When traditional monitoring, with its gaps, no longer helped companies navigate the tricky business of safeguarding assets, more robust ways to fight rampant attacks had to be introduced. Machine learning and artificial intelligence (AI) came in to strengthen cybersecurity. These technology investments replaced error-prone human behaviour by offloading human decisions onto AI.
However, innovations like AI have often not been able to deliver 100% results. Sometimes the face recognition software fails, or the spam filter misses phishing emails. In such cases, human judgment is still essential to fulfil security capabilities. Our expert, Csaba Virag, Director of Capacity Building at Talgen Cybersecurity, believes that “the pace of digitalisation will continue to grow. Internet is the only domain where everyone can have the same access and can use it to their own advantage. In my understanding, human is the end goal in cybersecurity. And being resilient and competent is more complex than it seems.”
The human element is where cybercrime begins and ends as well. We are the most common entry points for data theft and cybercrime. While neither technology nor humans are fail-proof, what are companies doing to fight the cyberwar?
To Err is Human
Organisations are now adopting in-depth cultural change and predictive analytics to reduce human risk. “There is definitely an attitude shift in companies towards cybersecurity post pandemic situation.” Remote working structures have forced organisations to focus on security gaps and work on loose endpoints.
Comprehensive security awareness training equips employees with the best tactics to prevent, respond to and recover from an attack. Yet cybercrimes are situations where prompt response and action are required. Therefore, adaptive learning solutions and scenario-based principles can help people develop situational recall and support critical decision-making.
While such training can be powerful, it is incomplete without analytics that provide actionable insight. In order to reduce opportunities for hackers and educate employees, we have to combat two kinds of human threats – negligence and malicious intent.
Human Negligence
As humans, we can all become cybersecurity risks in multiple forms. From bad password habits to not reporting issues in real time, humans fall prey to their own shortcomings. Thus, hackers target human laziness and fallibility for their most effective attacks. It is reported that 45% of people reuse their main email account password on other services. And with remote working post-Covid-19, relying on the pre-set passwords that IoT devices come with is not adequate security. “The human will click on the link, they will use weak passwords.” As a member of the ENISA Advisory Group, Virag shared that here “the solution will be to not allow them to use weak passwords.”
Additionally, data reveals that people compromise information under a time crunch or when they are in a role-sensitive situation. Similarly, employees tend to self-diagnose problems instead of flagging them to the management. Yearly training can hardly cover such personal behavioural issues as people have limited attention and can’t absorb all the information they just learned.
This is the first lesson for companies to focus on – building situational memory or a habitual response for employees – as a long-term solution.
Secondly, humans tend to get lazy or distracted easily when it comes to technology. Behavioural economists say that employees may defer to the option of ‘remind me later’ for regular updates and put the system at high risk. Virag stressed “the devices that don’t receive manufacturer support; we have billions of devices that are not updated and are vulnerable. They can be exploited as a network of bots.”
Here, it becomes crucial to instil clarity and transparency about the policies and why they exist. Basing such policies on behaviour makes them a self-enforcing metric that prompts people to take timely action whenever required. “Legislative background on a global level shall also be established supporting that manufacturers and service providers are compliant with the expected cybersecurity practices.”
Malicious Intent
Though data suggests most individuals do not have malicious intent, some do. From a trust standpoint, organizations struggle to find the right talent with employable skill sets who can securely manage and sustain the environment.
You can provide extensive training to your employees, but that isn’t likely to change behaviour to a large extent. Training lacks a concrete sense of how to make what they learned actionable. Thus, organizations started investing in technologies designed for insider-threat detection and behaviour monitoring.

Yet, controlling malicious intent is quite tricky. “It’s a lot easier to get credentials from a person than figuring out the system, getting the right resources unless the used system has commonly known vulnerabilities or security measures are easy to bypass and it is easy to exploit.”
As an organization, while administering workplace monitoring to reduce insider threats, you might be ignoring the employees’ right to privacy. This can undermine your attempts at security and lead to cultural rifts and loss of trust amongst employees. Adopt solutions and policies that enable inclusion and provide immersive training experiences. Keeping data security as a priority has to be a collective effort from all levels of the organization.
Learning is the Key
Cybersecurity is fundamentally a people problem. As long as we are willing to learn and grow, reducing cyber attacks is possible. The same human elements that pose threats can in turn be utilized for the growth of cybersecurity.
According to experts, the phenomenon of social proof can have powerful effects here. People tend to be influenced by others who are similar to them, and they are willing to learn how to act from them. In the enterprise setting, employers can leverage social proof to help employees identify desirable behaviours and motivate them to adopt them.
Likewise, training sessions should not be limited to one-way knowledge transfers. They should be an ongoing process and have built-in feedback for employees to learn about their errors and how they can avoid them in the future.
Many organizations are still not aware of the usefulness of creating a culture of cybersecurity, while many others are coming together to combat these challenges. As Csaba Virag believes, “It’s a joint effort. You need to have different aspects and professionals together.”
It only takes one in a million to breach security and cost the entire enterprise. “It’s like getting ready for the competition. Exercise, exercise, exercise.”

