[By Perry Carpenter, chief evangelist and security officer, KnowBe4]
If burglars were breaking into your front door every day, would you decide to protect your windows? This is what cybersecurity practitioners are doing and it makes no logical sense. Nearly 90 percent of cyber incidents are due to human error and yet only four percent of cybersecurity budgets are allocated to training and development initiatives.
The fact is, people cannot be subtracted from the cybersecurity equation; we need people to make it all work. So how can cybersecurity change to being more human-centered or people-focused?
1. Alter Your Mindset: Realize its people over tools
As cybersecurity professionals, we’ve all been in this boat before. We make massive investments in technologies and yet we have this sense of vulnerability because we know there’s a window of error because we’re human beings. It is people who build technology, it’s people who own the digital assets and information, it’s people who attack people and systems, and it’s people that build cyber defenses and processes that protect against these attacks. Regardless of whatever type of automation or AI we use, there will always be a human in the loop.
2. Focus On Root Causes
When a cyberattack succeeds, is it a people or a policy problem? Is it a technology problem? Chances are, it’s a combination of these. For instance, we can certainly blame employees for using easy passwords. But that only addresses the problem with a single user at a time. Wouldn’t it be a better approach to get to the root cause? What is it about the current password policy or implementation that is causing so much password reuse? Does the current process or policy demand a high cognitive load? Or is this just a case of employees not being trained or reminded enough?
3. Learn The Art Of Communication
In cybersecurity, there’s this common misunderstanding and false narrative that people are the weakest link. Security teams can be guilty of having a superiority complex; we’re heroes, we’re trying to do the best thing and other folks are to blame. This creates an antagonistic “us versus them” mindset. Even competent, technical senior people are being scammed by social engineering attacks. Security teams alone cannot win this fight. It necessitates equipping users with the right information to make informed decisions. This information must be explained in a language that resonates.
4. Find Ways To Understand, Empower And Motivate People
Instead of criticizing people, empower and motivate them so they feel confident and valued; they should see themselves as part of the solution. Practice active listening to help understand their perspective instead of judging too quickly. Maybe they’re cutting corners with security because current processes are preventing them from accomplishing their work. Are there incentives that can be offered to excite or motivate them? Can you run contests and games to make it more fun and engaging? Explain that cybersecurity isn’t something that only impacts the organization, it can also affect their families. Avoid taking a fear-based, punitive approach.
5. Decrease Burden On People And Increase Usability
When considering usability, it is common for it to be an afterthought. We develop a product or process and only towards the end do a few people, mostly from the security team, review it. However, it would be more beneficial to engage stakeholders who will use or be impacted by the product or process from the beginning. Gathering their thoughts and feedback through usability testing, not only on the technology but also on security policies and communications, can improve the user experience. By sharing it with a small group of representative users and asking for their feedback, valuable insights can result. Offload repetitive tasks to automation, recognizing that technology can perform certain workloads better than humans. This includes finding ways to prevent phishing emails from reaching users in the first place.
Cybersecurity Helps People Navigate Daily Threats
Previously, we lived in a society where leaving our front doors unlocked posed little concern. We now install digital cameras instead of doorbells, home security alarms and other layers of protection. Similarly, we’re two generations away in cyber where kids coming into the world have a default mindset of being safe online and making good security decisions naturally.
Today, adults find themselves in a similar position, where they need to accept this reality, work with it, and make necessary adjustments. No doubt, there’s been a huge shift in public awareness, recognizing cybersecurity as not only an IT risk, but a business, people and a privacy risk.
While we may not all be experts in medicine, most of us possess basic knowledge of first aid. We carry this knowledge with us throughout our lives, applying it in various situations. Similarly, if individuals have engaged in security awareness programs and phishing simulation exercises, they are more likely to be familiar with social engineering red flags. Their critical thinking skills and security instincts will enable them to quickly adapt to new and evolving threats.
But if no effort has been made to educate or remind people of these risks, the task can become overwhelming and burdensome. To avoid overwhelming users, it is beneficial to regularly supplement their knowledge and skills in manageable increments, tailored to their specific needs, and aligned with their expected level of usability. Make security programs more human-centric instead of being overly reliant on technology.
