The human element in cybersecurity

AD360 | December 14, 2021 | 3 min read

According to IBM’s Cost of a Data Breach Report 2021, the global average cost of a data breach is estimated to be $4.24 million. Cyberattacks cost organizations time and money, not only in the form of data loss but also through irreversible damage to their reputations, leading to the loss of customers. After security breaches, customer loyalty is almost impossible to regain. With a critical rise in malware threats and ransomware attacks across the world, major corporations are doing what seems like the obvious solution: investing billions in cybersecurity strategies to strengthen their defenses against such attacks. Yet rising technological advancements like ML and AI are being deployed not only by tech-savvy companies but also by attackers themselves.

In the race to develop and implement the latest technology, the greatest cyberthreat itself remains overlooked — human behavior. According to IBM’s 2014 Cyber Security Intelligence Index, it is estimated that 95% of cybersecurity breaches are due to human error. People and technology are two sides of cybersecurity. As important as it is to install the latest security update on a device, it is equally necessary for users to be wary and practice good cyber hygiene. Predictable human behavior is the leading cause of security breaches because it is a lot easier for a hacker to utilize behavioral patterns than to work their way around sophisticated security measures. As much as humans are susceptible to cyber risks, they are also the first line of defense against any potential cyberthreat.

It’s important for organizations to develop and implement cybersecurity solutions to address human fallibility. Since each user’s personal cyber hygiene habits have a large impact on the overall security of an organization, behavioral economics and analytics can be used to understand why users make bad security decisions, like using weak passwords and sharing office devices.

With the impact of the COVID-19 pandemic, which is expected to last for years, it is urgent that we secure our digital environments. While many people worked remotely through the first year of the pandemic, there is now a shift as organizations look to adopt a hybrid workplace model. In a hybrid model, employees will constantly move in and out of offices, and so will their devices. In such a scenario, where employees spend half their workweek at the office and the other half at home, it becomes challenging to monitor and govern their security practices.

Organization-wide awareness

The easiest way to introduce cybersecurity awareness as an organization-wide practice is to educate end users about their role in cybersecurity. The decisions regarding the implementation of the latest security applications are made at the CTO level, but how much of that information is relayed to end users? For instance, phishing emails are a constant threat for any organization. According to Verizon’s 2019 Data Breach Investigations Report, email was the delivery mechanism used in 94% of malware attacks. Nearly all ransomware attacks employ phishing links. Awareness regarding the consequences of simply clicking a link in an unknown email must be spread across the organization. Employees need to know safe practices, and managers need to ensure their teams remain vigilant.

Employees must be required to perform various security actions, such as using MFA, logging in through a VPN, and encrypting sensitive data. Organizations can also do their part by sending company-wide emails instructing employees to complete all the required software updates as and when they are rolled out. With so many employees working remotely, such timely reminders will ensure business continuity with less risk due to human error.

Training with measurable goals

To perform safe cybersecurity practices, employees need to know what those practices are in the first place. Hence, all employees must undergo cybersecurity awareness training. Rather than being tool-specific, training programs must focus on a broader understanding of cybersecurity and the application of safe practices both inside and outside the organization’s premises.

Training must encourage employees to change their behavior and approach to security practices. It must also have specific, measurable goals so that employee learning can be monitored. Methods like e-learning allow employees to learn at their own pace. Setting deadlines keeps them focused and helps in tracking their understanding. Feedback regarding the helpfulness of the training programs must be collected from employees periodically to keep them updated and engaged.

Employees must also be taught to set boundaries while working remotely in order to avoid personal distractions that may lead to risky practices. Such practices have become non-negotiable in hybrid workplaces.

Understanding the bigger picture

Since data breaches can irreparably damage a brand’s reputation, organizations must cultivate a security-minded culture at all levels. Cybersecurity should be integrated with other elements of organizational culture. Every employee should see the critical role they play in keeping organizational data and resources secure. Cybersecurity should be a top responsibility of all employees rather than the subject of an ignored IT email. The importance of cybersecurity practices must resonate with employees so that those practices eventually become part of their behavioral patterns, even outside the office environment, which is essential for a hybrid workplace.

Thus, a robust cybersecurity strategy that is largely people-driven and integrated with technology is the way to go in a hybrid workplace model.