
Cybersecurity Expert Puts Focus on Training People, Not Developing Technology

Computer systems today have come to hold people’s most private information, and the gatekeepers of such systems have a greater responsibility to protect them.

Speaking to hundreds of information technology professionals, security expert Reg Harnish did not once mention “malware.” Nor did he delve headlong into the complexities of firewall protections. Not one of his eight pieces of advice had anything to do with technology.

“Firewalls aren’t really even part of the equation when you think about the threats that are out there,” said Mr. Harnish, founder of GreyCastle Security, a firm based in Troy, N.Y. “At the other end of every piece of malware, at the other end of every phishing campaign, is a person.”

“The way we defend that is with people,” he said.

In a presentation he billed as a discussion about psychology, Mr. Harnish diverged from some of the denser topics on the program at the Pittsburgh Information Technology Audit & Control Conference held at Rivers Casino on Monday.

He began with a series of optical illusions and progressed to several audience participation experiments that challenged the viewer to concentrate on multiple stimuli at once — all to show that an employee’s awareness of security could be lax.

“We don’t need people to be experts in cybersecurity, but it’s about being willing and capable of recognizing when things are out of place,” he said.

The presentation was also a bit self-referential, Mr. Harnish admitted afterward, in that one of his main goals is inspiring companies to take cybersecurity threats seriously by breathing a little life into employee education. He candidly criticized the “crappy” in-house training sessions that, he said, put employees to sleep and convince management to seek help from outside security firms such as his own.

“They don’t see you as a trainer; they see you as an IT guy, an auditor, somebody in management,” he said. “However, if an organization like ours comes in and if we deliver the same exact message, the results are astoundingly different because we are experts.

“There’s something … in the brain that goes: ‘You guys can’t possibly be good at training; why should I listen to you?’ ”

Mr. Harnish’s comments come as major U.S. companies such as Target, Home Depot and Bank of America have reported data breaches, exposing millions of customers’ sensitive information.

In February, hackers stole information from UPMC employees, a breach that was detected only when those employees reported fraudulent tax returns. Initially, the Pittsburgh health giant thought the attack was limited to a few dozen employees, but later it expanded the warning to all 62,000 of its employees.

Last month, U.S. officials discovered Black Energy, a piece of malicious software designed to attack water, electricity and other critical infrastructure that cybersecurity experts believe originates with Russian government-sponsored hackers.

Mr. Harnish compared the detection of a data breach to “finding a needle in a field of haystacks.” Hackers’ tactics and tools have greatly outpaced the defenses of organizations, he said.

“It’s so much worse than it used to be,” he said. “Not only do cybercriminals have far more capabilities than they did five years ago, but organizations are a lot harder to defend.”

Yet, because computer systems today have come to hold people’s most private information, the gatekeepers of such systems have a greater responsibility to protect them.

“Piling technology on top of technology and security controls on top of other things doesn’t necessarily solve the problem,” he said. “This is about convincing people to change their behavior.”

©2014 the Pittsburgh Post-Gazette