This is because many organizational approaches to cybersecurity focus heavily on strengthening technology controls instead of addressing the weakest link: human beings.
According to Verizon’s 2022 Data Breach Investigations Report, theft of credentials, phishing, misuse, and human error (accidental actions such as misconfigured cloud settings) are the primary sources of cyberattacks and data breaches. Eighty-two percent of breaches can be traced back to the human factor.
What Makes Humans a Target?
It’s simple. The technology controls are evolving as time passes, but humans aren’t.
Furthermore, most human behavior is predictable, and threat actors can take advantage of our weaknesses (biases, distractions, carelessness, etc.) to bypass even the most advanced security safeguards.
Compromising security systems requires extensive technical knowledge; compromising people requires little more than common sense.
It is time for companies to reconsider their approach to cybersecurity and invest in a human-layered defense instead of focusing solely on a technology-based one.
The latest research from ThoughtLab identifies four significant actions that can help build an effective, human-layered security strategy:
Create a Human Layered Cybersecurity Defense
#1. Improve Cybersecurity Culture Through Regular Training
What employees know about security, how they view protection, what they consider essential, and how they feel about it all shape their actions in the workplace. This is where culture comes into play.
According to Ostermann’s research, security awareness is the primary factor in establishing a security culture.
Through regular education and security awareness activities, companies can influence employees’ behavior, attitudes, beliefs, and habits in ways that positively affect the organization’s overall security posture.
A solid security culture helps businesses comply with laws and regulations and reduces the likelihood of compliance violations, fines, and penalties.
#2. Focus on Changing Behaviors, Not Just Knowledge
The phrase “security awareness” assumes that informing people about security threats or cybersecurity concerns will automatically translate into positive behavior.
It is like a speed limit sign we drive past: we know it is there, but we don’t act on it and don’t follow it. This is often referred to as the intention-behavior gap.
For security awareness programs to succeed, companies must focus squarely on changing behaviors.
This involves integrating security values and principles into the structure of the company until they are embedded in the way it conducts business. Employees then embody these values in their daily work, and their actions and standards rub off on newcomers.
#3. Communicate Risks in a Common Language
Security teams that communicate only in technical terms may not be well received by the rest of the company.
Studies have shown that nearly half of all cybersecurity experts lack soft skills. This can be a barrier to winning senior management’s support for cybersecurity initiatives.
It can also be a deciding factor in a culture-change effort. Security teams must master the art of communicating with business leaders and explaining risks in business terms.
Security programs must also reach employees through communication channels such as workshops, videos and games, security awareness month celebrations, and rewards for responsible security behavior, all of which contribute to culture transformation.
#4. Develop Training For the Times
The threat landscape is changing rapidly, and companies must keep employees informed of the latest techniques and trends used by attackers.
Outdated training methods and ineffective training materials can harm your business. Training should be up-to-date and engaging.
Security teams should ideally use phishing simulation tools so employees can “fail” in a safe environment, understand the consequences of their actions, and build muscle memory.
If you are conducting classroom training, keep the sessions short and bite-sized. Longer sessions are likely to lose the audience’s attention.
A healthy mix of tabletop exercises and presentation material improves the effectiveness of your training.
Employees and departments have varying levels of security maturity. Training must be targeted to their needs and risk level.
Security teams cannot cover all their bases on their own: cybersecurity experts are in short supply, and the attack surface keeps expanding.
Companies must work towards making employees an extended arm of the security team.
Getting the ABCs (awareness, behavior, and culture) right is vital. The sooner organizations recognize this, the faster they will progress towards a secure human layer.