The cybersecurity market provides excellent solutions and services for combating the threats that cybercriminals exploit. But are these tools enough to fully protect a company? It is clear that human error is a powerful attack vector for many popular cybercrimes. Yet with the right training and education, frontline personnel can become one of the most effective allies in warding off an attack.
The human cyber risk
According to the latest Verizon Data Breach Investigations Report (DBIR), 85% of cyberattacks are due to human error. This can involve a wide variety of interactions, from clicking malicious links to sharing passwords or accidentally deleting files or data.
In a workplace, people often juggle many different things at the same time: trying to meet deadlines, responding to emails and taking multiple calls. In such a high-stress environment, it is easy to see how mistakes happen. All it takes is a momentary lapse in vigilance, and that is exactly what cybercriminals hope for. In addition, employees take part in many activities without realizing that they increase the company's cyber risk, such as sharing passwords or sharing information in an insecure manner.
One of the most common security weaknesses that employees contribute to is improper password protection. A company may have all the security safeguards in the world, but a weak password can be exactly what a criminal needs to gain access to a corporate account or network. Cybercriminals know that human error is a reliable attack technique, so weak passwords are usually the easiest way in. In fact, the 2020 DBIR showed that 80% of security breaches related to hacking involved stolen passwords and credentials.
People are also still very vulnerable to phishing attacks, which are becoming more sophisticated. Business Email Compromise (BEC) is particularly effective at convincing employees to give out sensitive data or transfer funds. BEC is often aimed at a senior executive's account and allows an attacker to send email from it. Colleagues, partners, suppliers and customers can all be contacted with fraudulent messages and are unlikely to suspect anything, because the messages appear to come from a trusted source.
Phishing became particularly popular as heightened emotions ran high during the pandemic, with one source reporting a 220% increase in attacks over that period.
The increase in home working during the pandemic has only exacerbated many human vulnerabilities. At home, in a familiar environment, people can be even less vigilant and cyber-aware. There is no security professional physically nearby to turn to for a second opinion when you receive a suspicious email, or to ask before you share a file.
Employees are likely to be much more carefree in the way they use their devices if there is little visibility into how those devices are used. Relaxed network usage also increases the security risk. Home networks are generally less secure than company networks, so if remote workers access accounts and data over their home WiFi, there is a greater chance that an attacker will exploit these weaknesses.
The blurring of the boundary between work and private life carries risks and increases the need for comprehensive security guidelines that take into account special circumstances such as working from home.
Organizations that haven't done so already are beginning to realize that their own employees can be a real security risk. Of course, increasing cyber awareness will have little impact on malicious insider attacks, but there is more that companies can and should do to engage employees and promote good cybersecurity behaviors and attitudes.
Cultivate a culture of cybersecurity awareness
If human error is responsible for the majority of data breaches and cyberattacks, it makes sense to address and improve the cyber vigilance of a company's workforce in order to contain the threat. While many companies have cybersecurity programs in place, many still need to step up their efforts to keep cyber awareness at the forefront of all employee activity.
Regardless of whether training is provided by an in-house IT team or an external company, around 11 cybersecurity sessions per year is recommended as the optimal number for employees. Supporting simulations or fake phishing emails in between sessions can also be useful for tracking the effectiveness of the training.
Most employees will have heard the terms "phishing" and "cyberattack", but without adequate education about the risks and what they mean for the company, there is little chance of engagement, loyalty and action. Because of this, it is important for leaders to understand the key areas where employee cyber vigilance is required and the implications for the overall security of the organization.
Promote good security behavior
Making sure employees are recognized when they apply cybersecurity best practices in their daily work goes a long way toward promoting this behavior. Likewise, it is important to avoid punishing an employee who makes a cybersecurity mistake. Scare tactics are usually counterproductive in the long run, and the possibility that an employee will not report future mistakes for fear of retaliation is too great a risk for your company.
Monitoring employees to some extent is an important part of ensuring a safe business environment: it helps identify suspicious activity and prompts timely responses. When implementing a monitoring solution, however, it is important to be transparent with your employees so that they understand the methods and the reasoning behind them, and do not feel micromanaged out of mistrust.
Early awareness training
The best time to start training employees is when they first join the company. By making cybersecurity an integral part of your onboarding process, you send a clear message right from the start that your company takes cybersecurity seriously and values everyone's involvement in maintaining that security.
Cybersecurity policies can be a great way to make clear to employees what is expected of them in relation to the company's security practices. These can be introduced in the onboarding phase by requiring every new employee to read, accept and adhere to these guidelines. Many recognized security standards and regulations require the creation of such guidelines; the timing of implementation is up to each individual organization.
The benefits of a cyber-conscious workforce
In a management role, ensuring adequate and regular cybersecurity training for employees can do wonders for a company's security. This not only reduces human cyber risk, but also empowers employees and shows them that they are an important part of the company's protection.
Employees feel more confident using technology when they know what to watch out for and how to deal with potential threats. This is likely to reduce stress and improve productivity, resulting in an overall positive impact on the work environment. Nobody in a company wants to experience the consequences of a cyber incident, which often creates an atmosphere of mistrust and fear. Taking a proactive approach to increasing cyber awareness will help avoid this.
Investing in the latest cyber threat defense software is only part of the cybersecurity puzzle. While technical solutions definitely have their place, involving the most valuable resource, the people, is the best way to increase that security. Fortifying the front line is often the best method of defense.
About the author: Clive Madders is CTO and Chief Assessor at Cyber Tec Security. He works directly with companies going through the Cyber Essentials certification process. With over 25 years of experience in the cybersecurity industry, he has built an extensive repertoire that offers managed ICT support services, Cyber Essentials certifications and advanced security solutions to improve the cybersecurity maturity of companies across the UK.
Publisher’s Note: The opinions expressed in this guest authoring article are those of the contributor only and do not necessarily reflect those of Tripwire, Inc.