The cybersecurity market offers excellent solutions and services to combat the threats that are exploited by cybercriminals. However, are these tools enough to fully protect an organization? It is clear that human error is a strong attack vector for many popular cybercrimes, so the best way to augment any security program is to create a cyber-aware workforce. After all, with the correct training and education, the front-line staff can become one of the most effective allies in preventing an attack.
The Human Cyber Risk
According to the most recent Verizon Data Breach Investigations Report (DBIR), 85% of cyberattacks are the result of human error. This could involve a variety of interactions from clicking malicious links to sharing passwords or accidentally deleting files or data.
In a workplace, employees often juggle many different things at once, trying to meet deadlines, reply to emails, and take multiple phone calls. In this kind of high-stress environment, it’s easy to see how mistakes happen. All it takes is letting your guard down for one moment, which is exactly what cybercriminals are hoping for. What’s more, there are many activities that employees will participate in without even realizing they are increasing the cyber risk for that business. These activities include sharing passwords or sharing information in an insecure way.
One of the most common security factors that employees contribute to is the improper protection of passwords. A business can have all the security defenses in the world, but one weak password can be just what a criminal needs in order to gain access to a corporate account or network. Cybercriminals know that human error is a reliable attack technique, so weak passwords are usually their best way in. In fact, the 2020 DBIR indicated that 80% of hacking-related breaches involved stolen passwords and credentials.
People are also still highly susceptible to phishing attacks, which are growing in their sophistication. Business email compromise (BEC) is particularly effective at convincing employees to hand over sensitive data or transfer funds. Often targeting a senior level executive, business email compromise allows an attacker to send emails out from that account. Colleagues, partners, suppliers, and clients may be contacted with fraudulent messages but will likely think nothing of it, as it appears to come from a trustworthy source.
Phishing became especially popular while heightened emotions were flying about during the pandemic, with one source reporting a 220% rise in attacks during this period.
The increase in working from home during the pandemic only exacerbated many human vulnerabilities. When at home in a familiar environment, people can be even less vigilant and cyber aware. There’s no security professional physically there to whom you can turn for a second opinion should you get a suspicious email, or to ask before you share a file.
Employees are likely to be a lot more carefree with the way they use their devices when there’s a lack of visibility over them, and organizations have particularly struggled to manage remote workers’ use of mobile devices. Being relaxed about network usage further adds to the security risk. Home networks tend to be less secure than any corporate one, so when remote workers try to access accounts and data on their home Wi-Fi, there’s a greater chance of a bad actor exploiting these security gaps.
Blurring the lines between professional and personal lives creates risk, raising a greater need for comprehensive security policies that include special circumstances such as work-from-home behaviors.
Businesses that have not already done so are starting to recognize the fact that their own employees can be a real security vulnerability. Of course, improving cyber awareness will have little effect in cases of deliberate insider attacks, but businesses can and should be doing more to engage employees and encourage cyber secure behaviors and attitudes.
Cultivating a Culture of Cybersecurity Awareness
If human error accounts for the majority of data breaches and cyberattacks, it makes sense that addressing and improving cyber vigilance among an organization’s workforce is the best way to mitigate the threat. While many companies have a cybersecurity program in place, many still need to improve their efforts to bring cyber awareness to the forefront of all staff activities.
Whether training is delivered by an in-house IT team or an external company, it has been suggested that around 11 cyber security sessions a year for employees is the optimal number. Supporting simulations, such as fake phishing emails, sent in between sessions can also be a good way to track the effectiveness of the training.
Most employees will have heard the terms “phishing” and “cyberattack,” but without proper education around the risks and why they actually matter for the organization, there is very little chance of engagement, retention, and action. That’s why it is important for those at a senior level to understand the key areas where employees’ cyber vigilance is needed and to make clear the impact this has on the overall security of the business.
Encourage Good Security Behaviors
Ensuring that employees are affirmed as they act on cybersecurity best practices in their everyday lives goes a long way towards encouraging these behaviors. Similarly, it is also important to avoid punishment should a member of staff make an error with regard to cybersecurity. Scare tactics are generally counterproductive in the long run, and the possibility of an employee not reporting future mistakes for fear of retribution is too great a risk for your company.
Monitoring employees to a certain extent is an important part of ensuring a secure business environment, helping to catch suspicious activity and to motivate timely responses. However, when implementing a monitoring solution, it’s important to be transparent with your workforce so that they understand the methods and reasoning rather than it feeling like a case of micromanagement founded on mistrust.
Bringing Awareness Training in Early
The best time to start engaging employees is when they first join the company. Making cybersecurity an integral part of your onboarding process presents the clear message right from the start that your business takes cybersecurity seriously and values the participation of all employees in maintaining that security.
Cybersecurity policies can be a good way of clearly communicating to employees what is expected of them when it comes to the organization’s security practices. These can be introduced at the onboarding stage by requiring each new employee to read, absorb, and comply with those policies. Many recognized security standards and regulations require the creation of such policies. Implementation timing is left to each individual organization.
The Benefits of a Cyber Aware Workforce
In a management role, ensuring that employees receive proper cybersecurity education that is both engaging and regular can do wonders for the security of an organization. Not only will this reduce the human cyber risk, but it will also empower the employees, showing them that they are an important part of protecting the business.
Employees will feel more confident using technology if they know what to be wary of and how to deal with potential threats. This is likely to reduce stress and, by extension, improve productivity, resulting in an overall positive impact on the work environment. The aftermath of a cyber-incident is not something anyone at a company wants to experience, as it oftentimes serves to create an atmosphere of distrust and anxiety. A proactive approach to improving cyber awareness will help to avoid that.
Investing in the latest cyber threat defense software is only one piece of the cybersecurity puzzle. While technical solutions definitely have their place, engaging the most valuable resource—that is, the employees—is the best way to enhance that security. Fortifying the front line is often the best method of defense.
About the Author: Clive Madders is CTO and Chief Assessor at Cyber Tec Security. He works directly with businesses going through the Cyber Essentials certification process. With over 25 years of experience in the cybersecurity industry, he has built up an extensive repertoire, delivering managed ICT support services, Cyber Essentials certifications, and advanced security solutions to help improve the cybersecurity maturity of businesses across the UK.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.