
teissTalk: Securing the human perimeter


On 13 February 2025, teissTalk host Thom Langford was joined by Daniela Almeida Lourenco, Chief Information Security Officer, Dutch Financial Services; Rebecca Stephenson, Specialist Lead Lecturer, Highlands College; and Frederick Coulton, Director of UX, CultureAI.


Views on news


The propensity for users to enter customer data, source code, employee benefits information, financial data and more into ChatGPT, Copilot and similar tools is racking up real risk for enterprises. Every time a user enters data into a prompt for ChatGPT or a comparable tool, the information may be ingested into the service’s LLM data set as source material used to train the next generation of the model. The concern is that the information could later be retrieved through carefully crafted prompts, a vulnerability or a breach if proper data security isn’t in place at the service. The sensitive data that employees share usually falls into one of five categories: customer data, employee data, legal and finance, security, and sensitive code. With DeepSeek, which processes data in a much less regulated environment, data protection becomes an even greater challenge. However, organisations don’t want to put their employees at a disadvantage to competitors by banning the use of GenAI. Moreover, in an age of skills shortages, business leaders often judge the benefits of AI to outweigh the security risks.


A paradigm shift?


Phishing simulations are an integral part of cyber security training, but they haven’t eliminated phishing scams. Employees should bear in mind the saying that if an app is free, you are the product, and think about the consequences. Often, employees bring apps into the organisation because they find them useful in their job, and their colleagues start using them too. By the time the security risks posed by the app are revealed, it’s already too late.


Even companies that regard their cyber security training as a success often get breached. Studies in neuroscience also show that the established approach to cyber security training isn’t in fact conducive to learning, which implies that we’ve been perfecting a flawed method. A better approach would be to arm people with information that they then make part of their everyday behaviour; that way, training can target the elements that actually underlie employee behaviour.


People’s behaviour, how they go about their lives and how criminals can take advantage of this should form part of security frameworks. To achieve this, organisations should map out all the threat vectors that humans are exposed to along the full life cycle of an attack. CultureAI’s human threat map covers every stage of a cyber-attack, from reconnaissance and initial access through credential access to discovery and impact. The map was created by red teamers who have used it to attack teams. Among the multitude of threat vectors on this map, phishing is just a single item. CultureAI’s map will be released so that organisations can look at the human-related vulnerabilities of their systems in a different way.


Awareness training might have worked about ten years ago when the number of threat vectors was much more limited than now. However, today we also have many more tools to monitor employee behaviour, as well as what they have access to. Silos between applications and the employee behaviour displayed in them must be dismantled in order to make anomalies detectable – the same account can’t log in from the UK and then from France within 5 minutes. 
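The “UK, then France within 5 minutes” anomaly above is an impossible-travel check. As an added illustration (Python written for this page, not code from the panel or from CultureAI), the following correlates consecutive logins per account and flags pairs whose implied travel speed is physically implausible; the speed threshold, the GeoIP-jitter allowance and the login events are all constructed assumptions.

```python
# Added example (not code from the teissTalk article): a minimal "impossible travel"
# check over constructed login events. Speed threshold and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    place: str  # human-readable location, used only in the alert text

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0, same_place_km=50.0):
    """Return (user, earlier, later, implied_kmh) for consecutive logins by one account
    whose implied speed exceeds max_kmh (about airliner speed). Pairs closer than
    same_place_km are ignored as GeoIP jitter; identical timestamps give speed inf."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km <= same_place_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, a, b, speed))
    return alerts

def demo_alerts():
    """Constructed sample: a benign UK commute and a UK->France login 5 minutes later."""
    t = datetime(2025, 2, 13, 9, 0)
    events = [
        Login("alice", t, 51.5074, -0.1278, "London, UK"),
        Login("alice", t.replace(hour=12), 53.4808, -2.2426, "Manchester, UK"),
        Login("bob", t, 51.5074, -0.1278, "London, UK"),
        Login("bob", t.replace(minute=5), 48.8566, 2.3522, "Paris, FR"),
    ]
    return impossible_travel(events)
```

Running `demo_alerts()` flags only bob’s London-to-Paris pair (roughly 340 km in five minutes, over 4,000 km/h); alice’s London-to-Manchester logins three hours apart stay under the threshold. In practice the login events would come from the identity provider’s sign-in logs once the application silos are joined up.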


The panel’s advice

  • Stop making security the responsibility of employees. Build a security bubble around them instead via automated interventions, so they won’t need to worry about it.
  • Psychology and neuroscience should be applied to cyber security more extensively.
  • Don’t ban tools but provide secure alternatives. 
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543