The former chief information officer of the US Department of Defense has said an organisation’s cyber security budget is most effectively spent on educating staff, rather than technology.
“The single threat to your system is people. Some of it not even malicious. People ask what keeps me up at night? It’s people,” Terry Halvorsen last week told an American Chamber of Commerce event in Sydney.
“The best investment anybody can make in security has very little, initially, to do with technology. It’s make sure you have educated your workforce on IT, operations, cyber hygiene,” he added.
Halvorsen joined Samsung as executive vice president and CIO of the company's mobile communications division in April last year.
His current role followed a two-year stint as CIO of the Department of Defense, and earlier service as CIO of the Department of the Navy and deputy commander of Navy Cyber Forces.
Halvorsen, who served as an intelligence officer during the US invasion of Panama and Operation Desert Storm during the Gulf War, said that Department of Defense staff were highly trained to avoid attacks, and received “a high penalty” when they failed to. Military personnel, too, were extensively trained in cyber hygiene.
But that wasn’t often the case elsewhere.
“Every major attack that’s been publicised has had a major component of that attack – either the entry or exploitation of that attack – be misbehaviour, not intentional, just misbehaviour or lack of cyber hygiene,” he said.
Halvorsen referred to a test his former department ran on a number of outside organisations involving a clearly marked malicious email.
“Subject line: ‘this is a malicious email, don’t open’. I do not want to tell you the exact click rate,” he said.
By improving its cyber hygiene even slightly, a company makes itself a less attractive target than its competitors, Halvorsen said, likening the situation to the Russian idiom of lightening the troika.
Staff education should be the priority, Halvorsen added, “do that first – and then worry about all the exotic technology”.
Although raising employee awareness around cyber hygiene – such as not sharing passwords – was effective, Halvorsen said biometrics could hugely improve an organisation’s security. The best examples, he added, were those that didn’t inconvenience individuals.
“Today it’s quite possible and it’s technically doable, I could do your identity check and you not have to change a single bit of your behaviour,” he said.
“You’re going to hit a keypad when you come in. The keypad can read your fingerprint. The way you move your hand on the keypad is as individual as fingerprinting, we know that, the data’s there. I can do [an] iris scan, I can do facial recognition. Your blood flow through your finger capillaries is quite individual. You do all that, take all those factors. You’re going to do that sign in anyway and we can authenticate who you are,” he added.
In recent months, Samsung has been pushing biometrics for authentication on enterprise devices. Its more recent smartphones can read fingerprints and scan irises.
Biometrics are “ideal for providing role-based access and customized security clearance in today’s enterprise” the company said in a blog post last month.
At Defense, Halvorsen said, he got rid of passwords and in 2016 began phasing out the Common Access Card (CAC) for network authentication.
The card carries a microprocessor with 144KB of memory and holds PIN-protected PKI certificates that let holders digitally sign documents, encrypt and decrypt email, and authenticate to networks.
It also stores two digital fingerprints, the holder's portrait, an identity certificate and other information.
In June last year it was revealed that Defense would begin using biometrics for computer access, with an “AI authentication technology that discriminates between authorized people and intruders by the way they behave on a workplace computer” from the Canadian firm Plurilock.
“After just 20 minutes’ tracking a user’s keystroke style and speed, mouse use, and other behaviors, Plurilock’s software builds a biometric profile unique to that user,” the company said at the time.
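To make the behavioural-biometric idea concrete, the following is an added toy example, written for this page and not Plurilock's product or any code from the article. It assumes an endpoint agent records press and release timestamps for each keystroke (the sample sessions below are constructed, not captured), summarises a session as mean dwell time and mean flight time, enrols a user from several legitimate sessions, and flags a later session whose timing falls too many standard deviations from the enrolled profile. The feature set, the z-score scoring and the threshold are illustrative choices; a production system would use far richer features and a trained classifier.

```python
from statistics import mean, pstdev

# A session is an ordered list of (press_ms, release_ms) tuples, one per keystroke,
# as an endpoint agent would record them. All data below is constructed for the example.


def session_features(session):
    """Summarise one session as dwell time (key held down) and flight time (gap between keys)."""
    dwell = [release - press for press, release in session]
    flight = [session[i + 1][0] - session[i][1] for i in range(len(session) - 1)]
    return {"mean_dwell": mean(dwell), "mean_flight": mean(flight)}


def build_profile(sessions, min_sigma=1.0):
    """Enrol a user: per-feature mean and spread across several legitimate sessions.

    min_sigma stops an unusually consistent typist from getting a zero-width band,
    which would reject every later session of their own."""
    vectors = [session_features(s) for s in sessions]
    return {
        name: (mean(v[name] for v in vectors),
               max(pstdev([v[name] for v in vectors]), min_sigma))
        for name in vectors[0]
    }


def anomaly_score(profile, session):
    """Average absolute z-score of a new session against the enrolled profile."""
    feats = session_features(session)
    return mean(abs(feats[name] - mu) / sigma for name, (mu, sigma) in profile.items())


def is_same_user(profile, session, threshold=3.0):
    """Accept the session if it sits within `threshold` standard deviations of the profile.

    The threshold trades false rejects (legitimate user locked out) against false accepts."""
    return anomaly_score(profile, session) <= threshold


def make_session(dwell_ms, flight_ms, jitter):
    """Constructed sample data: keystrokes with a base dwell/flight time plus per-key jitter."""
    session, t = [], 0
    for j in jitter:
        press = t
        release = press + dwell_ms + j
        session.append((press, release))
        t = release + flight_ms - j
    return session


JITTER = [0, 5, -5, 10, -10, 3, -3, 7, -7, 0]

# Five enrolment sessions for one hypothetical user: ~90 ms dwell, ~120 ms flight, drifting a little.
ENROLMENT = [make_session(d, f, JITTER)
             for d, f in [(85, 115), (90, 120), (95, 125), (92, 122), (88, 118)]]
PROFILE = build_profile(ENROLMENT)

# A later session from the same user, and one from someone else typing slower and more deliberately.
SAME_USER = make_session(91, 119, [2, -2, 4, -4, 0, 6, -6, 1, -1, 0])
INTRUDER = make_session(150, 250, JITTER)

if __name__ == "__main__":
    print("profile:", PROFILE)
    print("same user:", round(anomaly_score(PROFILE, SAME_USER), 2), is_same_user(PROFILE, SAME_USER))
    print("intruder: ", round(anomaly_score(PROFILE, INTRUDER), 2), is_same_user(PROFILE, INTRUDER))
```

Two points a practitioner would want to keep in mind: the score is only as good as the enrolment data, so a profile built while a user was typing under unusual conditions will reject them later; and a behavioural profile cannot be rotated the way a password or certificate can, so it is best treated as a continuous check layered on top of a primary credential rather than as the sole factor.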
“Passwords are not the right way. You make people shift passwords – they will make passwords that are the same and deviate. It’s just too easy. It’s a bad practice,” Halvorsen said.
“You don’t want to make users change behavior or impede their progress with security. [Biometrics] becomes a very fast way and convenient way and frankly an inexpensive way to do it.”