The cybersecurity market offers excellent solutions and services to combat the threats exploited by cybercriminals. However, are these tools sufficient to fully protect an organization? It is clear that human error is a powerful attack vector for many popular cybercrimes, so the best way to strengthen any security program is to create a cyber-aware workforce. After all, with the right training and education, frontline personnel can become one of the most effective allies in preventing an attack.
Human cyber risk
According to the latest Verizon Data Breach Investigations Report (DBIR), 85% of cyber attacks are the result of human error. This can involve a variety of interactions ranging from clicking on malicious links to sharing passwords or accidentally deleting files or data.
In a workplace, employees often juggle many different things at once, trying to meet deadlines, answer emails, and take multiple phone calls. In this kind of very stressful environment, it’s easy to see how mistakes happen. All it takes is letting your guard down for a moment, and that’s exactly what cybercriminals hope for. In addition, there are many activities that employees take part in without even realizing that they are increasing the cyber risk to the business. These activities include sharing passwords or sharing information in an insecure manner.
One of the most common security weaknesses that employees contribute to is inadequate password protection. A business can have all the security defenses in the world, but a weak password can be exactly what a criminal needs to gain access to a corporate account or network. Cybercriminals know that human error is a reliable attack technique, so weak passwords are usually their best bet. In fact, DBIR 2020 reported that 80% of hacking-related breaches involved stolen passwords and credentials.
People are also still very susceptible to phishing attacks, which are becoming more and more sophisticated. Business email compromise (BEC) is particularly effective in convincing employees to transmit sensitive data or transfer funds. Often targeting a senior executive, business email compromise allows an attacker to send email from that account. Colleagues, partners, suppliers, and customers may be contacted with scam messages but are unlikely to question them, as they appear to come from a trusted source.
Phishing became particularly popular as emotions ran high during the pandemic, with one source reporting a 220% increase in attacks during that time.
The increase in working from home during the pandemic has only exacerbated many human vulnerabilities. When at home in familiar surroundings, people can be even less alert and cyber-aware. There is no security professional physically present to turn to for a second opinion if you receive a suspicious email, or to ask before sharing.
Employees are likely to be much more careless about how they use their devices when the organization lacks visibility into them, and organizations particularly struggle to manage the use of mobile devices by remote workers. A relaxed attitude to network use further adds to the security risk. Home networks tend to be less secure than any corporate network. So, when remote workers attempt to access accounts and data over their home Wi-Fi network, there is a higher chance that a malicious actor will exploit these security holes.
Blurring the boundaries between work and personal life creates risk, which increases the need for comprehensive security policies that cover special circumstances such as work-from-home behaviors.
Companies that have not yet done so are starting to recognize that their own employees can be a real security hole. Of course, improving cybersecurity awareness will have little effect in the event of deliberate insider attacks, but companies can and should do more to engage their employees and encourage cybersecure behaviors and attitudes.
Cultivate a culture of cybersecurity awareness
Since human error is the root cause of the majority of data breaches and cyber attacks, it makes sense that addressing and improving cyber vigilance among an organization’s staff is the best way to mitigate the threat. While many companies have a cybersecurity program in place, many still need to step up their efforts to put cyber awareness at the forefront of all staff activities.
Whether the training is delivered by an internal IT team or an external company, it has been suggested that around 11 cybersecurity sessions per year for employees is the optimal number. Running simulations or fake phishing emails in between sessions can also be a good way to track the effectiveness of the training.
Most employees have heard the terms “phishing” and “cyber attack”, but without proper training on the risks and their importance to the organization, there is very little chance of engagement, retention and action. This is why it is important that senior managers understand the key areas where employee cyber vigilance is needed and clearly indicate the impact this has on the overall security of the company.
Encourage good safety behavior
Ensuring that employees are assertive when acting on cybersecurity best practices in their daily lives goes a long way in encouraging these behaviors. Likewise, it is also important to avoid sanctions if a staff member makes a cybersecurity mistake. Scare tactics are usually counterproductive in the long run, and the possibility that an employee will not report future errors for fear of retaliation is too great a risk to your business.
Monitoring employees to some extent is an important part of ensuring a secure business environment, helping to detect suspicious activity and motivating prompt responses. However, when setting up a monitoring solution, it is important to be transparent with your staff so that they understand the methods and the reasoning, rather than feeling that they are being micromanaged out of mistrust.
Provide awareness training early
The best time to start engaging employees is when they first join the company. Making cybersecurity an integral part of your onboarding process from the start sends a clear message that your organization takes cybersecurity seriously and values the participation of all employees in maintaining that security.
Cybersecurity policies can be a good way to clearly communicate to employees what is expected of them regarding the organization’s security practices. These can be introduced at the onboarding stage by asking each new employee to read, understand and comply with these policies. Many recognized security standards and regulations require the creation of such policies. The implementation schedule is left to each individual organization.
The Benefits of a Cyber-Aware Workforce
In a management role, ensuring that employees receive proper cybersecurity training, both engaging and regular, can do wonders for an organization’s security. Not only will this reduce human cyber risk, but it will also empower employees, showing them that they play an important role in protecting the business.
Employees will feel more comfortable with technology if they know what to look out for and how to deal with potential threats. This is likely to reduce stress and, by extension, improve productivity, resulting in an overall positive impact on the work environment. The consequences of a cyber incident are not something that anyone in a business wants to experience, as they often serve to create an atmosphere of mistrust and anxiety. A proactive approach to improving cyber awareness will help prevent this.
Investing in the latest cyber threat defense software is just one piece of the cybersecurity puzzle. But, while technical solutions definitely have their place, engaging the most valuable resource – employees – is the best way to improve that security. Fortifying the front line is often the best method of defense.
About the Author: Clive Madders is CTO and Chief Evaluator at Technical cybersecurity. He works directly with companies going through the Cyber Essentials certification process. With over 25 years of experience in the cybersecurity industry, he has built up an extensive repository, providing managed ICT support services, Cyber Essentials certifications and advanced security solutions to help improve the cybersecurity maturity of businesses across the UK.
Editor’s Note: The views expressed in this guest author’s article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.