We have been hearing a lot about humans being the weakest link in cybersecurity management. We have also seen a lot of surveys and research reports indicating the same. The one below that is attributed to IBM says 95% of all successful cyber-attacks are caused by human error.
What does this mean to a business leader? We shall try to unravel it in this blog post.
“Humans” in your business will broadly mean employees and sometimes suppliers and customers. Here in this blog, we will confine this definition to employees only. Now let us go ahead and see how your employees play a very crucial role in maintaining your cybersecurity posture.
We are all riding a wave of digital transformation where digital technologies are used to create new — or modify existing — business processes, culture, and customer experiences to meet changing business and market requirements and businesses that are slow to adopt will be decimated from existence. Digital transformation has not only exposed but also amplified the inherent vulnerabilities of our businesses and primary amongst them is human resources. I have shared the statistics obtained from the World Economic Forum (WEF) plenary on cyber insurance, which shows a significant portion of the claims made fall under the category “Negligence or malfeasance of employees”.
As business leaders how do we need to address this? Well before we go into it let us quickly understand the cyber challenge we will face as a business from the employees. For this, we need to categorize the employees as unwitting and malicious.
From the above illustration we have seen the ways in which unwitting employees are duped, now let’s look at the ways in which we can reduce the risks, but before we proceed in there, we need to bear in mind the following:
- Employees always have the best intentions for their company
- They are not trying to actively open the door for the hackers
- They just want to do their job in the easiest possible way
- They think that the way they work is most secure
So how do we address this risk? The answer is AWARENESS, AWARENESS & AWARENESS
Create an ONGOING, RELEVANT, AND ENGAGING training program where you will evaluate their weaknesses, educate them, empower them with the tools to securely perform their jobs, and frequently examine them to monitor the effectiveness of the training and to again evaluate if their security skills are relevant and consistent.
As an example, we have seen employees across several businesses having one common security weakness – writing down their access passwords on a piece of paper and to stick it somewhere around their desk. This is like locking your house doors and leaving the keys also around it. Educating the employees to give up this habit is the only the first step but understanding the underlying reasons for this behavior will help us empower them with an improved security perception. In this example, the underlying reason could be forgetfulness, to overcome this we may have to empower them by tweaking the assess control policy that will make life easy for them without compromising the security policies of the organization.
To be continued, in the next post we will see more about malicious employees…
About the author
Sudhakar S Narayan is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified lead auditor in ISO Information Security Management System (ISMS) and ISO Business Continuity Management System (BCMS). He has more than two decades of experience in Information Assurance. He is currently a Principal Consultant and Director at SSD Tech.