How Likely Is Your Employee To Cause A Data Breach?

“There are decades where nothing happens, and there are weeks where decades happen.” — Vladimir Lenin

“A big change or improvement … in the way that people do a particular activity” is how the Cambridge Dictionary defines a revolution. What the pandemic brought about is undoubtedly a revolution in the “traditional” workplace. Consequently, employees, their digital presence and the devices they use have become the new edge in information security and have redrawn the perimeter organizations must protect. People are at the center of every cybersecurity conversation today, but are organizations prepared to adopt cybersecurity models that put their employees at the center?

Recognizing that 85% of data breaches involve a human element, according to the recently published Verizon Data Breach Investigations Report, organizations need to measure and understand the impact of employee risk on their overall risk posture and mitigate those risks proactively. A breach that begins with social engineering costs businesses an average of $4.47 million, according to IBM’s 2021 Cost of a Data Breach report. Another study found that 60% of employees who failed a cybersecurity quiz nevertheless felt safe from cyber threats, and, incredibly, 74% of respondents who answered every single question incorrectly also felt protected.

We must understand why trained employees perform only marginally better than untrained employees on simulated and actual cybersecurity tests. The reasons current training models fall short are documented in existing research:

- The Ebbinghaus forgetting curve shows that humans forget approximately 50% of all new information within an hour of learning it.

- The human brain can hold only six to nine data points at once before a severe drop in memory and attention.

- Researchers have found that it takes 18 to 254 days to form a habit.

Feedback Is The Breakfast Of Champions

Feedback is a powerful influence on learner achievement, and it is missing from most cybersecurity awareness training platforms. Unless employees are made acutely aware of the risk they pose to their organization (quantified as a dollar impact), the feedback loop of learning remains incomplete.

Similarly, a decreased risk as a result of their efforts — cyber awareness courses attended, phishing simulations passed, remediation of exposed passwords, correctly configured devices, among others — will encourage employees to maintain high standards of cyber vigilance. For this to be possible, cybersecurity needs to be where the user is. Micro-learning via mobile devices increases knowledge retention further, as employees can engage at their own pace and convenience. Furthermore, cyber awareness platforms should be:

- Contextual: Cyber-awareness training should pertain specifically to the business and its requirements. It must consider the geography, industry, revenue and the type of data the organization manages while educating employees.

- Personalized: The content should not be limited to security awareness training; it should also cover topics relevant to employees’ everyday internet behavior, such as social media websites or digital payment applications.

- Dynamic and engaging: Micro-learning modules should be no more than two to five minutes long, with bite-sized, focused material that is regularly updated based on the most recent threats.

How Risk Quantification Can Help

Despite investments in sophisticated security awareness platforms and well-run programs, CISOs continue to face challenges in proving impact and ROI to the board. Their main goal is to show a reduction in per-employee risk resulting from their investment in these platforms. It is time for per-person breach likelihood, its monitoring and its management to become the primary goal, with security awareness training as just one arm of the platform. An employee’s cyber risk can then be quantified holistically, incorporating several other technical controls alongside training.

An overall per-employee risk management platform:

- Helps explain the urgency and allows for differential training of employees in different risk buckets.

- Facilitates decision-making. An organization can require an employee’s risk score to stay below a set threshold before granting access to specific confidential and sensitive data and systems.

- Helps measure training effectiveness and informs training frequency.

- Allows risk scores to roll up to the department level and reveal the overall people-risk of the company. This type of gamification can help departments compete against each other to improve their scores.
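The following Python sketch is an added illustration of the scoring, access-gating and department roll-up described above; it is not code from the article or from any vendor’s platform. The signal names, the weights, the 0.3 access threshold and the employee records are all assumptions constructed for the example.

```python
"""Illustrative per-employee cyber risk score with department roll-up.

Added example, not from the article or any real platform. Signal names,
weights, the access threshold and the sample staff are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Employee:
    name: str
    department: str
    # Assumed signals, each normalised to 0.0 (good) .. 1.0 (bad).
    training_incomplete: float   # share of assigned micro-learning not completed
    phishing_click_rate: float   # clicks / phishing simulations received
    exposed_passwords: float     # share of known-leaked passwords not yet remediated
    device_misconfig: float      # 1.0 if the device fails the baseline, else 0.0


# Assumed weights for illustration only. A real program would calibrate
# them against observed incidents rather than choosing them by hand.
WEIGHTS = {
    "training_incomplete": 0.2,
    "phishing_click_rate": 0.4,
    "exposed_passwords": 0.3,
    "device_misconfig": 0.1,
}


def clamp(x: float) -> float:
    """Keep a signal inside [0, 1] so a bad feed cannot inflate the score."""
    return min(1.0, max(0.0, x))


def employee_risk(e: Employee) -> float:
    """Weighted risk in [0, 1]; higher means more likely to cause a breach."""
    return round(sum(w * clamp(getattr(e, k)) for k, w in WEIGHTS.items()), 3)


def may_access_sensitive(e: Employee, max_risk: float = 0.3) -> bool:
    """Access gate: only employees at or below the (assumed) threshold qualify."""
    return employee_risk(e) <= max_risk


def department_rollup(staff, threshold: float = 0.3):
    """Per-department view: mean for gamification, but also the max and the
    number of people over the threshold, because a mean hides outliers."""
    by_dept = defaultdict(list)
    for e in staff:
        by_dept[e.department].append(employee_risk(e))
    return {
        dept: {
            "mean": round(mean(scores), 3),
            "max": max(scores),
            "over_threshold": sum(1 for s in scores if s > threshold),
        }
        for dept, scores in by_dept.items()
    }


# Constructed sample data; these are not real people or real measurements.
STAFF = [
    Employee("alice", "finance", 0.0, 0.0, 0.0, 0.0),
    Employee("bob", "finance", 0.5, 0.5, 0.0, 0.0),
    Employee("carol", "finance", 0.0, 0.0, 2.0, 1.0),   # 2.0 is clamped to 1.0
    Employee("dave", "engineering", 1.0, 0.25, 0.0, 0.0),
]


if __name__ == "__main__":
    for e in STAFF:
        print(f"{e.name:6} {e.department:12} risk={employee_risk(e):.3f} "
              f"access={may_access_sensitive(e)}")
    for dept, summary in department_rollup(STAFF).items():
        print(dept, summary)
```

The roll-up deliberately reports more than the mean: finance averages 0.233, which looks acceptable, yet one of its three employees exceeds the 0.3 gate. Gating access on a department average would admit exactly the person the score exists to find, so access decisions stay per employee and the department figure serves only the comparison and training-frequency use cases above.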

In a 2017 article, Arun Vishwanath wrote, “Ignoring the end-user is akin to putting better locks on a safe, while forgetting all the many people who have its keys.” He argued that the most significant vulnerability in the whole ecosystem is the user, but that the user can also be its most powerful protector.

Risk quantification aligns employees and security teams by giving them a shared understanding and a shared metric of risk, and of how that risk moves in response to good or poor security behavior. Why not cultivate employees as your early warning system when doing so offers such a strong return on investment? The ball is in our court to go on the offensive. We must embrace the changes in workplace culture and reflect them in cybersecurity — by bringing people back to its epicenter.

This originally appeared in Forbes Technology Council on September 13, 2021: How Likely Is Your Employee To Cause A Data Breach?

Alexandra Jorissen

Ex-Google - Passionate about cybersecurity, building sales teams, GTM strategy, Course Facilitator @ #IamRemarkable | Business MBA, Empowering Women in Cyber!

3 years

Great stuff Saket Modi!
Dr. Sudhanshu Dwivedi

Nanotechnology Consultant

3 years

Great, Saket Modi. You have done great things and are an achiever. #LNMIIT will be proud of its product. Congratulations
Chirag Vaishnav

Helping You Grow | SDE @slice | Ex. ElectricPe | Gold Medalist in B.Tech | Ex. GDSC lead

3 years
