust but Verify, an approach intended to speed things up. When adopted in concert with a role-risk-based approach to managing insider risk, this mature approach may strike a balance between security and the freedom of movement that organisations believe they need to ‘move fast.’
Perhaps, though, these steps are no longer enough to keep up with the evolving tactics of threat actors. Personnel Security practitioners have been proactive in communicating that, as organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, recruiting an insider becomes a more attractive option for those attempting to gain access. But what if the insider morphs into something other than an infiltrator, an exploited individual, a malicious actor or an incompetent employee?
What if the insider isn’t actually someone at all?
Deepfakes serve as a testament to the progress made in technological research and development; however, they also pose a significant security threat. Numerous reports have highlighted the realisation of this risk and the subsequent devastating consequences. Despite the risk having been recognised some time ago, it is becoming increasingly evident that we may not be sufficiently prepared to address it. The concept that individuals' identities represent the new security perimeter, as proposed in the 2021 publication 'Socio-technical Security: User Behaviour, Profiling and Modelling and Privacy by Design', underscores the urgency of the situation. With deepfakes capable of perpetrating fraud, manipulating behaviours and influencing opinions on a large scale, it is imperative that we reassess our security protocols to determine their effectiveness. While the evolving threat landscape mirrors the rapid pace of technological advancement, the necessity of technology in mitigating these risks remains a subject of debate.
In an attempt to improve security, the U.S. Department of Homeland Security has provided recommendations on what to look for when communicating virtually, in order to help assess the integrity of a communication.
People should assess:
Video/image
· Blurring evident in the face but not elsewhere in the image or video (or vice-versa)
· A change of skin tone near the edge of the face
· Double chins, double eyebrows, or double edges to the face
· Whether the face gets blurry when it is partially obscured by a hand or another object
· Lower-quality sections throughout the same video
· Box-like shapes and cropped effects around the mouth, eyes, and neck
· Blinking (or lack thereof), movements that are not natural
· Changes in the background and/or lighting
· Contextual clues – Is the background scene consistent with the foreground and subject?
Audio
· Choppy sentences
· Varying tone inflection in speech
· Phrasing – Would the speaker say it that way?
· Context of message – Is it relevant to a recent discussion or can they answer related questions?
· Contextual clues – Are background sounds consistent with the speaker’s presumed location?
With the increased movement of people and devices, the security perimeter has moved from static security tools like firewalls to people, their identities and their access. Proactive security tools and training have become a necessary component of an effective ISMS, buying time to deploy tools that delay movement across a network, deny access to assets and respond to the threat actors themselves. Alongside continuing to develop appropriate behavioural change programmes designed to increase the security-mindedness and vigilance of employees, Personnel Security practitioners, in the case of this risk, may do well to encourage organisations to review their processes. Organisations may wish to ensure that employees can't make decisions that affect their critical infrastructure, 'crown jewels' and finances independently or outside of due process. A proportionate approach to security may place controls around the use of virtual communications and, in some cases, require business interactions to take place in person.
While organisations may see this as a potential blocker to business, reducing their ability to ‘move fast’, if the information shared or the required activity is so important, surely it should take place safely? After all, we all want organisations, their assets and people to still be around to protect. Acting as the gold thread of security convergence, Human Factor security programmes like TRUSTiN consider all structures and practices, in order to protect people, property, information and reputation.
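The process controls described above (no individual acting alone on finances or critical assets, instructions received over a virtual channel confirmed through an independent route, and the most consequential interactions taking place in person) can be written down as an explicit policy check rather than left to judgement in the moment. The following is an added illustration, not code from the original post or from the TRUSTiN programme; the channel names, thresholds, roles and sample requests are constructed assumptions, and a real organisation would set the limits from its own risk appetite.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Channel(Enum):
    IN_PERSON = "in_person"
    VIDEO_CALL = "video_call"
    VOICE_CALL = "voice_call"
    MESSAGE = "message"          # email or chat


# Any channel in which the counterparty could be impersonated remotely.
VIRTUAL_CHANNELS = {Channel.VIDEO_CALL, Channel.VOICE_CALL, Channel.MESSAGE}


@dataclass(frozen=True)
class Request:
    requester: str                      # person issuing the instruction
    approver: Optional[str]             # second person signing off, if any
    amount: float                       # monetary value of the action (0 for non-financial)
    channel: Channel                    # how the instruction reached the organisation
    verified_out_of_band: bool          # confirmed via a pre-registered contact route
    touches_crown_jewels: bool = False  # affects critical infrastructure or key assets


@dataclass(frozen=True)
class Policy:
    # Constructed thresholds (assumptions for this example).
    dual_control_limit: float = 5_000.0    # above this, a distinct second approver is required
    in_person_limit: float = 100_000.0     # above this, the instruction must be given in person


def evaluate(req: Request, policy: Policy = Policy()) -> tuple[bool, list[str]]:
    """Apply due-process controls to a request and report every failing control.

    Returns (allowed, reasons). Reporting all gaps rather than only the first
    lets a reviewer see the full picture before the request is escalated.
    """
    reasons: list[str] = []
    high_value = req.amount > policy.dual_control_limit or req.touches_crown_jewels

    # Control 1: nobody decides alone on money or critical assets.
    if high_value:
        if req.approver is None:
            reasons.append("second approver required")
        elif req.approver == req.requester:
            reasons.append("approver must differ from requester")

    # Control 2: an instruction that arrived over a virtual channel is acted on
    # only once confirmed through an independent, pre-registered route.
    if req.channel in VIRTUAL_CHANNELS and not req.verified_out_of_band:
        reasons.append("virtual-channel instruction lacks out-of-band verification")

    # Control 3: the most consequential actions are not taken on a call at all.
    if (req.amount > policy.in_person_limit or req.touches_crown_jewels) and (
        req.channel is not Channel.IN_PERSON
    ):
        reasons.append("value or asset class requires an in-person interaction")

    return (not reasons, reasons)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed scenarios, including a video-call instruction that fits the
    pattern the post warns about: urgent, high value, arriving virtually."""
    scenarios = {
        "routine_verified": Request("alice", None, 1_200.0, Channel.MESSAGE,
                                    verified_out_of_band=True),
        "urgent_video_transfer": Request("ceo", None, 40_000.0, Channel.VIDEO_CALL,
                                         verified_out_of_band=False),
        "video_transfer_dual_verified": Request("ceo", "cfo", 40_000.0, Channel.VIDEO_CALL,
                                                verified_out_of_band=True),
        "crown_jewels_over_call": Request("admin", "admin", 0.0, Channel.VOICE_CALL,
                                          verified_out_of_band=True, touches_crown_jewels=True),
        "large_in_person": Request("cfo", "ceo", 250_000.0, Channel.IN_PERSON,
                                   verified_out_of_band=False),
    }
    return {name: evaluate(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'HOLD'} {reasons}")
```

The point of the check is that a convincing face or voice on a call never becomes sufficient on its own: the request is held until a second, distinct person has approved it and the instruction has been confirmed through a route the requester did not choose, and above a stated limit the call is refused as a channel altogether.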
Wood, P. (2021). Socio-technical Security: User Behaviour, Profiling and Modelling and Privacy by Design. Challenges in the IoT and Smart Environments: A Practitioners' Guide to Security, Ethics and Criminal Threats, 75-91.