Okay, thank you very much for being here. My name is Patrick Shirazi and I'm representing Swedbank here. We are going to talk about why the human is the most important factor in cybersecurity. I'm pretty sure in recent days you have heard a lot regarding AI and, you know, tools and many things, generative AI that can help. But I would say the human might be the most important thing. In the interest of time, I might skip some of these slides.
Yes, we are a bank. We have, let's say, 7 million private customers, half a million corporate customers and lots of these statistics. But let's get into it. This is me 20 years ago, 25 years ago. I was thinking, what if I had that amount of money? With that, I could simply buy one, I would say, super luxury car. And what if I could afford 22 super luxury cars? That means I could afford one single data breach, at the total average cost.
That's how much it costs, the total cost, because it is not just the damage itself; it's the recovery, building your infra again, and also fines and many things. It's just like that, 22 super luxury cars. That's by IBM. And I'm afraid to say, only one third of these breaches you will get to know about yourself. Two thirds of them you will get to know about from someone else, the government or service providers. They will let you know you have a breach and you haven't been aware of it. So what should we do?
Should we go back to the boring security things like, let's go for asset management and let's say, what kind of risks do we have? That's one way. Some might argue that, no, we have breaches because we don't have enough sophisticated tools. Let's go buy them. That is true in many cases; however, tools are not the only problem. That is exciting, of course. Let's get better tools. Let's get more sophisticated firewalls, WAFs, all of these AI-enabled whatever. But is that really the case? I'm telling you no. Let me ask you this question.
These respectable names up there, what do they all have in common? They all experienced breaches, and they were very rich, you know, and they were really compliant with PCI DSS, ISO 27001, you know, GDPR, all of those. Compliance also doesn't bring any guarantee of security. So then what's wrong here? What are we missing here?
And to me, that is simple. All your cybersecurity measures are totally useless if you have an insider. That's quite simple. I heard it in an interview, or let's say an audio interview, with an ex-CIA agent who was very skilled in hiring spies in other countries.
He said, I don't care about your cybersecurity. I have someone inside who delivers me the information. It doesn't matter what type of firewall you are using, how sophisticated it is. Why is it like that? Because an insider already has authorized access to your data. That makes it difficult, you know. You have firewalls, you have IPS, IDS, all of these to not let people in. But they are already in. And 74% of breaches, according to this Verizon data breach report, are using a human. I would say it's 100%. I can argue that it's 100%.
You know, machines don't hack each other just for fun. There is always a human behind everything. I can go on and on with these types of statistics, but let me show you one interesting thing. If this is your organization, your people, half of them are regularly doing insecure behavior online.
Regularly, on a daily basis. That's what people do. And I'm afraid to say there are privileged users there as well. And that's enough: a privileged user who is doing insecure behavior is a very good thing for hackers. They love that. Then what types of insiders do we have?
You know, some of them are definitely malicious, those who are doing espionage or sabotage or exfiltration or all of those. And some of them are just negligent people, inadvertent people, you know, just doing things by mistake or from lack of skills. And for your information, the majority of them are these people that we have.
Okay, let me just give you some use cases. Just to tell you this is really the case, you know, in South Georgia Medical Center an employee, on just the last day of work, downloaded thousands of patients' records onto one simple USB and just quit the same day. That simple, you know. Or this one got really famous, in the Dallas Police Department. They were migrating data from on-prem to cloud, and this amount of data, 22 terabytes of data, just got deleted. They could recover two-thirds of it, but seven terabytes just got lost, unrecoverable. And what was the data?
Unfortunately, lots of footage, pictures and evidence for court cases. They just got lost, simply like that, because of a mistake. It was no malicious thing; it was because of a mistake.
This one, I really encourage you to go for it, Xbox Underground. If you search for it, it was really a thing, you know, and it was a combination of lots of different threat actors. But one small part of it was just an insider, you know, someone who had a Microsoft badge, and a family member could just simply get it, copy it, get into the building, steal one Xbox, which wasn't released yet, put it in the backpack and just get out.
Possible, really possible. And this one, you know, this slippery slope is really a case, in many cases, in many situations. Someone in the UK, it was an academy, and one admin who got, I don't know, fired or just resigned or whatever. This guy was unsatisfied with what happened. I have no idea whether he was right or wrong, but the termination process didn't work well. So the guy simply checked the computer: oh, I already have access to this academy and I'm not happy with them. Shall I do a little bit of damage here?
Yes, it's possible. If the termination process, you know, your IAM process doesn't work well, joiners, leavers, movers, and you're not terminated, your access is still there and you're already admin while you're out, yes, you can do a lot. So he started with some damage, wiping some servers, and you know, it gets worse and worse and worse. The last thing he did, you know, you have already enrolled lots of devices, your phones, to the company via Intune or mobile device management. He just wiped all phones at the very last step.
So all enrolled phones just got wiped, and many people lost their photos, you know, documents, whatever. Phones just wiped, you know, simply like that. Not just the hardware and the data; lots of training material was lost as well. So these are different types of insiders that might happen.
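The academy case above turns on one control: the leaver step of the joiner/mover/leaver process never disabled the admin's account, so the access (including the MDM role that can wipe enrolled phones) outlived the employment. Below is an editor-added example of the reconciliation check a practitioner would run to catch that gap; it is not Swedbank's code, nor anything shown in the talk. It compares an HR roster against a directory export and flags enabled accounts whose owner has a termination date in the past (escalated when the account still holds a privileged role, or has logged on after termination) and enabled accounts with no HR owner at all. The record shapes, the role names ("Intune Administrator", "Domain Admins", "Global Administrator"), the grace window and all sample users are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Roles treated as privileged. Assumed names for illustration; "Intune Administrator"
# stands in for whatever role can issue device wipes in the MDM.
PRIVILEGED_ROLES = frozenset({"Domain Admins", "Global Administrator", "Intune Administrator"})


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class DirectoryAccount:
    user_id: str
    enabled: bool
    roles: frozenset[str]
    last_logon: Optional[date]


@dataclass(frozen=True)
class Finding:
    user_id: str
    severity: str
    reason: str


def reconcile(hr: list[HrRecord], directory: list[DirectoryAccount],
              today: date, grace_days: int = 0) -> list[Finding]:
    """Return one Finding per enabled directory account that the leaver process
    should have disabled: terminated employees past the grace window, and
    accounts with no HR owner at all (orphans)."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: list[Finding] = []
    for acct in directory:
        if not acct.enabled:
            continue  # already disabled, nothing to report
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append(Finding(acct.user_id, "high",
                                    "enabled account has no HR record (orphan)"))
            continue
        if rec.termination_date is None:
            continue  # current employee
        if today - rec.termination_date < timedelta(days=grace_days):
            continue  # offboarding still inside the agreed grace window
        privileged = sorted(acct.roles & PRIVILEGED_ROLES)
        if privileged:
            severity = "critical"
            reason = (f"terminated {rec.termination_date}, still enabled "
                      f"with privileged roles {privileged}")
        else:
            severity = "high"
            reason = f"terminated {rec.termination_date}, still enabled"
        # A logon after the termination date is evidence of use, not just exposure.
        if acct.last_logon is not None and acct.last_logon > rec.termination_date:
            reason += f"; logon after termination on {acct.last_logon}"
        findings.append(Finding(acct.user_id, severity, reason))
    return findings


# Constructed sample data (not real people or accounts).
TODAY = date(2024, 6, 10)
HR = [
    HrRecord("alice", None),                 # current employee
    HrRecord("bob", date(2024, 5, 31)),      # left admin, never disabled
    HrRecord("carol", date(2024, 6, 9)),     # left yesterday, inside grace window
    HrRecord("dave", date(2024, 4, 1)),      # left and correctly disabled
]
DIRECTORY = [
    DirectoryAccount("alice", True, frozenset({"Users"}), date(2024, 6, 9)),
    DirectoryAccount("bob", True, frozenset({"Users", "Intune Administrator"}), date(2024, 6, 8)),
    DirectoryAccount("carol", True, frozenset({"Users"}), date(2024, 6, 9)),
    DirectoryAccount("dave", False, frozenset({"Domain Admins"}), date(2024, 3, 30)),
    DirectoryAccount("svc-backup", True, frozenset({"Domain Admins"}), None),  # no HR owner
]


def run_example(grace_days: int = 2) -> list[Finding]:
    return reconcile(HR, DIRECTORY, TODAY, grace_days=grace_days)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity}] {f.user_id}: {f.reason}")
```

Run daily against a fresh HR export and directory dump; the "critical" findings are exactly the situation in the talk (a leaver who is still an admin and still logging in), and the orphan finding catches service accounts nobody owns. The grace window exists only so that same-day offboarding does not page anyone; set it to zero for privileged roles if the policy requires immediate revocation.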
Okay, but are we just blaming people, like, hey, that's people's problem, we have good policies, it's just people, people are having the problem? It's easy, of course, to do that, but, you know, as you know, we're all human, after all. You heard the song. We're just human, you know.
Anxiety, stress, ambition, excitement, all of these are affecting the way we think and the way we behave and the way we make decisions. And, you know, we can make crazy decisions if we are under such a situation. There is already a lot to improve in our workplaces. The American Psychological Association made a survey this year, and it was like 77 percent of workers reporting they're experiencing emotional challenges at the workplace.
This diagram by Dodson, this is a famous one; it was created a hundred years ago, almost more than a hundred years ago, and it's still valid. You know, it shows the relation of performance and arousal, and that's, let's say, the psychological term for the brain being alert, awake, and cautious. So the performance goes up if you're awake, but after a certain level, too much, you know, pressure will bring down your performance, and it means for difficult tasks your performance will be really low. In such a situation, you don't remember why you made such a decision.
So that's also a thing; that's why, you know, many people are victims of these scam calls. When you get stressed, your behavior will be so different.
Okay, but let me also tell you these statistics as well. According to this APA, the American Psychological Association, if you look at only the first one, this is emotional exhaustion, what they experienced, what they saw in their surveys, and this is really a lot.
Okay, what does it have to do with security? We all know this, but okay, what's the relation to us? Let me just give you a little bit of a Viking thing.
This word, I'm not sure how many of you have heard the word lagom. It's, let's say, a Swedish word, a Viking word; it was called laget om. When Vikings were together, just imagine they wanted to have some drink; they had these big horns with some drink inside. They were telling each other, everyone drink enough so everyone can drink. It was called laget om, the rule of the round, you know, so it can go round with this drink. Now it means just balanced, just enough, not too much, not too little, just enough. This is a very famous one in the Nordic countries.
So security needs to be just enough; just enough security is enough. If people are that stressed, that under pressure, and we make things too complicated, people will just bypass security, I'm just telling you, you know. If people cannot work the way they like with your workloads, with your laptops, with your phones, they do it at home, and they transfer it to your company. Many things happen, you know, when people don't have flexibility in the working environment. Let it be complex, but not over-complicated. Sometimes it is complex, but it doesn't have to be over-complicated.
That's what we saw, and that's really easy to say, but, you know, implementing it is difficult. So, again, security policies don't save you.
You know, you can put as many things as you want in a security policy. When people cannot read it, when they don't understand it, what does it matter?
Yes, generative AI might help us here, and people can ask questions, but anyhow, security policies, just putting something in the policy, won't save you. As mentioned, legislation won't help you that much either. You can be compliant but still really vulnerable to a breach. And why do people do that, really?
You know, it's not necessarily something for malicious activity; it's because of the speed. You can work more easily at home than at your workplace. Your home computer is far easier to work with, if you are searching on the internet or you want to download a picture or whatever, than your workplace workload. That's simply it. And you can see that, this was by Gartner, that one third of people are just using unapproved USB devices. Just like that. If you haven't closed it in your, if you haven't banned it in your organization, you have seen it, I'm pretty sure.
And this one, you know, I've been working as a security architect for years, and I'm telling you a secret. Each time I'm saying, we count on people's awareness, it means I have no other control. I'm just begging people, please, don't do anything stupid.
And here, 72% of people who are bypassing security measures are already aware that it raises risks, but they do it. Why? Because it is convenient. If you have a deadline, which one do you prefer? Do you prefer the deadline to be met, or the security to be satisfied? I don't think people prioritize security here.
So, if you tell your manager, I've downloaded something on my home computer, worked on it the whole weekend, and now I'm sending it to my workplace, will he or she ask you why? No, they will be happy, because you have done something. Productivity is something that really matters. And this MICE principle is something I'm going to tell you at the very end. It's just about why people do crazy stuff, or what makes a person become an insider. M stands for money, simply. And it doesn't have to be a huge amount of money. Sometimes a very small amount of money could impact the way people do things.
And I stands for ideology, simply ideology. There is an idea, there is a reason some people do something crazy.
C, for coercion: if you, or someone, are under heavy pressure by a threat actor, they might do something you don't like. And I would say this is the most important thing here. E, ego. If you have people who are not satisfied with the situation, you know, if you have people that are downgraded, if you have, you know, discrimination, these types of, you know, human aspects of your workplace, if they are so serious and ego is raised, you will see really strange things happening.
So, as I'm telling you, it is not just about buying tools. I know it is really exciting. Just go buy things, just go, you know, a new firewall, a new workplace, a new thing. But you know, you know, people spend the money they haven't earned to buy the things they don't need to impress people they don't like. That's what happens in our daily life. I'm also so excited to buy things, to go buy items. Be careful about maturity. If you're not mature enough, just buying tools won't help you.
And, you know, this is our slogan in Swedbank. We say security is everyone's business. It's not just about a security team taking care of everything. This culture takes time, you know, maybe years before people start believing in it, that it is everyone's business.
So, with that said, surprisingly, I'm finishing five minutes early. You know, I had planned that I wasn't going to make it. There are too many slides. But thank you very much for listening.