In my two-decade career in cybersecurity, I have observed firsthand that while technology plays a significant role in protecting organizations, the human element is equally crucial. It is often said that the most sophisticated security protocols can be undermined by a single click from an uninformed or careless employee. In this article, I aim to shed light on the often-overlooked ‘human factor’ and provide recommendations to help businesses bolster this weakest link in the cybersecurity chain.
The current threat landscape
The global cybersecurity landscape is complex and ever-changing, with new vulnerabilities and threats surfacing almost daily. We’ve come a long way in implementing Zero Trust Architectures, advanced artificial intelligence (AI) algorithms, firewalls, intrusion detection systems, and more to safeguard our organizations. However, it’s startling to note that most security incidents are not solely the result of sophisticated hacking techniques; they are often aided by human error.
Human errors, such as falling for phishing emails, weak password practices, or accidental data leakage, can leave an organization’s fortified network vulnerable. These mistakes are not limited to junior staff; even executives fall prey to such attacks. Clearly, no one is immune, which makes human factors an urgent concern for every organization. For example, the recent MGM Resorts breach was the result of simple social engineering: the threat actor tricked a help desk attendant into resetting a password without sufficient information.
The cost of negligence
Neglecting the human factor can result in considerable financial loss, damaged reputation, and loss of customer trust. Sometimes, the damage is irreversible. In the wake of an incident, organizations often realize they could have avoided the breach had they invested in adequate human-centric security measures.
Additionally, starting December 18, 2023, the SEC will require public companies to report material cyber incidents within four business days. This will bring greater transparency to investors and customers, and will also shine a spotlight on companies experiencing material breaches.
Strategies to Reduce Human-induced Risks
In a world saturated with cyber threats, focusing solely on technological solutions is akin to building a fortress but leaving the gate unguarded. In fact, Rupal Hollenbeck, President of Check Point, often says that cybersecurity is really about “people, process, and technology – in that order.” By elevating the awareness and understanding of the human factor in cybersecurity, organizations can build a more robust, comprehensive defense against cyber threats.
In my role as an Architect and Evangelist, I strongly advocate for the integration of human-centric strategies into your cybersecurity approach. Remember, the most effective security strategy is one that accounts for both machine and human vulnerabilities.
In my experience, CISOs have reduced this risk by making the following changes:
Phishing attacks
The art of deception is a hacker’s best tool. Employees often fall victim to emails or messages that appear genuine but are designed to harvest sensitive information or install malware. Most organizations limit their defenses to corporate email and ignore the biggest threat vector, the mobile device: Mobile Threat Defense protects employees from falling prey to a texting (smishing) attack delivered through chat applications or personal email running on the same device. In fact, the average cost of a phishing breach is $4.76M, so this clearly needs to be a focus for better protection.
Cyber training
Most organizations conduct a one-off phishing exercise to satisfy compliance requirements and forget that cyber threats are continuously evolving. Employees must continuously update their defenses against these evolving threats.
Regular training on good cyber hygiene is very important for reducing the chance that a human error causes a breach. The good news is that there are many training options, from virtual escape rooms to phishing games to advanced cyber courses.
Credentials management
Security leaders across industries have the challenging task of ensuring that their organization’s digital assets are protected. One of the key aspects of this is password management. Here are some recommended best practices.
The non-technology changes or enhancements to reduce risk
Based on available industry data and surveys, CISOs and CEOs also take advantage of the following non-technology solutions to secure their organizations.
Implement a change control / management system: I can’t overstate the importance of implementing a multi-approval level change control system. In an era of complex cyber threats, the human element often becomes a vulnerability. A multi-tiered approval process allows us to add layers of scrutiny, involving varied roles from tech specialists to executives, effectively reducing single points of failure. This approach minimizes risks tied to human error and ensures alignment with our cybersecurity strategies. It serves as a vital checks-and-balances system, making our cyber-defense more resilient and adaptive to the evolving threat landscape.
Culture of Accountability
Vendor Risk Management
Legal Framework
Incident Response Plan: In the ever-evolving landscape of cybersecurity threats, it is no longer a question of if a security incident will happen, but when. This makes having both an effective Incident Response Plan (IRP) and an in-house Red Team indispensable for any organization serious about its cybersecurity posture.