Why one of your biggest security risks is human
As many as 88% of data breaches are reported to involve human error. You may be investing in the most robust and up-to-date security technologies available (as you should), but even well-configured controls are routinely undermined by a workforce that does not understand the threats they face or the reasons the controls exist.
The scale of the risk that a workforce poses from a cybersecurity perspective is often overlooked. Many organisations fall into one of two camps: they address the human side of security inadequately, or they barely address it at all. In this blog, we look at why the traditional approach isn’t working, and how the concept of ‘human risk’ can be applied to build a secure culture.
What’s wrong with the traditional approach?
Many traditional forms of cyber-security training simply don’t work, and on closer inspection it’s easy to see why. Far too often, training is treated as a tick-box exercise: something employees complete once a year, strictly for compliance purposes. The human side of security only gets real attention after something has gone wrong, and the response is usually reactive, and sometimes punitive, rather than preventive.
Audits compound the problem. They tend to concentrate on basic training and phishing awareness, and rarely cover other human-related weaknesses such as staff forwarding sensitive work emails to personal addresses. Many businesses also lack the in-house expertise to recognise that the measures they have in place don’t cover every foreseeable risk.
Thankfully, times are changing. Security professionals have recognised that, difficult as it may be, a more comprehensive approach is needed: one that invests not only in security technology but also in a proactive, engaging mindset towards human security practices.
Introducing secure culture
That new mindset is captured by the concept of human risk and the goal of creating a secure culture. Instead of treating security best practice as a function owned by one team, this approach embeds it in the everyday habits and instincts of the whole workforce, so that secure behaviour becomes second nature.
To achieve this, it’s important to understand how human risks materialise, what can be done to prevent them, and how those measures fit into the organisation’s overall cybersecurity control framework. Only then can you give individuals the knowledge and processes they need to manage the risk themselves.
A security training platform is a good place to start in building the workforce’s knowledge base. Properly addressing human risk, however, requires a deeper, layered approach. That should include investigating security incidents from every angle to identify the root causes that recur behind them, risk-assessing those findings, and recommending improvements based on what they reveal.
Why creating a secure culture is the way forward
When employees understand the security risks they’re exposed to, the consequences those risks carry, and the actions that avoid them, embedding a secure culture throughout an organisation becomes far easier. That culture can be built on three pillars:
- Effectiveness: higher levels of employee compliance, with secure behaviour embedded in everyday business practices, which in turn lowers the cost of managing human risk
- Engagement: employees understand what the security controls are and why they exist, so the controls are seen as enabling the business rather than obstructing it
- Sustainability: flexible frameworks tailored to the specifics of the business strike the right balance between security and productivity, and continue to do so as the environment changes
Ultimately, this represents a significant departure from the security approaches of old, so it’s natural that such a change of mindset is difficult for some businesses to make. However, the cost of a breach, and the importance of addressing the risks that lead to one, make it a necessary step.
The businesses that are forward-thinking enough to view security through the prism of human risk management will be best placed to stay secure in the months and years ahead. They will also be signalling to their employees, customers and other stakeholders that they take the human side of security seriously, which strengthens their brand and reputation.
So while an employee clicking a seemingly harmless link in an email may sound trivial, it represents one of the biggest security challenges facing businesses today, and one that the concept of ‘human risk’ can help solve.
Find out more about creating a secure culture in our on-demand webinar: “Mitigating Human Risk: How to build a secure culture”. Watch on-demand to explore how to identify human risk, how risks can be mitigated with existing tools, what a controlled human risk culture looks like, and much more.