Strategies for Mitigating the Human Element of Cyber Risk

By Anurag Lal, President and CEO of NetSfere [ Join Cybersecurity Insiders ]
579

The primary cause of the majority of data breaches today is human error. Verizon’s 2024 Data Breach Investigations Report (DBIR) found that 68% of all breaches involved a non-malicious human element in 2023. This data highlights the critical need for enterprises to mitigate the human element of cyber risk to keep digital assets safe and secure.

As cyber threats continue to grow in frequency and sophistication and the human factor remains a threat to cybersecurity, more CISOs than ever (80%) see human risk, in particular negligent employees, as a key cybersecurity concern over the next two years.

Cybercriminals are also well aware that the human element can be a gateway to infiltrating systems and accessing sensitive business information. Bad actors are targeting employees with a barrage of malware, phishing, social engineering, and password attacks designed to exploit human vulnerabilities. Research by Fortinet found that 81% of organizations faced malware, phishing, and password attacks last year which were mainly targeted at users.

There is no doubt that people are critical to the cybersecurity of enterprises. As such, organizations must integrate the human element into data security strategies to transform employees from a cybersecurity vulnerability to a cybersecurity strength.

To mitigate the human element of cyber risk, enterprises must take a proactive, human-centric approach to cybersecurity that includes:

Investing in employee awareness training

Providing regular cybersecurity training that educates employees on common threats such as phishing, malware and social engineering and teaches cybersecurity best practices reduces the risk of human error, helping employees take proactive steps to protect sensitive company data and information. Investing in this training is also the cheapest, easiest way to boost cybersecurity, according to the National Cybersecurity Alliance.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyber threats. Training should address topics such as how to identify suspicious links and attachments, the necessity of creating strong passwords, the importance of adhering to security policies, and the proper procedures for promptly reporting security incidents.

To increase the effectiveness of cybersecurity training, enterprises should also make training role-specific so that it is more relevant and impactful, conduct phishing simulations to help users recognize what real-world attacks look like, and reinforce that everyone plays a critical role in keeping the organization cyber secure.

Setting and enforcing clear policies

Employees can become one of the most effective security controls in an organization when clear cybersecurity policies are established, communicated, and enforced. These policies should prohibit the use of shadow IT (the use of unsanctioned applications that are not monitored and managed by the enterprise IT department) and define acceptable use for BYOD (bring your own device).

Policies prohibiting the use of shadow IT are particularly important for employees to be aware of and understand. The danger of employee use of shadow IT such as unsecure messaging apps lies in lack of IT control. IT teams can’t control what they don’t know about which can lead to unauthorized access to an organization’s IT infrastructure. Setting and enforcing policies that prohibit the use of shadow IT means employees will avoid using apps and tools that can increase enterprise risk exposure to data breaches and compliance violations.

To combat the cyber risks introduced by BYOD, security leaders should establish and enforce BYOD policies that define acceptable use including what devices and apps are permissible. This policy should also outline the security protocols that must be followed such as creating strong passwords, enabling multi-factor authentication, avoiding public Wi-Fi, and never leaving devices unattended.

Implementing a zero trust architecture

Enterprises should also adopt zero trust, a framework that mandates identity verification and authentication for all users and devices, to help reduce the human cyber risk factor and enhance data protection, usability, and governance in the digital workplace. As part of zero trust, enterprises should implement strong identity and access management including multifactor authentication and biometric technologies such as facial recognition. By implementing a zero trust approach, organizations can minimize the risk of unauthorized access, strengthen data protection, and enhance overall security.

Building a strong security culture

Building a strong security culture is critical for mitigating the human element of cyber risk, yet many organizations are lacking in this area. According to a survey of IT and cybersecurity professionals by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA), more than one-quarter (27%) of respondents rate their organization’s cybersecurity culture as fair or poor. A weak security culture is a significant problem for organizations that can lead to the exposure of sensitive business information.

Building a strong security culture in an organization involves not only training but also fostering an environment where employees understand that security is a shared responsibility across the enterprise and where all employees understand their role in reducing cyber risk. Fostering a culture that makes employees partners in safeguarding enterprise data and information goes a long way toward minimizing the human element of cyber risk.

Providing employees with secure by design collaboration tools

When employees are provided with secure collaboration tools, they will not turn to unsecure messaging and collaboration apps that expand the cyberattack surface in organizations. Today, CISO’s are increasingly concerned about the widening attack surface created by the proliferation of these tools in the enterprise. According to data from Proofpoint, 39% of CISOs view Slack/Teams/Zoom/other collaboration tools as one of the top three systems introducing risk to their organizations.

Using secure by design mobile messaging technology closes security gaps created by employee use of unsecure communication and collaboration apps that leave enterprises vulnerable to cyberattacks and data breaches. Mobile messaging platforms designed for the enterprise feature end-to-end encryption (E2EE), protecting data at rest and in transit, ensuring that only the sender and receiver can read messages. The E2EE built into these platforms coupled with robust administrative controls that embed data security and compliance into business communication across every channel reduce the attack surface, providing no point of entry for malicious hackers intent on accessing sensitive enterprise data.

Encouraging reporting of security incidents

To be human is to make mistakes and cybersecurity errors will happen. When employees do err by clicking on a suspicious link or becoming the victim of social engineering, it is important for them to understand how to report security incidents like these. Enterprises should establish procedures and clear channels of communication for reporting potential security incidents or suspicious activities. This allows organizations to initiate the response process more quickly and raise awareness of reported incidents or suspicious activities so other employees do not fall victim to these attacks.

Wrapping up

There is no question that the human element is critical for effectively preventing cyber intrusions. To mitigate the human error behind 68% of the cyber breaches occurring today, enterprises should take a proactive, human-centric approach to cybersecurity. That approach should include investing in employee awareness training, setting and enforcing clear policies, implementing a zero trust architecture, building a strong security culture, providing employees with secure by design collaboration tools and encouraging reporting of security incidents.

Ad

No posts to display