Ask a security expert what an organization’s biggest risk or threat is, and the answer is almost always “the human factor.” While that could include anybody with access to your network or data, it really means your employees. As someone recently said to me, you can control automations and machines, but you can’t control human behavior.
However, I was surprised when I saw the results of MediaPRO’s third-annual “State of Privacy and Security Awareness Report.” It found that 3 out of 4 employees pose a risk to their organization, failing some pretty basic security awareness practices such as knowing what constitutes PII, recognizing phishing scams or not reporting potential security incidents. Also, despite the high-profile security incidents over the past year or two, the report found that employees are getting worse, not better, at recognizing threats.
“While we think people should get better at this stuff with time, the truth is that the pace of our electronic communication and our engagement with information just goes up year after year after year, and we as a culture struggle to keep up,” Tom Pendergast, chief learning officer at MediaPRO, told me in an email comment. “The pace at which we’re improving our cybersecurity acumen just can’t keep pace with the torrent of data that we’re buried in—and our performance suffers as a result.”
American Companies Focus on Security Training
As part of its “Future in Tech” report, which looked in part at the differences between American and European tech and security adoption, SpiceWorks discovered that U.S. companies turn to end user training as their top cybersecurity tool. This is especially true in smaller companies, whereas larger enterprises will use more of a mix of automation and security awareness training.
Clearly, relying on security awareness training isn’t as successful as it should be. Or perhaps the problem lies with where the security training is focused. The MediaPRO study revealed that the riskiest behaviors are coming from employees in management positions. This is despite the fact that the higher up the management chain an employee is, the more likely that employee is to be targeted for cyberattacks.
Financial Industry is Failing
Perhaps the most stunning result of this study was finding out that employees in the finance sector fared worst of the seven industry sectors analyzed. A whopping 85 percent of finance workers showed some lack of cybersecurity and data privacy knowledge. Usually, the financial industry is considered a leader in cybersecurity, but here again, it is likely the difference between automation and human behaviors. The financial industry has put hardware and software tools in place to protect business and consumer assets, but is it falling behind in security awareness training because it depends too much on automation alone?
Whatever the financial sector—and other industries—is doing, it is benefiting cybercriminals. They know humans are the weakest link and target them with phishing emails and other tactics to intercept passwords and credentials and then sneak into the company network, noted Robert Capps, vice president and authentication strategist for NuData Security, via email. The inability to identify phishing email was another key point from the survey.
“Phishing is not going to end, and companies need to train their employees on how to avoid these scams,” he wrote, suggesting companies consider adding passive biometrics and behavioral analytics to security systems as a way to work with human behaviors to address potential threats.
I have some sympathy for employees. Cybercriminals are relentless and much more sophisticated in their attacks than we are at recognizing them. And it seems as though we are overloaded with news about data breaches.
“We live in an age where stories about cybersecurity are constantly swirling, which can actually create a sense of security fatigue,” Pendergast said. But he admitted that these levels of riskiness are alarming, and it only takes one person to click on the wrong email that lets in the malware that exfiltrates your company’s data.
“Without everybody being more vigilant,” he added, “people and company data will continue to be at risk.”