Evidence suggests that cybercriminals can infiltrate 93% of all networks, even though organizations pour billions of dollars into cybersecurity each year. This is because most organizational approaches to cybersecurity are still overly centered on beefing up technological controls instead of focusing on the weakest link—human beings. Per Verizon’s 2022 Data Breach Investigations Report, stolen credentials, phishing, misuse and human error (anything done incorrectly or inadvertently, such as cloud misconfigurations) are the biggest root causes of cyberattacks and breaches. In fact, 82% of breaches can be linked back to the human element.
What Makes Humans Such an Attractive Target?
It’s simple. Technological controls mature with time; humans don’t. What’s more, 93% of human behavior is fairly predictable, and threat actors can easily exploit our weaknesses (biases, distractions, carelessness, etc.) to bypass even the most sophisticated security controls.
Compromising security systems might require extensive skills; compromising people just needs basic common sense. The time has come for organizations to rethink their cybersecurity approach and invest in creating a human-layered cybersecurity defense instead of focusing purely on a technology-oriented one. New research by ThoughtLab highlights four main actions that can help develop a human-layered security defense:
1. Improve Cybersecurity Culture Through Regular Training
What employees know about security, how they perceive it, what they consider valuable and how they feel about it can have a huge impact on their everyday actions, and this is where culture has a major role to play. According to Osterman Research, security awareness is a key driver in building a security culture. By investing in regular training and security awareness initiatives, organizations can influence employee behaviors, attitudes, beliefs and customs, which, in turn, can positively affect the overall security posture of the organization. A strong security culture also helps the business become more compliant with laws and regulations, reducing the risk of compliance violations, fines and penalties.
2. Focus on Changing Behaviors, Not Just Knowledge
The term “security awareness” itself has an assumption baked into it: that if we simply tell people about cybersecurity issues or threats, it will automatically translate into positive human behavior. It’s similar to the speed limit sign we whiz past. We have the intention, but we fail to take the action; we don’t abide by the signpost. This is sometimes referred to as the intention-behavior gap. For security awareness programs to succeed, organizations must be fully focused on behavior change. This means infusing security values and beliefs into the very fabric of the organization itself, to the point where they become ingrained in behavior. Employees live out these values in their daily routines and daily decisions, and such norms can even be infectious to newcomers.
3. Communicate Risks in a Common Language
Security teams that communicate purely in techno-speak may not have mass appeal across the organization. Studies show that 56% of cybersecurity professionals lack soft skills—this can act as a deterrent to gaining leadership support for cybersecurity initiatives and can even be a deal breaker in a culture change exercise. Security teams should learn the art of speaking to the business and communicating risks in business terms. Security programs must also be communicated to employees via marketing and communications strategies such as scheduling workshops, creating videos and games, celebrating security awareness month and rewarding responsible security behavior, all of which can actively contribute to culture change.
4. Develop Training For the Times
The threat landscape is evolving rapidly, and it’s critical for organizations to train employees on the latest trends and tactics used by attackers. Outdated training methods and obsolete training content are ineffective. Training must be both current and engaging. Security teams should use phishing simulation tools so that employees can “fail” in a safe environment, understand the consequences of their actions and even develop muscle memory. If one is conducting classroom-style training, keep it bite-sized and short; longer sessions tend to become dull and unengaging. Use a healthy mix of multimedia, table-top exercises and presentation content so that training is more effective. Departments and employees have different levels of security maturity, which is why training should be curated to their level of interest and security risk.
With cybersecurity talent in short supply and the attack surface expanding outwards, it’s impossible for security teams to cover all their bases. Organizations must therefore work towards making employees an extended arm of the security team. Getting the ABCs (awareness, behavior and culture) right is key here; the sooner organizations realize this, the faster their journey to human-layered security will be.