Cybersecurity risk is the top concern of CEOs around the world, with high risk and awareness prompting greater investment in network defenses and security functions within systems. But there is one threat that leaders cannot program: humans.
Indeed, recent Verizon research found that the human element continues to drive data breaches, accounting for 82% of all attacks.
“It’s all about humans,” said Perry Carpenter, Chief Evangelist and Head of Strategy at KnowBe4. “Technology, as good as it is, is not effective in stopping everything. And usually, humans are the reason a technology somehow fails.”
Malice and ignorance are not what drive mistakes; “laziness” and stress are
Many organizations assume that employees are breaking security protocols because they have malicious intent or don’t know the rules. Carpenter suggests otherwise.
Instead, he said, most employees fail to comply because of human nature, or more precisely, “laziness”.
“We all have limited energy but multiple tasks to complete each day,” Carpenter said. “When it comes to making decisions, we tend to take the easy route.”
In other words, employees are less likely to follow security policies when those policies get in the way of doing their jobs effectively. Take reporting suspicious emails: organizations typically require employees to follow a set of steps, ranging from taking screenshots and entering relevant details to attaching copies of the message.
These steps bring value to the security team, but they are also time-consuming. That alone is a hurdle to compliance.
Additionally, as a result of the pandemic and the sudden change in work environment, employees may feel overwhelmed. They may also be less inclined to follow security protocols at home than in a work environment, Lauren Zink, security program outreach manager at Indeed, said in an interview with SC Media. “Security teams should work with organizations to care for the mental well-being of employees, identifying and reducing sources of stress for them.”
A recent study from the University of Central Florida also found that violations are more likely to occur on days when employees are under stress, whether from “family demands that conflict with work,” “job security fears” or even “requirements of the cybersecurity policies themselves” that leave employees feeling watched.
“When our mental faculties are overwhelmed by emotions, such as stress, we revert to reflexive and automatic behaviors, including, when it comes to activities online, accidentally giving away a password or clicking on phishing links,” Carpenter explained.
Security Awareness Programs Must Consider Human Nature
Indeed, traditional security awareness programs often rely on this mistaken assumption: if employees know the protocols, they will naturally do the right thing. But human nature causes many to dodge best practices in favor of convenience.
To change the mindset, Zink suggests that leadership not only educate employees about security rules, but also explain why the rules matter to individuals and to the company. Once employees understand the role they play in keeping the organization safe, they have more incentive to follow protocols.
The security team should also use simple language that employees can easily understand. Lance Spitzner, director of security awareness at the SANS Institute, told SC Media that many security awareness programs fail because the people communicating them are highly technical and have advanced training in technology, but not in communication.
“We need to make training sessions more engaging and interactive for employees,” Spitzner said. “And we have to communicate on their terms.”
Partnership between people, policy and technology
Likewise, before blaming employees who bypass security protocols for convenience, organizations should review their policies and revise those that are time-consuming and difficult to follow. Spitzner cites password policy as an example of a critical security control that too often overlooks user experience. Requiring employees to create strong, unique passwords and reset them every 90 days is too demanding and inefficient, and should be simplified with the help of password managers.
Beyond technology, Carpenter suggests that a company’s security culture can be shaped by social pressure. For example, if all managers in the company lock their computers when leaving their desks, employees are more likely to do the same without being explicitly told to.
But if improvements in technology and policy can ultimately take security responsibilities off the shoulders of the individual employee, why should organizations still invest in security awareness programs?
Experts agree that even with the help of automation, the human element will remain an important factor in the cyber landscape. As technology closes more and more gaps, new ones will continue to emerge in an ever-changing ecosystem.
“To keep the environment safe, it should never be one or the other,” Carpenter said. Instead, it should be a “partnership between people and technology.”