The Human Element in Cybersecurity (and why it matters!)
Despite what many would have you believe, cybersecurity is not just about technology; it is also fundamentally about people. While advances in technology and automated security measures play a crucial role in fortifying cyber defences, the human element remains an indispensable part of every effective cybersecurity strategy. We know that human error is a leading cause of cybersecurity breaches, which highlights the importance of making employees aware of the risks and providing adequate training to prepare them.
The Importance of Training and Awareness
The field of cybersecurity is a battleground, with attackers and defenders locked in an interminable arms race for supremacy. New threats emerge, and new solutions arrive to combat them. While the technology component of the puzzle absolutely mustn’t be ignored (see my article on the cybersecurity solution that most organisations lack, in case you missed it), it’s just one side of the equation. We’re all fallible humans with our foibles and our curiosity, and these are traits that can’t be changed with a patch! It’s essential that organisations recognise this among their team members and take steps to mitigate it.
While it may sound somewhat trite and obvious to readers already knowledgeable in the matter, raising awareness of the very real risks involved with cybercrime is a vital step. For information workers, the possibility of receiving a malicious email containing fraudulent information and links should almost be viewed akin to the way electricians view live wires - an occupational hazard. However, you can’t be vigilantly on the lookout if you don’t know what you’re looking for!
Types of Cybersecurity Training
Organisations need to mature to the stage where cybersecurity conscientiousness and best practices become second nature and are built into the very fabric of the organisation’s DNA. This won’t be achieved simply by having an official company policy and mandating that employees read it; if this is the extent of an organisation’s efforts, then it is simply a performative box-ticking exercise. Communication needs to be regular and consistent, and feature multiple touch points and means of delivering the message to ingrain good habits. Here are a few ways this can be achieved:
Workshops and seminars
These provide in-depth knowledge on specific cybersecurity topics and can be a great way to encourage employees to become more conscious and aware of cybersecurity. These interactive sessions, led by cybersecurity experts, provide a personalised forum for team members to learn and ask questions. If an organisation lacks the expertise or resources to provide this internally, it should consider seeking the help of an external resource.
E-learning
E-learning modules offer flexible, on-demand training that employees can complete at their own pace. A series of online courses covering various aspects of cybersecurity, including quizzes and assessments, can be used to reinforce learning, and can be periodically integrated throughout the year at a suitable cadence to ensure that levels of awareness and understanding don’t fade. These can be a fantastic way to improve comprehension for employees that respond better to self-paced learning. The best e-learning solutions keep the training entertaining but short and to the point in order not to impact day-to-day productivity.
Security awareness tests
Organisations can implement solutions such as phishing awareness testing that allow them to create and send dummy phishing emails to employees throughout the year. This shouldn’t be used as a means of negative reinforcement, and people who fall victim to the trick shouldn’t be punished, but these tests do offer a great way to reinforce learning in a realistic yet safe manner. For example, if a person clicks a link that they shouldn’t have, they can be directed to brief, appropriate, real-time training to help reinforce good habits. What’s more, over successive campaigns organisations can measure trends to help guide their security awareness training going forward.
The Role of Leadership in Creating a Security Culture
As alluded to earlier on in this article, the gold standard is creating an organisation where cybersecurity conscientiousness is baked into the underpinning culture. Organisations must strive to make small, incremental improvements until the thought of, for example, clicking on a ‘phishy’ email would never happen because “that’s not how we do things around here”.
As with any aspect of organisational culture, creating a security focus must start from the top. Leaders need to demonstrate a strong commitment to cybersecurity and help set the standard for everyone else to follow. While leaders “talking the talk” by regularly communicating the value of security can be valuable in its own right, they also need to be seen to “walk the walk” – attending training sessions themselves, ensuring there is sufficient time and resources allocated to security awareness and training, etc.
If you’re interested in exploring solutions to help bolster your organisation’s security awareness or if you would like to discuss your cyber security journey more broadly, leave a comment or drop me an email at [email protected] and I’ll be happy to help.
IT Manager at Cyclone Corporate Services Group
3 months ago: The combination of untrained staff and unpatched endpoints can be disastrous, which may lead to WannaCry 2.0. Sometimes, if you can't train staff, then at least patch your system and have an antivirus in place.
Distribution and Partner Manager at usecure.io | Cybersecurity Expert | Leading Human Risk Management for MSPs - Tech Channel Ambassador - 2024 IT Channel Oxygen Top 25 Influencer
3 months ago: So when are we going to talk then?? Great article!
Your Trusted Source for Ireland’s Top IT Talent
3 months ago: Great article, Simon.