The human factor: a key element of cyber security

Cristina del Carmen Arroyo Siruela    20 September, 2021

When it is said that a server needs to be hardened, cybersecurity personnel have a clear idea of what that means and what it involves. But what about securing people? Employees are company assets and, as such, are involved in the cycle of generating a service, system or product. Is it enough simply to harden systems and networks and improve productivity processes in order to be secure? What is the importance of the human factor in cyber security?

The article Threats and major cyber-attacks in 2021 highlights the most notable attacks of 2021. Both ransomware and phishing stand out, and both require human interaction in most cases, especially phishing.

In fact, it has been established that 1 in 5 security breaches originate from a direct or indirect employee error, in most cases an unintentional one.

Changing passwords, an action users carry out periodically, is seen as tedious and repetitive, so users fall back on the same password patterns or reuse passwords they have already used on public networks.

This prevents them from seeing and understanding the importance of this type of action for the generation of services or products.

The human factor is a key element of security, as it is involved in all the operational processes of an organisation.

The human factor in cybersecurity

There have been major improvements in applications, hardware, application of AI and Big Data, training and other security actions. Some of these are aimed directly at people, such as training and awareness.

But if there is a growing awareness of cybersecurity in companies, why is the human factor still considered a weak link in cybersecurity?

The human factor should be considered a basic element of cyber security, bearing in mind that all cyber security actions, in one way or another, require human interaction at some point. Technical actions (hardening a firewall), cybersecurity training actions (designing a training plan) and the definition of a security structure are all designed by people.

To address the problem of human error, some professionals have designed methods based on human factor risk analysis. In this analysis, the different risks associated with the human factor and with systems are evaluated, and each risk is assigned a value according to the methodology being used.

Based on the results obtained, security managers can identify the systems and classes of users that are most exposed or vulnerable, and take decisions and measures to mitigate those risks without impacting the rest of the environment. It is this type of action and measure that can help strengthen and improve the relationship between cybersecurity and the human factor.

Security is part of the corporate culture

Commitment to security must be part of the business culture and not a handicap in terms of productivity or service generation. The message that security belongs to everyone and must be applied jointly and in a participatory manner must be reinforced.

This requires cybersecurity plans in which multiple areas participate, contributing their knowledge and ideas and carrying out joint cross-cutting actions. The success of these initiatives requires the leadership of security-related figures such as the CISO or DPI (Directorate of Information Protection).

A company’s management must have first-hand knowledge of cybersecurity plans and be able to convey this to its employees, always advocating a global commitment.

Cybersecurity is an increasingly recurrent topic in company committees and meetings, approaching the weight given to strategy or budgets.

The commitment of all members of an organisation to cyber security will help to reduce the occurrence of cyber incidents and, in some cases, reduce the impact of a cyber incident and make recovery more effective.

Security by default and underlying principle

Not all organisations carry out an analysis after an attack to find out what the error or vulnerability was. This means that the cyber-attack or a similar attack may be repeated because the weaknesses and vulnerabilities, whether structural, organisational or technical, are not known.

The concept of security by default and as a basic principle should be applied to the foundations and structure of an organisation, to the company's internal processes, and to the way employees act at all times, and it must seek the involvement of the whole organisation.

We can take as an example the world of development, where security by default is more widely established as an almost indispensable requirement and as part of the basic design of the product, from the phase of the minimum viable product (MVP) onwards.

Security policies and procedures are insufficient to protect an organisation, especially if employees do not know them or do not apply them.

It is the actions of users, whether by applying measures such as training or by taking security actions, that protect organisations. This helps remove the stigma that security by default hinders or impedes internal processes and work functions in general.

However, a lack of training or a lack of qualified IT security personnel cannot be ruled out as one of the main obstacles to implementing security by default measures. This is a handicap for companies, which require qualified personnel with the necessary skills to perform security functions.

The human firewall is awareness and training

There is no silver bullet that fully reinforces the human factor and prevents it from being the weak link in cyber security. Initiatives such as cyber security training, awareness raising, red team-blue team network exercises, phishing campaigns and refresher training all help corporate cyber security, but they will not prevent cyber attacks and in some cases will not be sufficient to mitigate or contain them. However, the best human firewall is investment and action in awareness and training.

Currently, there are many types of training, capacity building and other initiatives, but it is advisable to innovate in order to capture the user's attention, for example through "gamification" type actions, which encourage the user's own participation and interaction.

Another cybersecurity awareness initiative that could be more stimulating is rewarding and recognising employees who take part in detecting vulnerabilities and security flaws, at both the technical and management level, as opposed to continuously sending out unmotivating and not very visual short awareness pieces.

Awareness and training initiatives are treated as important topics in large corporations, and a large part of the budget is dedicated to them, but they remain unfinished business in small and medium-sized enterprises.

According to PwC's Digital Trust Insights 2021 report, 55% of the companies participating in the study increased their cybersecurity budget during 2021. Training is a key consideration in cybersecurity. Training should not only focus on developing and improving hard skills, but should also value and encourage the development of soft skills in all staff.

The best weapon against cybercriminals is investment in awareness and training of the human factor, a key element for companies.
