Improve cyberresiliency by focusing on people. For a safer digital world, cybersecurity plans should put education, training, and user knowledge at the top of their list of priorities.
The most effective defense against cyberattacks is not technology-based cybersecurity solutions but the strengthening of the human factor, according to Perry Carpenter, a cybersecurity veteran and chief evangelist-security officer at KnowBe4.
Verizon Business's 2022 Data Breach Investigations Report found that human factors are the primary cause of security breaches, accounting for 82 percent of all attacks.
Attacks are also intensifying: ransomware rose 13 percent in a single year, a larger increase than in the previous five years.
“As we continue to speed up our progress towards an increasingly digital world, efficient technological solutions, robust security frameworks, and an increased emphasis on education are all playing a role in making sure that businesses are safe and their customers are protected,” Hans Vestberg, CEO and Chairman of Verizon, stated.
Improve The Human Aspect of Cybersecurity
Cybersecurity programs must account for how people actually behave. The strongest defense against cyber threats is a proactive one built on education, knowledge, and involvement.
Verizon’s report shows how costly human factors can be for a company. “People continue to be the weakest link in an organization’s cyber security,” the company says.
KnowBe4, a provider of security awareness training and simulated phishing, recently launched a resource kit designed to help IT and infosec professionals strengthen the human side of their security.
The company said IT professionals face challenges in creating an awareness-based security program.
Carpenter, speaking with TechRepublic, shared the security lessons he has learned over the past years. He warns that although the rising cybersecurity figures are alarming, companies must look past the numbers.
“Unfortunately, knowing about cybersecurity risks is just one aspect of the problem. Being proactive about them and, most importantly, taking action to stop them is what you should spend your time on,” Carpenter said. He explained that even those engaged in security awareness efforts suffer from a fatal flaw: the knowledge-intention-behavior gap.
The knowledge-intention-behavior gap
“Just because the team members in your organization have been aware of it doesn’t mean that they will be aware of it,” Carpenter said.
The fact that breaches continue to occur despite businesses’ investments in security awareness programs for all employees is explained by the knowledge-intention-behavior gap.
According to Carpenter, workers may be aware of the dangers and risks they face, how those threats operate, and what they need to avoid, but they are not taking the steps necessary to keep their company safe.
To reverse this trend, businesses must close the gap between their employees’ knowledge and intentions in order to instill correct behavior.
This requires a highly technical strategy, and the cybersecurity industry has long struggled to work in harmony with human instincts.
Human nature and cybersecurity
Effective cybersecurity programs must work with human nature, because cybercriminal organizations have become skilled at manipulating it.
Organizations whose staff are educated and aware may still ask why their employees remain susceptible to fraud and phishing scams.
The answer, as Carpenter says, has nothing to do with how intelligent employees are. The most effective ways to break into a system rely not on sophisticated software but on manipulating the human mind. Attackers exploit natural curiosity, impulsiveness, the desire to belong, and compassion.
Another tactic borrows the traditional marketing strategy of offering something for free. Clickbait campaigns sent in bulk are highly effective, and for cybercriminals they can be the gateway to a ransomware or malware download.
They may offer money, investment opportunities, or even an unbeatable car wash deal, knowing that people find an appealing offer hard to resist.
Another growing trend is the manipulation of the human psyche. Criminals will exploit anything, including humanitarian crises and natural disasters, to build social-engineering attacks.
In 2020, the FBI warned of emerging scams involving COVID-19. Then, in May 2022, the FBI’s Internet Crime Complaint Center (IC3) warned that scammers were posing as Ukrainian organizations requesting donations.
Cybercriminals can also craft highly targeted attacks using information about employees gathered from social media sites and company websites. When they know that employees respond to an HR manager, a line manager, or the CEO, they exploit that relationship by impersonating people in authority within the company.
“They send fake messages to the CEO, containing instructions to wire money to a fake supplier account, or to induce employees to participate in another business email compromise (BEC) scam,” Carpenter said.
Communication, behavior and culture management
Carpenter said that organizations should offer ongoing security education to their workers in the following three categories:
- Communication
- Behavior
- Culture management
He also shared with TechRepublic the key elements educators can apply to create lessons for each segment.
Communication lessons
- Learn about your audience and what they value.
- Capture people’s attention and engage their emotions. Make your message compelling: don’t just relay facts; use stories and examples to make it memorable.
- Give your team a clear statement of what they must do.
Behavior lessons
- Recognize the knowledge-intention-behavior gap as a reality that affects any behavior you hope to encourage or discourage. Your team members may have the skills they need and may be able to make the right decisions, but your objective is ultimately to influence their behavior.
- Humans are not purely rational. It is our responsibility to support people with instructions, tools, and methods that make secure behavior more comfortable and more natural.
- Place training and tools as close to the actual point of behavior as possible.
Culture management lessons
- Learn about your current culture as it actually is, through culture measurement methods such as surveys, focus groups, observation, and more.
- Create structures, pressures, rewards, and rituals designed to persist and to reflect the distinct differences among groups. Consider identifying potential “culture leaders” who are trained and able to support the attitudes and behavior you want to see within your group.
EPM and phishing simulations
In 2021, IBM found that an attack on an endpoint cost $4.27 million. As hybrid work models become the norm and the threat surface grows with millions of devices connected to corporate networks, security solutions such as endpoint privilege management (EPM) and phishing simulators can address security vulnerabilities.
Accenture recently noted that EPM can help users perform their jobs effectively and safely without risking breaches. EPM grants endpoints a limited set of privileges, removing administrator rights from the baseline and controlling which applications can run.
“Only verified, trusted apps are permitted to run, and they are allowed to run using the least restrictive amount of privileges,” Accenture explains.
Phishing simulations are another security instrument that is becoming essential: they expose weaknesses in the human factor and close security gaps while also educating users about phishing.
With phishing simulations, IT teams replicate phishing campaigns to see how employees react. This helps teams evaluate their security measures, spot weak areas, and learn from the results.
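As an added illustration (not code from the article, KnowBe4 or any vendor), the script below scores a constructed phishing-simulation export per department and measures the knowledge-intention-behavior gap as the share of already-trained recipients who still clicked or submitted credentials. The CSV layout, column names and outcome labels are assumptions.

```python
from collections import defaultdict

# Constructed sample export from a phishing simulation (not real data): one line
# per recipient, whether they had completed awareness training, and what they did.
SIMULATION_CSV = """\
user,department,trained,outcome
alice,finance,yes,reported
bob,finance,yes,clicked
carol,finance,no,submitted
dave,engineering,yes,ignored
erin,engineering,yes,reported
frank,engineering,no,clicked
grace,hr,yes,submitted
heidi,hr,no,ignored
"""
FAILED = {"clicked", "submitted"}  # fell for the lure (link click or credential entry)

def parse_results(text):
    """Parse the CSV export into dicts; the 'trained' column becomes a bool."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rows = [dict(zip(header, ln.split(","))) for ln in lines[1:]]
    for row in rows:
        row["trained"] = row["trained"].lower() == "yes"
    return rows

def summarize_by_department(rows):
    """Per-department counts plus failure and reporting rates (rounded to 2 dp)."""
    stats = defaultdict(lambda: {"sent": 0, "failed": 0, "reported": 0})
    for r in rows:
        s = stats[r["department"]]
        s["sent"] += 1
        s["failed"] += r["outcome"] in FAILED      # bool adds as 0 or 1
        s["reported"] += r["outcome"] == "reported"
    for s in stats.values():
        s["fail_rate"] = round(s["failed"] / s["sent"], 2)
        s["report_rate"] = round(s["reported"] / s["sent"], 2)
    return dict(stats)

def knowledge_behavior_gap(rows):
    """Share of *trained* recipients who still failed: knowing did not become doing."""
    trained = [r for r in rows if r["trained"]]
    if not trained:          # no trained recipients in this campaign
        return 0.0
    return round(sum(r["outcome"] in FAILED for r in trained) / len(trained), 2)

if __name__ == "__main__":
    rows = parse_results(SIMULATION_CSV)
    print(summarize_by_department(rows))
    print("trained-but-failed share:", knowledge_behavior_gap(rows))
```

A high failure rate in a department with high training completion is the gap Carpenter describes, and the reporting rate shows whether the training produced the behavior that actually matters.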
“Even once you’ve achieved transformative outcomes, the journey never ends. The bad actors will always find new ways to thwart the best of our efforts.
The best way to counter this is to keep changing and to be committed to an ongoing process of improvement,” Carpenter said.