We talk a lot about the technical elements of cybersecurity, from software vulnerabilities to DDoS attacks, but the data is in: humans are the weakest link in any security program.
Over 74% of all breaches include a human element, and over 30% of incidents and breaches result from people inside the organization, acting either deliberately or accidentally. What's more, social engineering attacks remain lucrative for cybercriminals, with Business Email Compromise (BEC) having doubled.*
External bad actors, mostly organized crime acting on financial motives, are handled through robust cybersecurity: vulnerability management and patching, security incident and event monitoring, and reliability programs that help restore services during an outage or ransomware attack. The technical controls are the easy part; dealing with cybersecurity threats from within requires a different approach.
Understanding the Problem
According to the 2022 Gartner Drivers of Secure Behavior Survey, 74% of employees would violate cybersecurity policies to meet or to help team members meet business objectives. 67% use the same password for different accounts, 61% have sent sensitive information unencrypted via email, and 93% acknowledge that these actions increase risk to the enterprise.
Increased speed and convenience and experiencing no adverse consequences for their actions are the most common reasons employees engage in insecure behavior.
In short, employees will prioritize business needs over protecting the organization. They believe the business's needs outweigh the potential risk, and they make a conscious decision to accept that risk.
In other words, security awareness has succeeded, but security diligence, the presumed outcome of security awareness, has not.
Three Practical Recommendations to Prevent Human Error in Your Business
Here are three actions you can take today and over the following months to help you minimize the potential for human error.
Consider the Human Experience When Designing Security Controls
Security programs should be as frictionless as possible, making it easy for security controls to fade into the background of day-to-day work. Controls that are complex or difficult to navigate will invariably be circumvented or ignored, which can expose organizations to unnecessary risk. Security teams should work with their business partners to understand the organization's day-to-day reality and how to best interweave the security controls to decrease disruption. This allows security to be an enabler of business rather than a disabler.
Techniques such as nudging, which uses positive reinforcement to direct behavior and make the desired behavior the path of least resistance, are helpful here, as is organizational change management.
Make it Easy for People to Admit When They've Screwed Up
This recommendation is good for organizations even beyond the security context, because it creates a culture where people, including leaders, can admit when they've made a misstep. In the security context, however, it pays literal dividends.
BECs often result in a loss of funds for an organization, whether through the purchase of gift cards or the transfer of funds. It is not always possible to recoup the funds lost in a BEC, but to have any opportunity to do so, speed is of the essence. Therefore, an individual's willingness to speak up when they realize they have made a mistake is paramount.
This recommendation also supports people who may make quick decisions in favor of business objectives and then begin to feel the cold breeze of dread in the aftermath. Of course, we want people to always act in a secure manner – but when they haven't, we want them to admit it before the organization feels the ramifications.
Use Artificial Intelligence & Data Analytics to Monitor Behavior
Artificial intelligence can be used to monitor behavior for deviation from a baseline and alert security teams as necessary. Data analytics can help identify causal links between behavior and incidents, as well as trends and event correlations, which inform security teams and enable better decisions about what works, what doesn't, and where the organization is most exposed. This allows a security-by-design culture to be tuned toward the areas where the organization's security controls are least adhered to, so that those controls can be redesigned or given more training and focus.
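One way to implement the baseline-deviation monitoring described above, as an added example that is not part of the original article: each user's current-week count of control bypasses (such as sending sensitive data unencrypted or reusing a password, both behaviors the survey above reports) is compared against that user's own history, and bypass totals are ranked per control to show where adherence is weakest. The users, departments, control names and weekly counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real telemetry):
# (user, department, control bypassed, weekly bypass counts).
# The last count is the current week; the earlier counts form the baseline.
SAMPLE_EVENTS = [
    ("alice", "finance", "unencrypted_sensitive_email", [1, 0, 1, 1, 0, 9]),
    ("bob",   "finance", "unencrypted_sensitive_email", [2, 3, 2, 2, 3, 2]),
    ("carol", "sales",   "password_reuse_detected",     [0, 0, 0, 1, 0, 0]),
    ("dave",  "sales",   "password_reuse_detected",     [5, 4, 6, 5, 5, 12]),
    ("erin",  "hr",      "public_share_link",           [0, 0, 0, 0, 0, 1]),
]


def zscore(history, current, min_std=1.0):
    """How many standard deviations 'current' sits above the user's own baseline.

    min_std floors the denominator so that a user with a flat history
    (standard deviation 0) does not turn a single event into an alert.
    """
    std = max(pstdev(history), min_std)
    return (current - mean(history)) / std


def flag_deviations(events, threshold=3.0):
    """Users whose current week is at least 'threshold' std devs above baseline."""
    flagged = []
    for user, _dept, control, weeks in events:
        history, current = weeks[:-1], weeks[-1]
        z = zscore(history, current)
        if z >= threshold:
            flagged.append((user, control, round(z, 2)))
    return flagged


def bypass_rate_by_control(events):
    """Total bypass events per control across all weeks, most-bypassed first.

    This is the 'where are controls least adhered to' view: the top entries are
    the controls to redesign or retrain on first.
    """
    totals = defaultdict(int)
    for _user, _dept, control, weeks in events:
        totals[control] += sum(weeks)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for user, control, z in flag_deviations(SAMPLE_EVENTS):
        print(f"ALERT {user}: {control} at z={z}")
    for control, total in bypass_rate_by_control(SAMPLE_EVENTS):
        print(f"{control}: {total} bypasses")
```

In the sample data, erin's single event on a flat history is not alerted because of the floor, while alice's and dave's jumps are; in practice the threshold and floor are tuned against the organization's own event volume.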
In Conclusion
Human behavior most influences an organization's cybersecurity posture. By leading with human-focused solutions when designing controls, creating a culture that allows individuals to speak up when they realize they have bypassed the controls, and using artificial intelligence and data analytics to identify deviation from baseline and links between behavior and incidents, organizations can begin to improve their stance, decreasing breaches and incidents and increasing employee engagement in the cybersecurity program.
Melissa is a seasoned strategist with deep expertise in integrating risk management and security operations solutions into successful digital transformation initiatives. Follow her on LinkedIn.