Humans are the weakest link in any security chain. It’s a longstanding business message, and with good reason.

Swathes of surveys and studies have concluded that staff are ultimately responsible for the vast majority of enterprise cybersecurity incidents, whether through clicking on compromised links, opening infected attachments, misconfiguring vital security tools, bringing in unpatched equipment, setting easily crackable passwords, or — in a small minority of cases — undertaking malicious activity themselves.

To cite just a few, Experian’s ‘Managing Insider Risk through Training and Culture’ report shows that 66% of data protection and privacy training professionals think their employees are indeed the ‘weakest link’.

84% attendees at Black Hat USA 2017, whose organisations had suffered cyberattacks, attributed those in part to human error. And, global brokerage firm Willis Towers Watson has claimed that it can trace a whopping 90% of cyber insurance claims back to some form of human error or, occasionally, deliberate behaviour.

So, as an IT department, how do you circumvent these issues commonly caused by the one thing (people) you don’t have absolute control over? The message is clear: strengthen your staff.

Organisations that take cybersecurity and data protection seriously need to take employee awareness and training seriously. While many people claim, not completely without evidence, that people can’t be trained in security, the reality is that you can train them to seek out help when needed.

As the proverb goes, you just need to train them to fish, not to cook.

Equip Your Team

A solid foundation of security tools and technologies are essential. Staff cannot be expected to be successful gatekeepers for your organisation’s data and applications if they are not supported with the proper tools to do so.

Get a password manager in place with licences for all employees. Offer up-to-date anti-malware software. And select vendors — when possible — that provide strong authentication options.

Train Your Team

Equipping your team isn’t enough. Make sure your team is aware of how to use the tools they’ve been provided with.

Consistent and clear communication is key for this. Whether it’s a regular email that is sent out on security updates / actions employees should be taking, or holding in-person trainings, employees need constant reminders of what they should be doing, how to do it, and to stay vigilant.

You need to make sure that your team understands what you’re asking of them and why.”

You also need to make sure that your team understands what you’re asking of them and why. For example, they won’t be much help in reporting a phishing email if they don’t know what it looks like, or what the potential consequences could be of a successful phishing attack.

They need to be able to ascertain when it’s okay to open an attachment or click on a link, or to understand what it looks like when their username and password has been compromised.

Most importantly, enterprises must be aware that a great deal of human error stems from staff falling victim to highly tailored attacks – that is, attacks which draw on personal information or individual context to manipulate the target into taking a misstep.

Guide Your Team

Do not neglect the processes and policies required to help your employees be successful security advocates. Set up clear instructions on how to report suspicious security incidents, including where employees need to report them and to whom.

You may wish to provide them with a contact card with important information to keep in their bags or on their lanyards.

Empower Your Team

Most importantly, create a culture of openness. Every enterprise cybersecurity strategy must assume that something will always, if occasionally, slip through.

Staff training and awareness must go beyond helping employees mitigate attacks in the first place, but also make people feel comfortable enough to speak up about the issue or take ownership of a potential security misstep.

Creating a culture of ownership is vital in a strong security architecture. Positive ownership of human error acknowledges that everybody makes mistakes — indeed, that human error is a characteristic part of any organisation — while also understanding that it is important to learn from said errors, and put processes in place to prevent the same ones from being made over and over.

Creating a culture of ownership is vital in a strong security architecture.”

The future of social engineering and human manipulation is likely to be ever more sophisticated. The rise of machine learning and artificial intelligence means that it is getting easier for malicious cybercriminals to develop highly targeted attack techniques — ones which learn from their own successes and failures, and propagate rapidly.

It is therefore essential for organisations to be able to stop the spread of social engineering as fast as possible, and this depends on people and processes as much as tools and technology.

Share this article