When we first moved into our home, the dehumidifier read 90% humidity consistently for three months. It would have read higher, but it wasn't designed to display 99%...
This humidity level had one benefit - removing the plaster in the house was a breeze - we used fish slices rather than chisels. But the drawbacks included decay, rot, and mould.
And the biggest problem was the mould that formed in our neighbour's adjoining wall because of the damp walls in ours.
The root cause of the humidity was partly the dirt floors...
partly the collection of holes in the roof...
and partly because the heating hadn't been turned on for 18 months.
That first winter was cold and miserable.
But the advice we got was simple - "Make it weatherproof. Then dry it out. You'll be fighting a losing battle if you don't stop the water from coming in."
I remembered this story earlier this week, not because of the freezing temperatures but due to a customer conversation about securing the perimeter.
In recent years "securing the perimeter" was an insult. It was a shorthand way of saying, "you're taking a legacy approach to security".
This negativity is because "securing the perimeter" traditionally meant "we bought a firewall, plugged it in, and have done nothing with it". But some new subtlety is emerging - and it's not about technology.
The customer I was talking with had recently fallen victim to a scam that resulted in a large sum of money being transferred. There had been multiple failures, but a healthy chunk of the blame rested outside the customer's control. One of their suppliers had critical security problems - and our customer was landed with the fallout.
Our conversation took various meandering turns, but the crux became clear...
"How do we de-risk our interactions with all third parties? Suppliers. Customers. Everyone."
This question has good grounding - the 2022 Verizon Data Breach Investigations Report headline stats included:
We're used to getting exploited automatically within seconds by simply connecting a server to the internet without proper perimeter protection. But we're still finding our way when it comes to people working with third parties.
There's more to people's security than phishing simulations and security awareness training. However, it's rare that "credential stuffing attacks", "supply chain attacks", and "passing-off" make it to the top of the agenda.
When a customer loses a password they reuse across many websites, you become a target, because they probably used the same password on your website too. In which case, how do you know the difference between a hacker and your customer?
When a supplier is gravely compromised and "information only our supplier could know" becomes common knowledge among hackers, your team's judgement becomes flawed.
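The "hacker or customer" question above has a practical defender's side: a reused password lets a credential-stuffing bot log in as the customer, so the signal is not the single login but the burst it arrives in. The following is an added example, not code from the original post; it parses a constructed login log (the line format, the thresholds and the helper names `parse_log`, `flag_stuffing_sources` and `suspicious_successes` are all assumptions made here) and flags source addresses that hit many distinct accounts with a high failure rate inside one sliding window, then lists any successful login that came from such a source so it can be sent for step-up verification rather than trusted as the customer.

```python
"""Added example (not from the original post): spotting credential-stuffing
traffic in a web application's login log, so that a success that arrives in
the middle of a stuffing burst is treated as 'unverified' rather than as the
customer. Log format, thresholds and helper names are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<UTC timestamp> <source ip> <username> <outcome>".
# 203.0.113.7 walks through eight different accounts in seconds (stuffing);
# the other two sources look like ordinary customers (one mistyped password).
SAMPLE_LOG = """\
2024-01-15T08:00:01Z 203.0.113.7 alice failure
2024-01-15T08:00:02Z 203.0.113.7 bob failure
2024-01-15T08:00:03Z 203.0.113.7 dave failure
2024-01-15T08:00:04Z 203.0.113.7 erin failure
2024-01-15T08:00:05Z 203.0.113.7 frank failure
2024-01-15T08:00:06Z 203.0.113.7 grace failure
2024-01-15T08:00:07Z 203.0.113.7 heidi failure
2024-01-15T08:00:08Z 203.0.113.7 carol success
2024-01-15T08:05:00Z 198.51.100.20 dave failure
2024-01-15T08:05:30Z 198.51.100.20 dave success
2024-01-15T08:06:00Z 192.0.2.5 erin success
"""


def parse_log(text):
    """Turn the raw lines into records with a real datetime for windowing."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "outcome": outcome,
        })
    return records


def flag_stuffing_sources(records, window=timedelta(minutes=10),
                          min_accounts=5, min_failure_ratio=0.7):
    """Flag source IPs that, within one sliding window, try many distinct
    accounts with a high failure rate. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        in_window = Counter()  # username -> attempts currently inside the window
        failures = 0
        start = 0
        for end, ev in enumerate(events):
            in_window[ev["user"]] += 1
            failures += int(ev["outcome"] == "failure")
            # Slide the window start forward until it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                in_window[old["user"]] -= 1
                if in_window[old["user"]] == 0:
                    del in_window[old["user"]]
                failures -= int(old["outcome"] == "failure")
                start += 1
            total = end - start + 1
            ratio = failures / total
            if len(in_window) >= min_accounts and ratio >= min_failure_ratio:
                # Keep the widest burst seen for this source.
                if ip not in flagged or len(in_window) > flagged[ip]["accounts"]:
                    flagged[ip] = {"accounts": len(in_window),
                                   "attempts": total,
                                   "failure_ratio": round(ratio, 2)}
    return flagged


def suspicious_successes(records, flagged):
    """Successful logins that came from a flagged source: the accounts whose
    'customer' may actually be an attacker holding a reused password."""
    return [rec for rec in records
            if rec["ip"] in flagged and rec["outcome"] == "success"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = flag_stuffing_sources(recs)
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    for hit in suspicious_successes(recs, flagged):
        print(f"step-up verification needed: {hit['user']} from {hit['ip']}")
```

The customer who mistypes once and then succeeds is never flagged: one account, two attempts. The stuffing source is flagged on the strength of breadth (many accounts) and failure rate together, and its one success on `carol` is exactly the login the post's question is about; treating it as unverified (re-authentication, a second factor, or a hold on money movement) is how the application tells the difference when the password alone cannot.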
The often-touted solution is using security questionnaires to validate a new supplier. But are you really going to answer 350 detailed security questions for a £5,000 deal? It would cost more to answer them than the deal's profit.
And then there are the times when hackers don't even need to come close to your business. Simply by knowing a small nugget of information, a scammer can pass themselves off as you and target your customers.
"Sure, we can do that for you… pay us a deposit to this account, and... 😬... 😫...".
How can you stop this if you don't even know it happened?
Where securing the technical perimeter was relatively simple - buy a firewall and do the basics - securing the People Perimeter is a lot more tricky.
People Perimeter security still needs to be solved. And businesses will likely need to become much more curious and intrusive to understand how their customers and suppliers work - all in the name of mitigating their own risk.
Like the mould in our neighbour's house - it takes effort and a change of approach to stop rot and decay from infecting others. If third parties aren't prepared to make that effort - it's good to know before dealing with them.