Whilst it certainly offers a somewhat biased, or one-sided take on the social media phenomenon, the film nevertheless raises a number of important concerns that are worth addressing.

As part of Eskenzi PR’s latest initiative, the Eskenzi Cyber Book & Film Club, cybersecurity and cyberpsychology experts were invited to take part in a Tweet Chat to discuss some of these very issues. Specifically, we were joined by Brian Higgins, Director at ARCO Cyber Security and Security Specialist at Comparitech; Anete Poriete, UX Researcher and Cyber Psychologist at CyberSmart; Madeline Howard, Director at Cyber Cheltenham (CyNam); and Neil Stinchcombe, co-founder of Eskenzi PR.

To read up on all of their insights, check out the Eskenzi Twitter or look under the hashtag #EskenziClubSD !

What is the biggest problem with social media?

In the same way the documentary began, the event kicked off with a rather broad question:

“What do you think is the biggest problem with social media today? Is there a problem?”

A general consensus suggested that a lack of regulation and ownership of responsibility has played a central role in the failings of social media.

Absolutely agree!! Facebook are launching Instagram for children and you can bet it’s not to safeguard them from online harms. What better way to know which Ads they’ll like when they finally get some independent spending power. pic.twitter.com/j7NMMfSc7g

— Brian Higgins (@brian_cyber) March 26, 2021

#EskenziClubSD A1: Social media gives us great freedom, but with great freedom comes great responsibility. The lack of regulation and communal irresponsibility are perhaps the biggest problems with it, although its effect on our collective cyber psychology is also important.

— CyberSmart (@CyberSmartUK) March 26, 2021

For Brian Higgins, part of the problem can be attributed to our ignorance. Indeed, if we are unaware that we are in the matrix, how can we then solve the issue, let alone recognise the problem in the first place?

A1. It’s definitely the Matrix problem and it’s generational. I was born in 1968 and remember life before tech. Younger people definitely can’t escape from the Matrix because they have no idea they’re in it! pic.twitter.com/bxv5XcK7Hs

— Brian Higgins (@brian_cyber) March 26, 2021

Social Media: Tool or Manipulation Instrument?

During the film, Tristan Harris, former design ethicist at Google and co-founder of Centre for Humane Technologies, suggested that we had “moved away from a tools based technology environment, to an addiction and manipulation used technology environment. Social media isn’t a tool waiting to be used. It has its own goals, and it has its own means of pursuing them by using your psychology against you.”

The argument suggests that algorithms and artificial intelligence are increasingly adept at understanding who we are, and are leveraging this knowledge to curate our reality as well as influence our thoughts and decisions.

A2 I think social is driving an agenda of addiction after all only two industries call their customers USERS, perhaps it did not start out as intentional, but if the platform is built on getting your attention to exert influence on you it is not surprising #EskenziClubSD pic.twitter.com/VnJgIevbnh

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

A2: In many ways social media is still a tool – to connect with individuals, do business, share thoughts, etc. BUT through algorithms which shape our individually tailored content and adverts our human psychology is being manipulated. #EskenziClubSD

— Madeline (@MadzzHoward) March 26, 2021

In addition to algorithms, however, is the platform offered to ‘influencers’.

#EskenziClubSD A2: Besides this, one of the key psychological features that cyberspace presents is the loss of authority and equalised status, therefore anyone can be seen as an influencer as long as they have the skill and means to communicate to their target audience.

— CyberSmart (@CyberSmartUK) March 26, 2021

Unfortunately, it seems our habit of consuming bite-size information has also made us conducive to being manipulated as both our attention spans and critical thinking are negatively impacted.

If we decrease our attention span and constantly occupy our brains with content that distracts and seduces us, then we lose the ability to question if something is true or relevant, do not feed your demons #EskenziClubSD pic.twitter.com/AeEEv0ONT2

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

#EskenziClubSD A3: People take less than a minute to view the majority of their on-screen content and it takes less than 30 seconds for people to switch across different content as that is more exciting.

— CyberSmart (@CyberSmartUK) March 26, 2021

A3: The endless streams of communication & connection are changing the way we think and absorb information.

Dopamine is stimulated by unpredictability, by small bits of information, and by reward cues. This is pretty much the exact conditions of social media. #EskenziClubSD

— Madeline (@MadzzHoward) March 26, 2021

Bite-size info has removed the ability to apply critical thinking to the things we read and see. Immediacy of information and expected response are the reasons why phenomena like Fake News have taken such a foothold. pic.twitter.com/5lZXeMkrZ8

— Brian Higgins (@brian_cyber) March 26, 2021

To Intervene or Not to Intervene

Recognising the imperfect nature of social media design then, we wondered if intervention by tech giants is required, particularly with regards to disinformation/misinformation.

A4: 100% intervention is required through fact checking teams / bots at the social media orgs. Newspapers are held accountable and penalised if they publish things that have negative repercussions…..social media platforms and users should be no different. #EskenziClubSD

— Madeline (@MadzzHoward) March 26, 2021

Social Media needs rules and accountability to protect the truth, rather than fake news with is more popular and spreads faster, it is no longer a case of you cannot handle the truth, it is hard to know what is the truth #EskenziClubSD https://t.co/Xp1awMeGei pic.twitter.com/E3Dmw3nAFL

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

 

It’s fairly obvious that SM companies have a very set agenda and aren’t willing to self-regulate. Mark Z was in the film saying that the best way to combat all of the problems caused by their AD-spewing algorithms is to write more algorithms.#EskenziClubSD#Definitionofmadness pic.twitter.com/xp7eJG0TMG

— Brian Higgins (@brian_cyber) March 26, 2021

#EskenziClubSD A4:Uses and gratifications theory explains that what technology was designed vs how people use technology can be very different. I think the design and policies should be adjusted to the actual usage of social media and support the common good for us as a society.

— CyberSmart (@CyberSmartUK) March 26, 2021

Yet, the issue of misinformation is not always clear cut. In fact, a recent study conducted by Facebook suggests that it is not necessarily false information that creates problems but content that doesn’t “outright break the rules”.

The study sought to understand the spread of ideas on social media and how it was having an impact on Covid-19 vaccine hesitancy. Despite banning false and misleading statements about the vaccine, many statements including expressions of concern or doubt, are often too ambiguous to be removed but have been found to play a harmful, contributing role to hesitancy. This is especially true when the message is promoted by influencers and are concentrated within like-minded communities, acting as an echo chamber.

Anete Poriete explains this further:

#EskenziClubSD A5: Likewise, we’re often more inclined to favour opinions and information that comes from sources we identify with – the so-called ‘echo chamber effect’. The best way to address this is with critical thinking and fact-checking before sharing the content further.

— CyberSmart (@CyberSmartUK) March 26, 2021

To address the issue, Madeline Howard believes proactive engagement is necessary.

A5: (continued!)….Work needs to be done proactively engage with these communities and direct more authoritative information towards them. #EskenziClubSD pic.twitter.com/Ot2xLqPQBD

— Madeline (@MadzzHoward) March 26, 2021

This then led us to question whether it is ever okay to amplify a message.

A6. Given the fact (if it is a fact!) that it’s apparently impossible to discern between messages of truth and those that are in some way false, then allowing algorithms to propagate the information to billions of tech-addicted internet sheep is probably not the best idea. pic.twitter.com/BdLyCqyshp

— Brian Higgins (@brian_cyber) March 26, 2021

A6: I don’t think it is OK to amplify messages regardless of who you are or the organisation. It’s created a deceitful online environment where individuals, organisations & governments are playing the algorithm game to gain the most traction, engagement and ultimately influence.. pic.twitter.com/39FeXREAI1

— Madeline (@MadzzHoward) March 26, 2021

A6 Not MONEY It will depend on who/what defines the rules of the algorithm, good AI will have its ethics set by society so if the process used to decide, is similar to society influencing who a self driving car crashes into it could be fine #EskenziClubSD https://t.co/kRDjdLNbTp pic.twitter.com/70zHqBc4jv

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

The Privacy Paradox

The news is full of concern about privacy, we all think of it as very important, but the way we act in reality is often contradictory. There appears to be cognitive dissonance in that we claim to value our privacy, and yet we continue to engage in services such as Facebook, that undermines it. Moreover, we often choose to overshare details of ourselves and our lives on such platforms.

#EskenziClubSD A7: Unfortunately, this doesn’t always lead to according behaviours – a so called privacy paradox. There are multiple reasons why people would not act accordingly, firstly, they lack knowledge of how to manage their privacy settings as they are complicated….

— CyberSmart (@CyberSmartUK) March 26, 2021

#EskenziClubSD A7: In social media, ‘close circle illusion’ plays a role as people see their information and data as only being shared with their friends and acquaintances.

— CyberSmart (@CyberSmartUK) March 26, 2021

A7. The answer to this is dehumanisation. Online activity allows us to post and troll and bully and sextort and groom all alone at home. Add even one other human presence and all of these behaviours would either be altered dramatically or not happen in the first place pic.twitter.com/Hee5zfMqOL

— Brian Higgins (@brian_cyber) March 26, 2021

A7 Does privacy even exist anymore? And do people still care about it? The more you have to lose the more you care about it, in a social media world there is a trade-off between privacy and fame #EskenziClubSD https://t.co/9zuzRJtfeD pic.twitter.com/lCQeSfZRr2

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

A7: Work needs to be done to raise awareness more effectively to the lay person. When the news is talking about privacy & the issues surrounding it, why aren’t they ending with ‘and here are some ways to ensure you’re living and working securely online’…. #EskenziClubSD pic.twitter.com/MdOOov9Ta0

— Madeline (@MadzzHoward) March 26, 2021

Interestingly, our offline behaviours also make us susceptible to cybercrime.

Q8: Cybercriminals are leveraging the very nature of social media – barrier-less connectivity.

Enabling them to connect, share and rapidly amplify their scams across social media to exploit our already heightening emotions when on the platforms. #EskenziClubSD

— Madeline (@MadzzHoward) March 26, 2021

A8. FUD.
Fear, Uncertainty and Doubt. Basically all of the things that the modern SM landscape has made impossible to avoid.
Hear all about when I joined the @TheBeerFarmers a while ago. Don’t watch it with your kids!!!https://t.co/iDqvogbL0C#EskenziClubSD

— Brian Higgins (@brian_cyber) March 26, 2021

A8 one of the biggest drivers for humans is being appreciated so that is one, greed is another, if something seems too good to be true then do not click that link #EskenziClubSD https://t.co/35dauSDseS pic.twitter.com/VwjGSolwNS

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

….which means that people are more open and judgement impaired online, much like being drunk. People can become more bold, confident and disclose a level of private and intimate information they would not necessarily disclose when offline. #EskenziClubSD

— CyberSmart (@CyberSmartUK) March 26, 2021

Recommendations and Solutions

To conclude the Tweet Chat, we asked the experts what they thought about the use of verified ID in helping to make us safer online and the concept of ethical-by-design.

In response to verified ID, the verdict was clear that it would encourage accountability. Nevertheless, as Anete points out, anonymity can also serve as a safety measure. As such, ID verification should be subject to choice. Neil added that the security of one’s identification should also be considered before ID verification is implemented on a wider scale.

A9: Yes. Individuals should be accountable for their comments and actions online. If you’re not prepared for your ID to be associated with an account…..why not…… #EskenziClubSD pic.twitter.com/M7I4uFdz5k

— Madeline (@MadzzHoward) March 26, 2021

A9. Absolutely it would. It would also severely restrict the user base of every SM platform and force them to be more accountable and less irresponsible. So I can’t see it happening any time soon.
EskenziClubSD pic.twitter.com/CttQA70FLz

— Brian Higgins (@brian_cyber) March 26, 2021

#EskenziClubSD A9: As cyberspace has introduced a lot of space for identity flexibility, complete anonymity in combination with disinhibition effects can help people to engage in more negative behaviours.

— CyberSmart (@CyberSmartUK) March 26, 2021

… cybercriminal groups.Therefore, I would agree that verification could make us safer online, but I believe these should be subject to choice. There are many instances where anonymity can be a safety measure. #EskenziClubSD

— CyberSmart (@CyberSmartUK) March 26, 2021

A9 Yes of course, as long as it is not used to identify where vulnerable people live or attack them, the process for identification needs to be secured and used ethically if you live in a totalitarian state you might have a different view #EskenziClubSD https://t.co/LYUwc0DmAu pic.twitter.com/uZ2rLjGZt8

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

In respect to the concept of ‘ethical-by-design’, it was agreed that ethics is ever-evolving and subjective; and should, therefore, be regularly evaluated. The key is in ensuring that technological design is working in the user’s best interest and operates with transparency.

A10: Platforms need to continue to evolve at pace to ensure they’re continually ethical in their design. Societal and industry trends, human behaviour, scientific research, political and economic issues all need to be considered and monitored so platforms can adapt #EskenziClubSD

— Madeline (@MadzzHoward) March 26, 2021

A10. Ethics are subjective, both socially and culturally. Since SM platforms are designed with a single, commercial purpose, ethics seem kind of defunct.#EskenziClubSD

— Brian Higgins (@brian_cyber) March 26, 2021

A10 Ethical by design is an interesting concept, the devil is in the detail and execution of course, who/what will decide what is and is not ethical, we have seen large groups in society develop polarised views and the center has almost disappeared #EskenziClubSD https://t.co/TiVPGEfJnH pic.twitter.com/2FnCM7z6kZ

— Neil Stinchcombe (@neilstinchcombe) March 26, 2021

#EskenziClubSD A10: Transparency is also an important element of ethical design. People need to fully understand what they are signing up for and this information should be easily accessible, digestible and understandable. Safety and security is the basis for ethical design.

— CyberSmart (@CyberSmartUK) March 26, 2021

A Concluding Note

While the Tweet Chat mainly focused on the negative consequences of social media, it is important to recognise that it has also brought us many benefits which cannot and should not be neglected. We just hoped this discussion provided you with some food for thought.

A10: The Social Dilemma was indeed an interesting watch but it was disappointing it didn’t share a balanced view.

Social media does bring benefits to our global society. It’s important to acknowledge the negatives & try to change them, but always remember the positives. pic.twitter.com/UZ7FdAIMEr

— Madeline (@MadzzHoward) March 26, 2021

The post Tweet Chat: The Social Dilemma appeared first on IT Security Guru.

Separating fact from fiction has never been harder, and with the popularity of social media misleading information is spreading like wildfire. It is swaying elections, distorting truth and putting people in harm’s way. So, what can be done to ensure there is balance between free speech and the accuracy of information shared? We asked a panel of experts to discuss this further in a live Tweet Chat as part of the wider Security Serious campaign Action Against Disinformation.

The panel:

• Neira Jones – Fraud, Cybersecurity and FinTech Consultant
• Madeline Howard – Socio-Technical Engagement Manager at Cygenta
• Tony Morbin – IT Security Guru Editor
• Eoin Keary – CEO/Founder at Edgescan
• Javvad Malik – Security Awareness Advocate at KnowBe4

Firstly, we asked the panel what Fake News meant to them and had they ever been duped. Seeing as these are professionals from a variety of roles within the cybersecurity industry, it was interesting to see their reactions with some even admitting to being duped:

A1: I believed Ozzy Osbourne bit the head off a live bat – it was dead (so that’s OK). I was responsible for a Fake News story as an April Fool joke, and had my editor ask for a photo of the person quoted, so it’s clearly possible to fool people. #cybersecurity #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A1: I believed Ozzy Osbourne bit the head off a live bat – it was dead (so that’s OK). I was responsible for a Fake News story as an April Fool joke, and had my editor ask for a photo of the person quoted, so it’s clearly possible to fool people. #cybersecurity #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A1. I think I get duped (even if it’s temporarily) more often than I’d care to admit. Many times it’s where an image or video is posted out of context or with a misleading caption causing a spike in outrage. Yes, despite knowing it – I still get suckered.#AADisinformation https://t.co/a3fupjusTO

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

Funnily enough, a hoax story regarding the re-formation of Highstreet retailer Woolworths was circulating in the news and on social media on the same day as the tweet chat which clearly shows the reality of fake news today:

A1: Well, for a second, this nearly got me… https://t.co/ZE12f8ctQ0#AADisinformation

— Neira Jones (@neirajones) October 27, 2020

But what role do algorithms, bots, and trolls play in the spread of fake news and disinformation? They are often considered the devious messengers designed to mislead the masses…

A2 Bots are one of the key components in spreading disinformation wide and far… they help get the lie across the world before the truth even gets its pants on! #AADisinformation https://t.co/ArQ8Fh1P7Q pic.twitter.com/lBdVY1QPBP

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

A2: A HUGE role! Bots are frequently set up to look like legitimate accounts. A great example of this was ‘NHS Susan’ whose profile used emotional cues to dupe people into believing the account was real and to provoke a reaction on social media.https://t.co/5wqexrYQbB

— Madeline (@MadzzHoward) October 27, 2020

A2: #AADisinformation They automate disinformation by pretending to be from a demographic who would naturally be against a movement but oppose the natural train of thought. (turkey voting for xmas).
This injects doubt in minds of folks. Bots automate this process at large scale.

— Eoin K (@EoinKeary) October 27, 2020

The media landscape has also changed, and we seem to have transcended into a culture whereby news has started to be driven by content designed to draw responses and interest

from the public which would encourage them to then click on the titles of the aforesaid pages. This has quickly introduced the click-bait culture which has certainly blurred what we now view as ‘news’.

A2: #AADisinformation They automate disinformation by pretending to be from a demographic who would naturally be against a movement but oppose the natural train of thought. (turkey voting for xmas).
This injects doubt in minds of folks. Bots automate this process at large scale.

— Eoin K (@EoinKeary) October 27, 2020

A3: Absolutely. The use of sensationalist language & over exaggerated claims to play on our emotions (e.g fear, panic & intrigue) and is a successful method to increase the spread of fake news. You could see it as social engineering on a mass scale…! #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

We have all read sensational headlines that piqued our interest & caused us to click to find out more – only to find what was in the headline was not in the story. Or that the story was totally unsubstantiated. We are living this now. #ITSecGuru #cybersecurity #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

When we think of fake news and disinformation some will assume it just affects the mainstream media but in truth it can impact any industry. So, has it crept into the cybersecurity sector and what lengths have our panellists gone too in stopping it?

A4: #AADisinformation Yes in particular in terms of cyber sales, capability description and marketing. #snakeoil
Attack attribution also can be fake and hard to prove otherwise, but we all love a story!! pic.twitter.com/yfWY0ko1Dy

— Eoin K (@EoinKeary) October 27, 2020

A4 I think fake news and disinformation unfortunately touch nearly every aspect of life directly or indirectly and cybersecurity is no exception.

From reputation damage to personal attacks to mixing in with social engineering attacks, been seeing more of this. https://t.co/5buMXoCeWT pic.twitter.com/F3ilkUPXMm

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

A4: Cyber criminals are using fake news as another method to spread their scams, this is making cyber security more challenging for individuals and organisations. It’s important that we start raising awareness of this now! #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A5: Internally @CygentaHQ we share lots of articles & news stories with one another. We support one another by commenting if an article doesn’t report correctly. Helping each other to understand and spot fake news is important. #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A5 Yes. Through user education, awareness, and training. Also this PSA on how to recognise disinformation @KnowBe4 https://t.co/4TnZo5wquv #AADisinformation https://t.co/Qtkdhu4eWl

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

A5: Externally, we are raising awareness about disinformation & fake news & I recently published a blog post which shares some top tips for spotting and protecting yourself again disinformation: https://t.co/iPyvkpWXX8. We’ll be sharing more resources this week. #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A5: #AADisinformation I’ve called out “spoofers” and snake oil salesmen publicly but it’s a difficult to do so as it may seem to be emotive or have an alternate agenda.
With the (Irish/USA) Covid App, we did the cyber, and had to call out fake news also. Speak out be Brave!!

— Eoin K (@EoinKeary) October 27, 2020

Given the negative impact fake news has, should it be viewed as a cybersecurity threat? When you observe how it is used, it can damage the reputation of an individual, organisation or country while also having the ability to manipulate opinions – both of which can lead to wrongfully harming the entity in question either physically or financially. So, what role can the cybersecurity sector play as a whole in preventing its spread?

A6: #AADisinformation Yes I’d say so. Given Cybersecurity is primarily there to protect “The person”. It can motivate malice and divide people, cause civil unrest. I believe the best cyber war attacks will cause civil unrest which will have most impact. pic.twitter.com/XOsG7JLeao

— Eoin K (@EoinKeary) October 27, 2020

A6: Yes, Fake news distorts our understanding of the threat landscape. If we are misled as to who is attacking us or why, it changes our defence posture. Warfare always deploys deception. #AAdisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A6: We know that nation state threat groups will try to mislead where attacks are coming from so that attacks are attributed to other countries. This can have really serious consequences and shows the importance of attribution. #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A7: #AADisinformation Call it out. Inform platform owners of accounts which are potential bots. Be brave!! We cant let the normalization of “Alternative facts” be ok!!

— Eoin K (@EoinKeary) October 27, 2020

A7 Raise awareness, educate people, and provide mechanisms to report disinformation, scams, and fraud.

Also invest in technologies that can help automate the process where possible. e.g. auto-adding watermarks.#AADisinformation https://t.co/lEaZDPKQuE

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

A7: Cyber security is not just about preventing leaks, but also ensuring availability and integrity of systems and data. Integrity means Ensuring our data is not tampered with and that we know where information it truly coming from allows us to contextualise. #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A7: On one level, education and awareness, and technology can also play a role in terms of automation, filtering, reputation checks, etc.#AADisinformation https://t.co/oij9AavMzm

— Neira Jones (@neirajones) October 27, 2020

While it appears further education and raising awareness to the issue of fake news is important in thwarting it, what would be the best solution to better regulate what information and news is posted to the public?

A8: Social media platforms would continue to develop and expand their dedicated fact checking teams allowing users to flag misleading and false stories. Its been promising to see Twitter flagging news stories & encouraging people to check stories are legitimate. #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

We regulate hate speech and incitement to violence. If a newspaper cannot publish things that have bad consequences, without suffering a comeback, why should social media platforms – or their users? Education, Regulation & laws needed. #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A8: #AADisinformation A factcheck Bot!! If we can have fakenews bots can we have Factcheck bots? Good Bots, Happy Bots, Fast Bots. Regulation should be True or False but not filter freedom of speech (important). https://t.co/jR2ur3Ivmb

— Eoin K (@EoinKeary) October 27, 2020

To close out the discussion, we wanted to find out how much fake news has impacted the notion of free speech. It’s a dilemma we currently face, and while we agree it’s a balancing act, it seems to be spiralling out of control as the demand for more information grows…but is it necessarily the right information that is getting published and how much is being construed as opinion?

A9: Yes, but that has always been the case, especially if an “opinion” comes from a trusted “brand”…#AADisinformation

— Neira Jones (@neirajones) October 27, 2020

A9: This is tricky. To me, Fake news is the misrepresentation of facts which is intended to deceive, whereas free speech is an expression of opinion. We need to focus less on drawing a line & more on empowering people to spot fake & malicious news #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A9 this has been the case for a long time. I think it’s not so much opinions which are misconstrued, but the machine in the back which purposely pushes and promotes misinformation. #AADisinformation https://t.co/JjnXcJPYPl

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

Lastly, will we see a time where Free Speech exists without Fake News…most have an optimistic view:

A10: No. We have to treat is the same way as having to live with coronavirus, and use common sense and best practice so as not to endanger ourselves and others.#AADisinformation

— Neira Jones (@neirajones) October 27, 2020

A10: #AADisinformation Yes it can but it needs to be fact checked. Free speech does not prevent lies. News is based on fact, speech is opinion. Everyone is entitled to have an opinion true or fake (misinformed).

— Eoin K (@EoinKeary) October 27, 2020

A10: Yes – if we mean Fake News is deliberate misleading – though I will admit I don’t know how we achieve it. #AADisinformation

— Tony Morbin (@tonymorbin) October 27, 2020

A10: Free speech enables voices and opinions to be heard. But we need to draw the line at malicious & false news stories, rumours and outright lies that take advantage and exploit vulnerable people. #AADisinformation

— Madeline (@MadzzHoward) October 27, 2020

A10 yes. #optimist #AADisinformation https://t.co/cSLROciGie pic.twitter.com/bGrrIoBRid

— Javvad Malik v2.0 (@J4vv4D) October 27, 2020

A10: No. We have to treat is the same way as having to live with coronavirus, and use common sense and best practice so as not to endanger ourselves and others.#AADisinformation

— Neira Jones (@neirajones) October 27, 2020

While we deal with the global pandemic, it is clear that we are also fighting against the virtual disease that is fake news & disinformation. Thankfully there are those that are making a stand and the Action Against Disinformation campaign as part of Security Serious Week 2020 has brought the topic to the forefront to make more people aware. Education is key and source checking can go a long way to ensuring you are well informed. To view all the content related to Security Serious Week 2020, click here.

The post Fake news, disinformation and cybersecurity appeared first on IT Security Guru.

What is shadow code?

Q1: Have any of you heard the term #ShadowCode before? If yes, what do you understand it to mean?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Our influencers seemed broadly aware of the term of shadow code and displayed an understanding of the term. The next challenge for those hoping to defend against the issues brought about by shadow code will be to encourage the term to go mainstream within technology circles, in the same way that ‘Shadow IT’ has become a term omnipresent in technology, developer and security circles. 

Why should we care?

Q2: From a business and marketing perspective, why should companies be aware of the code that they host on their digital ecosystem? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, our influencers make the case for an understanding of shadow code across the business. Making the point that data breaches or compliance issues can lead to diminishing brand reputation, PerimeterX CMO Kim DeCarlis flew the flag for marketing professionals gaining an awareness of shadow code, and working with security and IT teams to ensure that code is reviewed and tools are implemented in order to protect the brand. 

Jamie O’Meara, who heads up global partner solutions at Snyk also made the point that a businesses website is the access portal by which customers are found, dealt with and hopefully, retained – as good a reason as any to understand and be aware of the potential issues caused by shadow code. 

The security implications

Q3: What are the consequences of not being aware of this from a security perspective? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here we see a discussion of a much-forgotten element of the shadow code discussion: It does have some positives. Kim DeCarlis suggests that the agility that using Shadow Code can provide can be potentially helpful. 

However, from an infosec perspective, we still see the negatives outweigh the positives. Quentyn Taylor, who heads up information security for Canon in Europe, makes the connection between shadow code and supply chain security, suggesting it is perceived as this it might escape the more rigorous auditing other areas of the business might be subjected to. Ameet Naik of PerimeterX summed the concerns up succinctly too, stating that “You cannot secure what you cannot see.”

Shadow Code and job function

Q4: How is #ShadowCode impacting different job functions such as #CISOs, #infosec teams and #DevOps teams?

— IT Security Guru (@IT_SecGuru) September 16, 2020

The influencers here wax lyrical on the subject of how different job functions are affected by shadow code. As the resident CISO in the room, Quentyn Taylor suggested that the impact is more stringently felt on the DevOps side, and that Shadow code presents both an opportunity and a risk or CISOs. 

The RH-ISAC made the case for shadow code not always being as a result of malicious activity, stating something that a developer is simply on a deadline, and needs to finish the job fast, which in itself speaks to the skills gap in security and IT teams, and the far-reaching consequences. 

Shadow code in the real world

Q5: Can you provide any examples of when #ShadowCode has had a negative effect on a company in the past?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Bridging the gap between the infosec world and the real world, here we see our influencers discussing how this has impacted people in the real world! The infamous Magecart cybercrime syndicate was listed as a main example, with attacks aimed at Best Buy and Delta also referenced. 

Who needs to be the most concerned?

Q6: What are the implications for specific industries such as #ecommerce, travel and #elearning? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Question 6 asked who has the most at risk from shadow code. With more mature security postures found in financial and healthcare organisations, e-learning is identified as one area which has a less mature security posture, but a staggering amount of PII in their digital ecosystems. 

It’s worth hammering home the point however, as Kim DeCarlis did, that any business using shadow code to speed up their time to market is at risk. 

Moving forward: How to mitigate 

Q7: What is the best way for security teams to mitigate the effects of #ShadowCode?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, the advice was as you might expect: Review, understand and monitor. RH-ISAC, PerimeterX’s Ameet Naik, and security analyst and author Richard Steinnon all recommended surveying and monitoring, as well as having increased visibility as ways to mitigate the risks associated with shadow code. 

Are CSPs enough?

Q8: Some say content security policies (CSPs) are sufficient to address #ShadowCode. Is this accurate?

— IT Security Guru (@IT_SecGuru) September 16, 2020

In the most technical aspect of the chat, Quentyn, Richard and Ameet discussed content security policies, and whether they are enough to protect from shadow code, concluding fairly comprehensively that while a CSP is useful from an authorship and source perspective, it cannot tell what the code actually does: It is not a “set and forget” solution.

Shadow code and legislation

Q9: #ShadowCode has been responsible for many recent #Magecart attacks that incur GDPR and CCPA penalties. How much progress have we made towards achieving compliance with data privacy regulations?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Discussing whether the recent legislative trend towards protecting consumer data, as encapsulated by the CCPA and GDPR legislations passed will have any effect on shadow code, our influencers agreed that the legislation is far too new for us to have a true impact. They also highlighted how some of the world’s biggest brands – Marriott Hotels, British Airways – thought they were compliant, but were sorely mistaken. 

What will the future hold?

Q10: Where do you see the issue of #ShadowCode in 5-10 years?

— IT Security Guru (@IT_SecGuru) September 16, 2020

We saved the big question for last: What now? All of our influencers agreed that shadow code is not going anywhere, with carrying degrees of optimism: While Quentyn Taylor suggested that “This will be a issue that will get far worse before it gets better” due to the products that can’t be update, Richard Stiennon was more positive in his outlook, stating that signing code would be a great start. 

Jamie O’Meara argued the natural proclivity for change and development in Application development will mean we are likely to see far more shadow code over the next decade, and Kim DeCarlis agreed that the desire for speed and agility in web development means that shadow code is absolutely not going anywhere soon! 

To find out more about shadow code, and how your business can defend against it, please visit the resources on the PerimeterX website.

The post Tweet Chat: Exploring the hidden world of Shadow Code appeared first on IT Security Guru.

We wanted to find out what trends had been seen, how organisations should go about ensuring security is being kept as a priority, the impact Covid-19 will have and the importance of having a strong security culture during this time of uncertainty. To help us answer these questions, we were joined by KnowBe4’s security awareness evangelists. KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform so they are best placed to give the necessary insight into the phishing trends which was where we started the Tweet Chat…the evangelists were certainly happy and eager to get started…

Current mood #AskKB4 https://t.co/lQk3tRfxp7 pic.twitter.com/27dNcNccMT

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Noticeable trends and surprise tactics used by Hackers

A1: Ransomware, Data breaches have held steady. With the recent ShinyHunter data leaks due to phishing attacks. Phishing will not go away until more organizations provide training and this attack vector is no longer successful for the cybercriminals #AskKB4 #phishing https://t.co/fQL4mL11jJ

— James (@James_McQuiggan) July 29, 2020

Nearly every trend has been linked to the 'rona. The impromptu "digital transformation", wfh, attacks against home workers and home infrastructure, lots of misinformation. #AskKB4 https://t.co/WA4w1HKhaa

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A2: I thought the android ransomware being spread as a Canadian COVID tracing app was interesting. The Canadian govt said they were making one and scammers fired up pages that looked legit and took advantage. Clever #AskKB4 https://t.co/MGDS5vdYv0 pic.twitter.com/kvo8LbbkNs

— Madsqu1rrel (@ErichKron) July 29, 2020

A2 Not a particular scam.. but I do notice the bad guys becoming more bold and blatant in their approach. And they don't really need to be inventive (unfortunately). BEC type scams, for instance, have been around for ages and are still the same #askkb4 https://t.co/QIrREaNmBn

— JellySandwich (@JelleWieringa) July 29, 2020

Will we see a rise in DeepFakes?

We then moved onto the impact the pandemic will have given that face-to-face contact will be limited for the time being and how criminals will leverage this for their own nefarious means…

A3a: #Deepfake attacks are still developing and take too much time and effort to be used in a commodity types of attacks, only high-value targets. Frankly those are still easier to get without all the deepfakery right now #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3b: To avoid being impacted, make sure your processes are set up and people trained to require an out-of-band confirmation, such as calling someone on a known good phone number, before transferring money or sensitive info #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3 As for voice and text phishing. This is far easier to set up and execute. And since a lot of users still find it hard to determine whether something is a fraudulent text or voice message, there is plenty of opportunities for the bad guys to be successful with this. #askkb4 https://t.co/yCzfyrbDxU

— JellySandwich (@JelleWieringa) July 29, 2020

A3: With their “hacker toolboxes”, cybercriminals vary attack vectors to get folks to be convinced of the event – #SMSing or #Vishing to convince people of bank changes,account passwords and click the link, phone the number #AskKB4 https://t.co/frJ0FMHJ1x pic.twitter.com/RfCgdkkaDE

— James (@James_McQuiggan) July 29, 2020

Humans will continue to be important

We then transferred the discussion to the vital role the human workforce plays in keeping organisations safe, especially when facing out of the ordinary threats seen today. Technology will always have its place in cybersecurity, but the importance of the human factor cannot be underestimated. Yet, this also begs the question: how much should be spent on technology vs training?

A4: Humans have always been a huge part and this has only highlighted that as they work form home with fewer technical controls and tools at their disposal. It’s important to realize that it is not their fault, but they ARE the ones targeted so often and get beat up #AskKB4 https://t.co/lI38Yf1nii pic.twitter.com/oCPql9qPtO

— Madsqu1rrel (@ErichKron) July 29, 2020

70% -90% of malicious breaches are due to social engineering humans, so helping the humans make better security decisions is THE best defense you can implement. #AskKB4 https://t.co/2LJ6JAx9lz

— Roger A. Grimes (@rogeragrimes) July 29, 2020

While I believe investing in the human workforce is vital.

Equally so, it's important for organisations to understand where tech controls are effective and appropriate, where procedures are needed and where and when to invest in humans and the limitations of each. #AskKb4 https://t.co/MPMNe2QA8d

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A6: The money needed for annual training is a drop in the bucket compared to the money spent on technology. The training budget is the first cut when it comes to budget cuts for organizations. Provide education & training for the employees vs the cost of a new blinky box #AskKB4 https://t.co/4RHkC0lGDJ pic.twitter.com/9lQbLz6qeY

— James (@James_McQuiggan) July 29, 2020

A6: That depends on where they are now and how much ground they need to make up in one area or another. It also depends on the types of attacks they experience. I suggest using the approach @rogeragrimes takes in his Data-Driven defense book #AskKB4 https://t.co/Kv7RzhqSuy

— Madsqu1rrel (@ErichKron) July 29, 2020

Digging deeper into the training aspect of security, many may overlook the significance security awareness plays in the overall protection of an enterprise. Is there a perception that security awareness training is not necessary?

Yes. It may surprise some people, but we still get a small % of people questioning it's value at all. And we say just look at the data…anyone's data. Good security awareness training significantly reduces risk of compromise and I don't care who's data you use. #AskKB4 https://t.co/mXl3m0Ohpq

— Roger A. Grimes (@rogeragrimes) July 29, 2020

A7 I think a lot of organizations do value it. But find it hard to execute properly. Therefore, they go for the (easier?) technology angle. Showing them (through data) of the need AND the value in security awareness is the way to go to convince them. #AskKB4 https://t.co/KFNRvwro2I

— JellySandwich (@JelleWieringa) July 29, 2020

It also created a discussion amongst the evangelists as can be seen in this thread:

The money needed for annual training is a drop in the bucket: Not always

The training budget is the first cut when it comes to budget cuts for organizations: Any evidence to support this?#AskKb4

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Surviving the current waves of cyberattacks requires the implementation of strong security culture – this should be paramount, but who within an organisation should be leading the way for this approach and how can one measure if they actually have a solid security culture foundation?

A8: It has not only to be talked about by leadership, but demonstrated as well. From the C-suite to line managers, it is important that leadership publicly demonstrate a proper security culture. #AskKB4 https://t.co/tdEjYWocMM

— Madsqu1rrel (@ErichKron) July 29, 2020

In an emergency or new event, most people revert to what they have been trained to do. So, training, no matter how you do it, is important to do. You just need to make sure the training is well done and relevant, however you do it. #AskKB4 https://t.co/rOU3MSE8c5

— Roger A. Grimes (@rogeragrimes) July 29, 2020

Use such metrics as "how many incidents have occurred or been prevented", using a Phish Prone Percentage of the employees. Create different scorecards for different roles, C-Suite, Finance, Developers, R&D, Service etc. #AskKB4 #scorecards https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

Lastly, we moved onto password security.

We continuously read about poor password practises, whether its password reuse or sharing it with another person. So, has the password become obsolete or is there a future for this common layer of security?

A10: Every organisation needs to provide their employees with a password management application, just like applications for spreadsheets, email and databases. Add it to their corporate policies and require the use of it. People can learn it, like email and browsers. #AskKB4 https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

If you agree or disagree or wish to continue the discussion, feel free to reach out to the Guru or any of the KnowBe4 evangelists on twitter with your thoughts.

The post Tweet Chat Roundup with KnowBe4 appeared first on IT Security Guru.

Too much technology?

We began with a question that focussed on technology and the pivotal role it is playing within cyber today. It could be said that organisations have become too dependent on this component of security. But why? Well, the community certainly feel that technology offers an element of convenience that perhaps humans can’t provide.

A1. Yes, and mostly because people and process are hard, or seen to be. Harder than obtaining budget for and buying a shiny box of magic. The best fuse people, process and technology into an interconnected construct, because that is what it is throughout the business. #ITSecGuru https://t.co/T72OK5wr8K

— Ed Tucker (@Teddybreath) June 9, 2020

Well, this started off by going right for the jugular.

I do agree there is a large dependency on tech. Too often we look to solve people problems with tech. When a conversation would usually suffice. cc @LisaForteUK @drjessicabarker @infosecmo @Teddybreath https://t.co/anHQIgxVhb

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A1: Tech is inherent in security; so are people & processes. Latter two get overlooked because it can feel easier to focus on tech. Focus is often on superficial causes of breaches (eg the latest vuln) rather than root causes (eg insecure dev or poor system design). #ITSecGuru https://t.co/0FypiiHtiS

— Jess (@drjessicabarker) June 9, 2020

You are the weakest link, goodbye

Humans also have the added stigma of being referred to as the ‘weakest link’ within security, and so this reliance on technology may seem justified. Yet, by disregarding or not addressing this mindset, organisations are essentially missing the chance to solve a critical problem within the overall security of their organisation, especially as the human factor is essential for any business. Building education and awareness from within is key.

A2: It is an easy buck to pass and root cause analysis is hard for most organisations. Staff shouldn’t have to have the burden of being told “to be secure”. Carrying on with that rhetoric only builds distrust with staff. #ITSecGuru https://t.co/nbGeaUsXz0

— Mo Amin (@infosecmo) June 9, 2020

A lot of this has emerged from a position of arrogance. Security pros feeling like they’re better than everyone else and not looking inwards at where their own shortcomings may be. #ITSecGuru https://t.co/WdKhxlxQCj

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A2: Back in the helpdesk days, there was always the joke of ID10T errors-end users were criticized because they just didn’t know. We fail as cybersecurity professionals if we don’t educate everyone. Understand the basic cyber hygiene measures. #ITSecGuru

— James (@James_McQuiggan) June 9, 2020

What resources should be prioritised?

We then asked whether businesses are investing their resources in the wrong places to tackle security and if compliance was driving this? With global data security and privacy regulations severely punishing those found non-compliant, there is a strong possibility that many business decision-makers wrongfully believe that being compliant automatically means the business is secured.

Compliance can be box ticking. In some industries it is necessary but it doesn’t mean it is sufficient. Focus on the assets that need protection and have a plan for what happens it it all goes wrong and you are breached #itsecguru https://t.co/MADA2N2SGE

— Lisa Forte (@LisaForteUK) June 9, 2020

One error I see often is investing in tech first without understanding the threat landscape and business risk appetite (and priorities) first. Understand what the real issues are and what’s important, then invest resources that add the most value. #ITSecGuru https://t.co/wwk1ebvqd1

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A3: Lack of effective governance and risk management of both their investments and resources. Organizations need to strike a balance between conformance and performance.

— Jaded InfoSec Pro (@edwardmccabe) June 9, 2020

Businesses don’t appreciate the costs or complexity of security nor the risks. Security specialists don’t do a good job of communicating and reconciling this with senior management.

— Tim Morgan (@tjcmorgan) June 9, 2020

What is more detrimental – poor knowledge or poor security?

Next, it was time to find out what the security community viewed more dangerous for a business: a cyber unaware workforce or a security system that has been misconfigured. Well it depends…

A4: This is chicken and egg: a cyber unaware workforce is more likely to have misconfigured systems and not know about it! #ITSecGuru https://t.co/L3TKNMCSSB

— Jess (@drjessicabarker) June 9, 2020

I think both clearly pose risks but users that are unaware of the sensitivity of data, the threats posed by attackers and the common tactics employed leave you (and them personally) fat more vulnerable #itsecguru https://t.co/St5lKl92rv

— Lisa Forte (@LisaForteUK) June 9, 2020

A4 It depends on your environment and what the classification of the data is that’s held on the system. But generally your staff should have an overall understanding of the risks that your business faces and how they can help to keep it secure. #ITSecGuru https://t.co/vGlRXyYH9h

— Mo Amin (@infosecmo) June 9, 2020

A4. Ah…….it depends (FINALLY!)

They each represent parameters of risk. Weaknesses or vulnerabilities which might, or might not be exploited, or controls that might, or might not be effective. Neither is greater than the other without context. #ITSecGuru https://t.co/igJQkXZBF3

— Ed Tucker (@Teddybreath) June 9, 2020

CISO/Security Leaders take note

Where do CISO’s and security leaders go wrong when trying to obtain sufficient backing from the boardroom to enable them to build a security programme? it is clear they have an up-hill battle convincing management on how to invest when it comes to security.

A5: Use the right language, avoid technical jargon and focus on issues from the angle which resonates with your ‘audience’. Familiarise yourself with annual reports for your org, understand the business priorties and consider the wider organisational culture. #ITSecGuru https://t.co/HWKzGwQsUv

— Jess (@drjessicabarker) June 9, 2020

Q5. What are the common mistakes CISOs make when trying to obtain sufficient backing from the boardroom when trying to build a security programme? #ITSecGuru

— IT Security Guru (@IT_SecGuru) June 9, 2020

Invest is needed, but make it the right investment

But what happens if investments are made? We still continue to see data breaches and successful cyberattacks plague organisations of all sizes. So, why shouldn’t we lose hope? Where should CISOs and security leaders focus their efforts?

Step back and examine where your actual risk is. This will help invest time and money more wisely. I really like the approach @rogeragrimes takes to this in his book ” Data-Driven Computer Security Defense”

Many CISOs need to prioritize better and this will help #ITSecGuru https://t.co/qejuhcDlIg

— Madsqu1rrel (@ErichKron) June 9, 2020

This fight isn’t over!!! We need to invest in making the attackers work as hard for their money as we do for ours! We need a plan for if we are attacked and we need to test that plan. Where are the “life ruining” assets- focus on them. #itsecguru https://t.co/r4pTEP68U8

— Lisa Forte (@LisaForteUK) June 9, 2020

Focus on the basics. Incidents will happen. Be prepared.

— Tim Morgan (@tjcmorgan) June 9, 2020

A6. Breaches have always happened, but one of our biggest issues is that we continue to operate in theory, and often scaremongering theory at that. Evidence, facts, demonstrable impact (good and bad). #ITSecGuru https://t.co/Q6iljaal6p

— Ed Tucker (@Teddybreath) June 9, 2020

Building a security culture

For security professionals looking to establish a strong security culture or at least have a platform to build from, here is some advice from our panellists:

A7: I’ve run and helped run culture studies in the past e.g. survey+focus group. Though this only provides a one time baseline i.e. you’ll need to run annual ones. We need to move to a data led quantitative approach… https://t.co/iWakFQB5MG

— Mo Amin (@infosecmo) June 9, 2020

A7. Involve security as little as possible. Engage the people executing business processes. Promote and foster relationships, collaboration, understanding, empathy, talking, but more importantly listening. Let the business lead you. It is their culture not yours! #ITSecGuru https://t.co/6ZBtdXPZ1I

— Ed Tucker (@Teddybreath) June 9, 2020

Culture / behavioural change takes time. So don’t expect things to rapidly change. Measure the behaviours that mean the most to you – train – re-measure to see how that has changed. Tweak and retrain. Think of it like a marketing campaign not a security one. #ITsecGuru https://t.co/fgI8e6ONKw

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A7: Listen to your colleagues in the rest of the business, understand your wider company culture (don’t try to just bolt security culture on!) and recognise that within one organisation there will be many different sub-cultures. #ITSecGuru https://t.co/zopJq2M9gU

— Jess (@drjessicabarker) June 9, 2020

Identify high risk staff (people with access to the good stuff) Give them more in depth or face to face trainings. Get decent awareness training for all. Use phishing tests but look at developing skills not catching people out. Get staff to see the personal impact of cyber crime https://t.co/VC3MvTRMQe

— Lisa Forte (@LisaForteUK) June 9, 2020

To close the chat…

The previous questions generated a great discussion and provided insight around the difficulties, problems and issues security professionals are faced with when trying to tackle cybersecurity. But the last question nails home the significance and importance of having the human element in security.

Yes! Because humans always interact with technology. We all run on the same hardware. We are all subject to similar vulnerabilities and biases so in many ways with the right awareness and culture it is one of the easiest elements of security to fix. We know the weaknesses https://t.co/S4hleD59Ji

— Lisa Forte (@LisaForteUK) June 9, 2020

A8. Yes. There’s humans everywhere throughout the business and security itself. PEOPLE, process and technology. If you ignore the human factor, the whole human factor, you’ll fail miserably. Well, more miserably. #ITSecGuru https://t.co/26wh2PwLU7

— Ed Tucker (@Teddybreath) June 9, 2020

A8: In my up-coming book I cover the technology lifecycle and the fact that people are involved in every stage: design, creation, testing, use, abuse and destruction. So, yes, effective security always involves people! #ITSecGuru #ShamelessSelfPromotion inspired by @J4vv4D

— Jess (@drjessicabarker) June 9, 2020

A8: Fundamentally, we are trying to influence org culture. So in short, yes. Whilst we need to appreciate people, process and technology. We need to delve deeper into the people side of things… https://t.co/jz41P7hPL5

— Mo Amin (@infosecmo) June 9, 2020

Yes, because much like self-driving cars, as much as we’ve advanced technology, I wouldn’t trust it completely without the human factor. Plus involving people can bring about the Ikea effect… https://t.co/D4cfZNkpCp pic.twitter.com/GwvjB6N08c

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

And if you needed any more clarification as to why we shouldn’t solely depend on technology, I shall revert you to this reply…

As long as you have humans in your organization, absolutely.

Even Skynet had to deal with the human factor, just a bit differently #ITSecGuru pic.twitter.com/W3uqiIJWIU

— Madsqu1rrel (@ErichKron) June 9, 2020

If you were unable to make the Tweet Chat, no worries, simply follow the IT Security Guru or search the hashtag #ITSecGuru to see the Q&A.

The post Tweet Chat: The Human factor in Security appeared first on IT Security Guru.