Securing your organization’s human layer

January 21, 2020

We all make mistakes. In fact, making mistakes is a core part of the human experience, as it’s how we grow and learn. When it comes to cybersecurity, however, human error is often overlooked.

Minimizing threats from within is more important than ever for every organization. According to a study by IBM, 95% of data breaches are attributed to human error. So while the hoodie-clad hacker may seem like the obvious enemy, your own staff members are actually the biggest risk to your organization. Unlike hackers, however, most employees aren't actively seeking to harm their companies. They are simply inconsistent when it comes to following security policy.

Let's take a look at some bad security habits that put companies at risk:

  • Accessing the internet via unsecured Wi-Fi networks
  • Failing to delete unnecessary but confidential information from computers
  • Sharing passwords with others
  • Using the same account credentials across multiple websites
  • Using generic USB drives that aren’t properly encrypted to store sensitive data
  • Leaving computers unattended when outside the workplace
  • Failing to notify organizations after losing USB drives and other devices with confidential information
  • Not using proper privacy settings when working remotely
  • Using unsecured personal mobile devices to access the organizational network
  • Carelessly opening links and attachments found in phishing emails

Just like with most cyberthreats, the risks posed by human error can best be addressed through a combination of training and technology. While it may seem like the best route to better security is solely through the procurement of technical solutions, people and processes are actually fundamental to your cybersecurity strategy.

Here’s how to make your cybersecurity framework more human-centric:

  • Identify – Find the points where employees interact with technology and data. Assess their security-related behavior and practices so you can determine which areas need more protection and which human patterns and trends put your systems at risk.
  • Protect – Schedule security awareness campaigns and implement behavior management programs for sensitive areas such as phishing, social engineering, password hygiene, etc. Make sure that your processes and technologies enforce safe behavior and steer the workforce towards a proper security mindset.
  • Detect – Train employees on processes for identifying and reporting suspected phishing events. A good way to start is to conduct simulated phishing tests to determine where you need to enhance training or other processes.
  • Respond – Establish policies and protocols for how your organization will respond to different kinds of employee-related security errors. For example, what steps should an employee take after a data breach? Whom can they alert? Having remediation measures in place helps stop an incident from doing further damage.
  • Recover – Implement post-incident reviews and communication so you’ll know how to improve your security posture and prevent future attacks.
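The simulated phishing tests mentioned under Detect produce a record of who was sent the lure, who clicked, who typed in credentials and who reported it. The script below is an added example, not code from the original article, that turns such an export into per-department click and report rates and flags where refresher training, the reporting process or a password reset is needed. The event format, department names, usernames and alert thresholds are constructed for illustration; adapt them to whatever your phishing-simulation tool exports.

```python
"""Aggregate the results of a simulated phishing campaign per department.

Added example (not from the original article). The event format, names and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export, one event per line.
# Fields: timestamp, user, department, event
SAMPLE_EVENTS = """\
2020-01-14T09:00:00,alice,finance,sent
2020-01-14T09:00:00,bob,finance,sent
2020-01-14T09:00:00,carol,finance,sent
2020-01-14T09:00:00,dave,engineering,sent
2020-01-14T09:00:00,erin,engineering,sent
2020-01-14T09:00:00,frank,sales,sent
2020-01-14T09:00:00,grace,sales,sent
2020-01-14T09:03:10,dave,engineering,reported
2020-01-14T09:05:42,alice,finance,clicked
2020-01-14T09:06:01,alice,finance,submitted_credentials
2020-01-14T09:07:30,frank,sales,clicked
2020-01-14T09:08:15,bob,finance,clicked
2020-01-14T09:09:00,erin,engineering,clicked
2020-01-14T09:12:44,carol,finance,reported
2020-01-14T09:15:00,grace,sales,clicked
"""

CLICK_RATE_ALERT = 0.30    # assumed threshold: above this, schedule refresher training
REPORT_RATE_TARGET = 0.50  # assumed threshold: below this, the reporting process needs work


def parse_events(text):
    """Parse the CSV-style export into (timestamp, user, department, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, dept, event))
    return events


def summarize(events):
    """Per-department metrics showing where training or process needs attention.

    Each user counts at most once per metric, even if they clicked twice.
    """
    per_dept = defaultdict(lambda: {"sent": set(), "clicked": set(),
                                    "reported": set(), "submitted": set(),
                                    "first_click": None, "first_report": None})
    for ts, user, dept, event in events:
        d = per_dept[dept]
        if event == "sent":
            d["sent"].add(user)
        elif event == "clicked":
            d["clicked"].add(user)
            if d["first_click"] is None or ts < d["first_click"]:
                d["first_click"] = ts
        elif event == "reported":
            d["reported"].add(user)
            if d["first_report"] is None or ts < d["first_report"]:
                d["first_report"] = ts
        elif event == "submitted_credentials":
            d["submitted"].add(user)

    summary = {}
    for dept, d in per_dept.items():
        sent = len(d["sent"])
        click_rate = len(d["clicked"]) / sent if sent else 0.0
        report_rate = len(d["reported"]) / sent if sent else 0.0
        # Did someone raise the alarm before anyone fell for the lure? That is the
        # window in which the security team could have pulled the message from inboxes.
        early_report = (d["first_report"] is not None and
                        (d["first_click"] is None or d["first_report"] < d["first_click"]))
        flags = []
        if click_rate > CLICK_RATE_ALERT:
            flags.append("refresher-training")
        if report_rate < REPORT_RATE_TARGET:
            flags.append("reporting-process")
        if d["submitted"]:
            flags.append("credential-reset")  # someone typed a real password into the fake page
        summary[dept] = {
            "sent": sent, "clicked": len(d["clicked"]),
            "reported": len(d["reported"]), "submitted": len(d["submitted"]),
            "click_rate": round(click_rate, 2), "report_rate": round(report_rate, 2),
            "first_report_before_first_click": early_report, "flags": flags,
        }
    return summary


def credential_resets(events):
    """Users who submitted credentials; these accounts need a forced password reset."""
    return sorted({user for _, user, _, e in events if e == "submitted_credentials"})


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for dept, row in sorted(summarize(events).items()):
        print(f"{dept:12s} sent={row['sent']} clicked={row['clicked']} "
              f"reported={row['reported']} click_rate={row['click_rate']:.0%} "
              f"report_rate={row['report_rate']:.0%} flags={row['flags']}")
    print("force password reset for:", credential_resets(events))
```

The report rate matters as much as the click rate: a department where one person reports the lure before anyone clicks gives the security team a chance to remove the message before it does damage, which is the behavior the Detect and Respond steps are trying to build.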

Awareness, effective training, and proper policies and protocols help create an extensive knowledge base for your employees to draw upon when faced with actual situations.