It's time to start patching the Human OS

Computers and mobile devices store, process and transfer highly valuable information. As a result, your organization most likely invests a great deal in protecting them. Protect the end point and you protect the information. Humans also store, process and transfer information -- people are in many ways nothing more than another operating system, the Human OS.

Yet if you compare how much organizations invest in securing their computers versus how much effort they put into teaching employees how to safeguard information, you would be stunned at the difference. For example, organizations typically invest in the following resources to protect an end device:

Antivirus software

Patch management

Virtual private networks

Host-based prevention systems

Two-factor authentication

Vulnerability scanning

End-point encryption

Log monitoring

Now go down that list and add up the cost for securing each computer. Then add support contracts, help desk phone calls, and how many full-time employees it takes to maintain all of this technology. You probably end up spending $100 or $200 a device.


Now, let's go through the exact same process for people. How much to secure each employee? Hear those crickets chirping? Your organization is most likely spending 20 to 50 times more on securing computers than on securing the Human OS, if it's working with those employees at all.

If finding the dollar amount for each computer is too complex, try a simpler metric. Count how many people you have on your information security team. Now, out of all those people, how many focus on securing technology and how many on securing the Human OS? You will probably end up with a very similar ratio, something like 20:1 or 50:1. And organizations still wonder why the human is the weakest link.

Technology is important, and we must continue to invest in and protect it. However, eventually you hit a point of diminishing returns. We have to invest in securing the Human OS as well, or bad guys will continue to bypass all of our controls by simply compromising the human end-point.

Think of it in these terms: Fifteen years ago was the wild, wild West of hacking, the golden age of worms. Cyberattackers could easily compromise millions of systems by randomly scanning every system on the Internet and breaking into anything that was vulnerable, which was most systems in those days. We in the security community felt a great deal of pain and invested heavily in securing computers. Nowadays, computers come out of the box with firewalls, minimized services, automated patching and memory randomization. Fifteen years later, it has become much harder to compromise a computer.


But in those same fifteen years, what have we done for the Human OS? Nothing. As a result, the Human OS is still stuck in the days of Windows 95, Windows NT or Solaris 2.5. There is no firewall on by default, all the services are enabled, and this operating system is happy to share data with anyone who asks.

Until we begin to address the human problem, the bad guys will continue to have it easy.

Lance Spitzner is the training director for the SANS Institute's Securing the Human program.
