Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
Imagine you receive an email from your CEO instructing you to make an urgent wire transfer to a supplier. Since this email is from the C-suite, you immediately take action and make the transfer, never pausing to think about whether the request was indeed made by the CEO.
This is just one example of a business email compromise attack (also known as CEO fraud), a scam the FBI says inflicted $51 billion in damages to global organizations.
Human Error Is The Primary Cause Of Data Breaches Worldwide
Phishing, social engineering and misconfigurations are some common types of human errors that can lead to the theft of sensitive data, ransomware attacks and infiltration attempts. A 2023 report by Thales claims that human error and misconfigurations are the primary root cause in 55% of all security breaches, making these twin threats the biggest security concern for businesses.
The exploitation of known vulnerabilities is reported to be the second most impactful root cause of security breaches. This usually happens when organizations are slow in reacting to known vulnerabilities (like Log4j) and fail to patch systems regularly, which can be considered another type of human error. As I’ve written about in the past, hybrid work is another one; with more people working remotely, they are prone to distractions and interruptions, which can lead to more security incidents.
As an overview, earlier this year, Verizon released its annual data investigations, which found that 74% of all breaches involve people either via errors, privilege misuse, stolen credentials or social engineering. Overall, I find that organizations still lack focus on the cybersecurity industry’s Achilles heel: people.
Cybersecurity Culture As The Key To Thwarting Breaches
I find that many large businesses that have significant investments in security technologies regularly suffer breaches because few stakeholders view cybersecurity seriously. To tackle human error head-on, I believe organizations must focus on building and nurturing a culture of security; I’ve emphasized in the past how culture is the most important thing to help shape or alter security behaviors, norms, attitudes and beliefs in employees, helping make them more aware and mindful of human errors.
Here are some actionable steps to initiate the process.
1. Assess Your Cybersecurity Culture
Understand whether your employees value cybersecurity. Is there a common culture across departments or do individuals behave independently? Look at reflexes, patterns and behaviors, historical data sets, results from phishing simulation exercises, etc., to assess the security maturity of employees. Including third-party suppliers and partners in this equation can help make your assessment more robust.
2. Review Employee Interactions
Conduct a thorough review of the various information flows and devices as well as your employees’ interactions with high-value and sensitive assets and proprietary data. Understand the usual stresses, triggers and hurdles employees face; identify areas prone to manipulation.
3. Analyze Past Mistakes
Cyberattacks and incidents that occurred in the past are one of the first places that security teams should review to identify weak spots and failings. Try to avoid obsessing over a particular vulnerability reported in the news or being overly influenced by alerts issued by security tools. Instead, look at the whole picture and study the key root causes. You want to understand causes, not just symptoms. For example, malware is a symptom; how the threat infiltrated the business is the root cause.
4. Re-Engineer Tools, Processes And Training
Once you gain a handle on the general vulnerabilities, pressure points and past failures, re-engineer cybersecurity tools, processes and training efforts to achieve the desired employee behavior. Explain to staff why changes are being made to help gain wide consensus and support. It is also important for employees to undergo regular security training. Evidence proves that security training significantly reduces the risk of phishing attacks.
5. Leverage Technology-Based Controls Where Helpful
While excessive use of tools and technology can add complexity to cybersecurity monitoring and management, leveraging AI and automation can help reduce the risk of human error. For example, you can deploy phishing-resistant multifactor authentication to reduce the risk of identity theft and impersonation. You can also promote the use of password managers to improve credential hygiene. Lastly, I recommend that you utilize AI and automation to patch systems, monitor networks, report abnormal behavior, tighten controls, isolate devices for inspection, cut off the network when under attack and carry out incident response.
Addressing human error is a challenging endeavor that requires time, effort and extensive training. Patience is needed, as many employees lack the necessary cybersecurity skills and interest.
A crucial aspect is creating a supportive environment that celebrates security best practices and avoids oppressive, punitive measures. I believe that building a strong cybersecurity culture cannot be left to chance; it must be intentionally cultivated. Therefore, leadership should assume responsibility for culture and set a positive example. By maintaining focus and commitment to fostering a robust cybersecurity culture, organizations can build a secure and resilient future.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here