What Cybersecurity Can Learn from A Train Tragedy

On the morning of March 1st, 2023, my wife woke me with the saddest news – a terrible train collision had happened near my hometown of Larissa, and 32 people had died. The death toll increased to 57, and a veil of sorrow covered Greece. However, soon enough, sadness was joined by rage and anger.

The head-on collision happened because of a human mistake – the Larissa station master had forgotten to turn the key and direct the passenger train onto the correct line. Rage and anger emerged when we realized that the Greek railways operated without any safety precautions and systems.

In the era when you can track even a single parcel online and where you are being asked several times to confirm the download and installation of a game app, a whole piece of critical infrastructure and the lives of thousands of passengers were relying on the hands of a single employee (and on the hands of God…).

Like the ancient Greek tragedies, we were living at the climax of this disaster, and we sought our own catharsis…

Can we learn a lesson?

Trying to set my grief aside, I believe there are many useful lessons the cybersecurity industry can learn from this tragedy. We constantly say that the human element is the most vulnerable and the most important factor of cybersecurity. The Verizon Data Breach Investigations Report states that 82% of data breaches involve the human element, while human mistakes and errors are responsible for 13% of successful security incidents.

There are two reasons why we deploy and advocate for the establishment of preventive and responsive security mechanisms:

  • To prevent human errors from happening in the first place
  • And to reduce the impact of a human mistake, should that happen

We need to do our homework for these mechanisms to be truly effective and efficient. Nevertheless, security (and safety) relies on three pillars – people, technology, and processes. If one of these pillars is limping, the whole structure will collapse sooner or later. We need, therefore, to enhance and empower all three cyber pillars.

Know your environment

Our environment, the business environment, is constantly changing; new technologies emerge and disrupt businesses, new risks arise, and governments enact more and more security and privacy regulations. Do we understand the status quo of our environment?

Knowing and comprehending your environment is about understanding your strengths and weaknesses. Your strength is your adversary’s weakness. And your weaknesses are an opportunity for a cybercriminal to penetrate your systems and compromise your data. Even human lives can be in danger because of digital weaknesses in critical infrastructures.

Knowing your environment requires due diligence, governance, and comprehensive risk management. The following considerations should be a top priority:

  1. Do you know your regulatory and compliance setting?
  2. Have you got a regularly updated inventory of your systems, endpoints, and apps?
  3. Are you regularly conducting vulnerability scanning and penetration testing?
  4. Do you have the resources to meet compliance requirements and security best practices?
  5. If not, have you considered outsourcing to a trusted managed service provider?

The above high-level considerations are the foundations of good security and safety hygiene. Attackers are humans like you and me. They always look for the easier way in, and the lack of good hygiene is their biggest opportunity. Don’t let your organizational weaknesses become their strength.

Know (and empower) your people

Your people are the most valuable asset you have. Do you know them? Do you understand their perceptions, fears, hopes, and prospects? If we fail to understand what drives and breaks our people from engaging with security and safety, how can we expect they will live up to our expectations?

Although security and safety are about employing proper technologies and processes, they are about humans. Humans configure these tools, and humans operate them. And humans suffer the consequences of a breach or an incident.

Awareness training and empowering leadership are the foundations for building your organization’s security and safety culture. A culture that promotes asking questions and rewarding positive behavior and sets aside repeat offenders and blaming.

Learning theory and teaching technology have evolved over the past decades to include innovative approaches, such as adaptive micro-learning and gamification, and satisfy the distinct learning needs of all adults. Awareness raising can become so engaging and fun that it will empower and motivate your people to see security and safety not as a burden but as an enabler of productivity and innovation.

Final thoughts

This is an article written under an emotional strain. My kids have participated in two demonstrations demanding “Never Again.” Let us not fail them.

We have the technology and the practices to prevent disasters from happening. We don’t have to wait for the disaster to happen in order to act. While a data breach cannot be compared to death, reaction is worse than prevention. Act now.

In memoriam.

What Cybersecurity Can Learn from A Train Tragedy
Scroll to top