As the volume and stakes of cyberattacks continue to escalate, organisations are increasingly investing in innovative new services and equipment to thwart attacks.
By Brian Pinnock, EMEA vice-president of sales engineering at Mimecast
But, at the same time, many are still taking a customary, one-size-fits-all approach to securing perhaps the most critical threat vector: the human element.
There’s little to be gained by spending more on locks and security guards if someone unknowingly leaves the door open for intruders to enter the building. Now more than ever, organisations need to embrace a positive and impactful culture of cybersecurity.
Year after year, the human element consistently ranks among the greatest risk factors in cybersecurity. In Europe, the Middle East and Africa, half of the data breaches are initiated internally and it is predicted that 90% of all data breaches around the world will involve a human element in 2024.
The standard practice of mandated security awareness training isn’t driving improvement, as stolen credentials, data leaks, and targeted phishing emails remain prevalent. To address this critical vulnerability, CISOs must take a more data-driven, tailored approach to mitigating human risk that goes beyond just training. It requires human-by-design cybersecurity.
Quantifying risk
Security awareness training helps but is inadequate as it treats every employee the same. In reality, some users are highly adept at sniffing out threats, while others require additional support. Some subsets of users are targeted with greater regularity, while others receive very few phishing attempts. As such, a human-centric security approach must begin with a detailed understanding of the organisation’s distribution of risk.
The first step is identifying those at the company who are most at risk. Studies have found that just 8% of employees are involved in 80% of incidents, and many in this subset are typically repeat offenders. Certain individuals are also targeted more frequently due to their roles: managers receive 2,5-times more phishing emails on average than non-managers, and the rate of attempts goes up for all employees the longer they remain at a company, nearly doubling every three years.
These figures can vary widely between organisations, so it’s key for businesses to perform their own analysis. This can be done by analysing data that’s often overlooked—like the logs generated by security endpoints when they prevent employees from executing malware—and gathering patterns from it. In the ideal framework, security administrators should be able to pull data from all manner of security tools to understand what good or risky security decisions users make on an ongoing basis and build a profile on users’ individual risk levels.
Managing risk
Much like financial institutions with credit scores or insurance companies with premiums, organisations can then begin leveraging these risk scores to create a personalised, adaptive approach to security, beginning with tailored training.
Rather than making all employees complete the same generic security awareness modules (which many people may skip through with little attention paid if the training is too long, too frequent or uninteresting), individuals who have proven themselves a low risk can instead be served a light slate of policy reminders and checklists. Those on the opposite end of the spectrum, who are either frequently targeted or will be, can be mandated to take more rigorous training with a focus on the topics related to the risks they face.
With detailed insights into behaviour patterns, organisations can also reward good security practices with recognition. They can then take steps to stem bad habits with interventions like adaptive nudges – personalised messages sent at the right time or context to prevent users from falling victim to attacks – or strategies such as tighter email security filtering, stricter browsing permissions, or reducing the time that multi-factor authentication tokens are valid on at-risk users’ machines.
It is important that these practices are carried out with transparency. When security teams take a constructive stance—for example, by sending out report cards that affirm positive behaviour and suggest areas to improve—employees almost universally respond with openness and appreciation. For the small percentage of users in the high-risk group, extra care should be taken to explain how additional training and adaptive measures are designed to help them get better.
Tracking improvement
Collecting and analysing security events also allows administrators to take a more data-driven approach to measuring results and, ideally, improvement. By gauging their baseline, security teams can then track the number of risky behaviours occurring on the network over time and dial in the best methods of “bubble wrapping” subsets of the user base to reduce future occurrences.
This measurability stands in stark contrast to conventional human risk mitigation practices (i.e. simple awareness training), which can often take the form of a black hole in terms of understanding impact, and in turn, ROI. With an objective, outcomes-first approach, CISOs can both deliver security improvement and clearly demonstrate the success of the investment to the rest of the C-suite.
As threat actors get smarter about how they target employees, the onus is on organisations and their cybersecurity partners to create a strong line of defence—and the human element is a critical component. Companies that take a more intelligent, personalised approach to curbing risky behaviour will stand the best chance of safeguarding their organisations against cyberattacks, all while making more efficient use of their security budgets.