Why You Can’t Ignore The Human Side Of Cybersecurity

Cybersecurity leaders are in an interesting situation.

The majority (74%) of CISOs know that human error is the most significant cyber vulnerability in their organizations. And cyber budgets are increasing as organizational leaders grapple with different threats.

Yet a lot of conversations—and cyber investments—revolve solely around infrastructure.

At first blush, this makes sense. After all, the most publicized cyber incidents, from healthcare to casinos, are about infrastructure breaches.

But there’s more to it.

The story behind the story

If you look at the root causes of many cyber attacks, they weren’t about infrastructure failing—they were about human vulnerability.

For example, Canadian pharmacy chain London Drugs was the victim of a ransomware attack; an employee likely clicked a link or downloaded a file that allowed hackers into the system.

Similarly, MGM Casino was the victim of a vishing (voice phishing) attack where hackers impersonated an employee and an IT worker gave them direct access to the company’s internal network.

Other major attacks include a CFO impersonation scam where an employee wired $25 million for a fake invoice.

No amount of infrastructural investment could have prevented these issues. They were, plain and simple, a human problem.

As the saying goes, a stronger wall might protect your castle, but someone leaving a gate open puts even the strongest walls at risk.

What’s a CISO to do?

One common refrain is that the human side of cyber is incredibly complex. Not only do you have to handle training and cultural shifts, but you also have to manage the threat of internal bad actors.

This can lead to a feeling of hopelessness — and to a focus on infrastructure over humans. You may as well focus on what you can control, right?

Here’s the problem: You can’t ignore human vulnerability and expect to make progress on fixing cyber gaps.

What’s more, the increasing frequency of attacks means human vulnerability will only be further exploited until it is properly protected.

So instead of focusing solely on infrastructure, CEOs, CIOs, and CISOs need a three-pronged approach.

1. Find

Organizations need to monitor for risks that apply organization-wide and to individual employees.

The key here is respecting privacy: individual employee information should never be shared, and org-wide data should be aggregated.

For example: Let’s say an employee’s email address was breached.

The employee would see a personal report telling them which email address it was, what site it was leaked from, and what they can do to secure their online accounts.

The organization-wide report would show how many employees are dealing with email breaches, password leaks, or other cyber risks. However, it would not share identifiable information. This gives organizations benchmark data for security-related communications and training without putting personal information further at risk.
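As an added illustration (not code from Protexxa or this post) of the two report types described above, this Python sketch builds a per-employee report and an identifier-free aggregate report from a constructed list of findings; the field names, the guidance text and the small-group suppression threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of detected exposures (not real data): one row per finding.
FINDINGS = [
    {"employee": "a.lee@example.com", "risk": "email_breach", "source": "forum-site"},
    {"employee": "a.lee@example.com", "risk": "password_leak", "source": "paste-dump"},
    {"employee": "b.chen@example.com", "risk": "email_breach", "source": "retail-site"},
    {"employee": "c.diaz@example.com", "risk": "email_breach", "source": "forum-site"},
    {"employee": "d.kim@example.com", "risk": "password_leak", "source": "paste-dump"},
]

# Remediation guidance per risk type (assumed wording); shown only in the personal report.
GUIDANCE = {
    "email_breach": ["Change the password or passphrase",
                     "Enable multi-factor authentication",
                     "Update security/recovery questions"],
    "password_leak": ["Change this password everywhere it was reused",
                      "Enable multi-factor authentication"],
}


def personal_report(findings, employee):
    """Everything the affected employee needs: which address, where it leaked, what to do."""
    mine = [f for f in findings if f["employee"] == employee]
    return {
        "employee": employee,
        "exposures": [{"risk": f["risk"], "source": f["source"]} for f in mine],
        "actions": sorted({a for f in mine for a in GUIDANCE.get(f["risk"], [])}),
    }


def org_report(findings, min_group=3):
    """Aggregate counts only: no addresses, no sources.
    Distinct employees are counted per risk type, and groups smaller than
    min_group (an assumed threshold) are suppressed so a small number
    cannot single out an individual."""
    affected = defaultdict(set)
    for f in findings:
        affected[f["risk"]].add(f["employee"])
    report = {}
    for risk, people in affected.items():
        n = len(people)
        report[risk] = n if n >= min_group else f"<{min_group}"
    report["employees_affected"] = len({f["employee"] for f in findings})
    return report
```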

2. Fix

Once an issue is spotted, you have to fix it. This is logical to say, but it can be more complex in reality when you may not know how to fix the problem.

To bridge that complexity gap, companies need to think again about individual-level activities and organization-wide shifts.

For example, what do you do when your email is breached?

  • Step 1: Change your password or passphrase immediately
  • Step 2: Add multi-factor authentication to the account in case someone tries to log in
  • Step 3: Change your security or recovery questions
  • Step 4: Change passwords or passphrases for your other email addresses and platforms as a precaution

At the organizational level, you may want to consider mandated multi-factor authentication or required password updates every few weeks to minimize the risk of a breach in the future.

This type of insight and guidance needs to be readily available the second a risk, leak, or breach is detected.

3. Fuel

This step goes beyond the individual and into verifying infrastructural weaknesses that might create the opportunity for malicious actors to exploit human vulnerability.

For example:

  • Practicing your response plans with activities like red team vs. blue team simulations
  • Conducting ongoing penetration testing to find weaknesses in your infrastructure
  • Continuous monitoring for potential vulnerabilities or otherwise undetected breaches

It’s not about avoiding infrastructure in favor of human security; it’s acknowledging they are two sides of the same coin and need nuanced attention.

Humans are at the core

For better or worse, your people are your biggest organizational cyber risk—but they are also your greatest potential ally.

The key to making measurable progress and filling cyber gaps is to offer tangible benefits to employees so they continually improve their cyber literacy and hygiene.

For example, it’s not about offering a bonus for completing a training (or punishing employees if they don’t); it’s about asking them to take action they directly benefit from, like helping if their email is breached.

Organizational protection is a benefit leaders accrue, not employees. If you really want to activate your people as an ally, they need to accrue real benefits for themselves.


This post originally appeared on the Connected & Protected Newsletter by Protexxa.


The Cyber Detail: News and resources

Headlines worth reading:

  • 70% of organizational leaders say that a cyber skills shortage creates additional risks (HelpNet Security): In the same report, nearly all (90%) of leaders of organizations that have experienced a breach can attribute the incident at least partially to a skills gap.

Resources, guides, and research:

  • 2024 Cybersecurity Threat and Risk Management Report: The Ponemon Institute published its annual report showcasing data on the frequency of cybersecurity incidents and how cyber leaders are responding, including the statistic that 60% of leaders are increasing budgets in response to growing threats (June 2024).

How organizations can keep employees safer

  • AI is your partner — Malicious actors are using AI to help them; you can use it to help you, too. Ask your software vendors how they are bringing AI into their product to improve efficiency and safety.

  • Make it about employees — In all communications, explain how employees directly, personally benefit. Add the organizational needs at the end, not the beginning.

  • Use carrots and sticks strategically — If your company culture uses rewards and punishments, target them to outcomes, like fastest time to secure your accounts, rather than inputs, like attending a training.

ICYMI: Cyber headlines that still matter

The US Government is banning sales of Kaspersky Lab’s antivirus software (Axios): The sale ban for the Moscow-headquartered company’s software takes effect July 20th, 2024 and current users will stop receiving updates on September 29th, 2024.

French authorities are ramping up security for the Paris Olympics (Politico): Authorities are specifically worried about terrorist attacks, brute force cyber attacks, and misinformation campaigns.

Former leader of the UK National Health Service said more cyber attacks could be on the way (BBC): The NHS previously suffered a significant breach in June 2024.



Marilena Danelon, MA, GSEC, GCIH

Driving Customer Success @ Protexxa | Mastercard Emerging Leaders in Cyber Initiative (ELCI) Class of '24 | Emerging Leaders Can Hack (ELCH) Hackathon Advisory Board

7 months

Thanks for sharing Billy - can't stress it enough how important security is in today's digital world!
