Dr. ir Johannes Drooghaag, CEO of Spearhead Management and founder of Internet Safety for Kids, recently sat down with us to talk about the real human element behind cyber attacks and about his work helping to educate children and parents about cybersecurity.
How did your career in tech start? What do you do these days?
My career started in applied information technology, and my interest was first in the technical part of that. But I lost interest when I noticed that technology keeps rotating and innovating and reinventing itself so fast that it’s very difficult to keep up. And I started to get very interested in how we can build bridges with the people using the technology and how they can keep up with this enormous pace of technology.
That was more than 30 years ago and, since then, the pace has only increased. But we have not really done a lot to improve how we educate people with technology. So that became my mission. I focus mainly on the human element of technology, and I do that in the field of cybersecurity, of agile management, for digital transformation. We say it is all customer-focused, which in most cases is true. But, in many cases, we forget the people within the organisation who have to work with all that technology.
How do you advocate for this human-centred approach to technology?
I founded a company called Spearhead Management, in which we literally take, first of all, the people. We start with education and coaching, and we do that based on an approach that we could call a gap analysis. Where are we today? Where do we want to be tomorrow? And yes, there will be technology involved. But how can we enable and empower the people in the organisation to make that happen and to become part of that innovation and that digital transformation? And we do that through training. We do that through consulting, through coaching.
I also use my voice on social media. I started to actively use social media three years ago. I’ve been growing fortunately very fast in the last three years. I use that a lot to point out what the human element behind cyber attacks is. What has gone very well? What has gone not so well? And what has gone really, really bad?
And one of the things I do with my team is that, once a year, we publish a report called The Human Element in Cyber Security, and I do podcasts and keynotes around it under the title “The Human Elements in Cyber Security: And It’s Not What You Think.”
Why is it not what we think?
Because when we look at the IT community, there’s a lot of focus on the user error. So you might get the impression that the user is responsible for all cyber incidents. And when we look at the media, we get all the information about the bad fenders, about the vulnerabilities, about how somebody was hacked and everything went wrong.
But when we look at the technical information about these cyber breaches, we see that in more than 80% of them the human element lies in the configuration and the management of technology, so in the technical responsibility behind that technology. Now we should not take that and do the same thing by saying the IT experts are to blame, because that’s not fair nor correct.
A lot of that is leadership decisions. We know in a corporation nothing happens without approval and budget. So, the IT guy can sit there and say “I have to update those machines, I have to replace that software because it’s EOL”. But when that person doesn’t get approval and doesn’t get the budget, I assume they’re not going to pay that out of their own pocket, right?
So the human element is a lot more than just the actual making of failures. The majority of that is leadership. The majority of that is completely failed risk management. If we don’t change the way we manage and lead, we will continue to have these issues.
What would be a textbook example of leadership failure impacting cybersecurity?
There is this beautiful case of Colonial Pipeline, a very high-profile case that was recently all over the media. It started with all kinds of theories about what would have been the case. A theory immediately emerged, with people claiming that a user had opened an attachment. Other people claimed that there had been a case of social engineering, through which all kinds of other theories popped up. Things popped up and they were all over the media and social media.
But then the actual experts analysed it. They found that a VPN account, which lacked basic security measures and had not been in use for a very long time, got compromised. Someone shared that compromised account, including the ID and password, on dark web forums. That account was used for the initial breach of the network, and through that they were able to escalate.
Now there’s one thing that we have to keep in mind. There’s an FBI director who made a very interesting statement. There are two types of companies. The companies who have had their network breached by malicious actors. And the companies who do not know that their network has been breached by malicious actors. And that’s the reality that we have to assume at the moment. That we are compromised and that we must implement all potential and available countermeasures based on that assumption.
The Colonial Pipeline case shows us two things we should focus on. Firstly, abandoned technology. That VPN connection that we are not monitoring, not taking care of and that hasn’t been used for a long, long time: it is still open and available. Secondly, the almost mandatory segregation of network access and segmentation of the network itself, to make sure that you cannot simply hop from one privilege to the next one. All that was not available. Then there is your active monitoring, through which you keep an eye on what happens in your network. If, after five years, you suddenly see a VPN connection pop up, you should react to that. Never happened.
For me, that is a schoolbook example of knowing what should be done and not doing that. An example of having all kinds of interpretations that are not factual at the beginning of the incident and, as soon as the actual analysis is publicly known, is once again the basic step.
And that is what we see in the majority of our research as the real human element behind cyber attacks. When we follow the three basic elements of cybersecurity (patch management, access management, segmentation and segregation), we can prevent more than 90% of all cyber incidents.
You are the founder of Internet Safety for Kids. Can you tell us a bit about this initiative?
We create videos and content to enable parents and children to use the Internet in a secure and responsible manner. We do that with videos and cartoons. The kids love it. We get wonderful feedback, and the most interesting part is that parents write us to tell us that they’re learning from the videos, which they thought were intended for the kids, but we make them on purpose for the kids and the parents. It’s a beautiful project. I love it. It’s a lot of work, but it’s worth every hour that we invest in it.
What sort of cybersecurity advice do you provide in these videos?
Well, there was one episode for which the kids made the entire script from beginning to end.
They said “We have some wonderful advice: we need to inform our parents about what we do, and we should never hide what we do, and we should always explain why we want to do it. But can you please be so kind as to tell the parents that they should listen when we want to tell them something? And if we want to show them something, that they should actually take a couple of minutes?”
So we did this episode created by the kids alone and we didn’t allow the parents to criticise any of it, just focused on saying “Hey parents: yes, we can tell you what the kids should do, but you should have time for them when they want to do what we tell them to do.”
I love that so much. We had so much fun creating that. We encourage parents and kids to learn this together. It’s not that parents give these videos to the kids and say “well, be busy and learn this.” Sit down together, learn this together and use it as an input for discussions with each other. What we’ve learned with the kids is that they’re really actively involved, so they come back to the parents and they say, “hey, I watched this video and look, I’ve done this and it looks good.” And that’s the coolest thing.
For more on the human element behind cyber attacks and IT in general, make sure to follow Dr. Drooghaag on Twitter, LinkedIn or through his website.