Cybersecurity is a broad topic with plenty of unique elements to discuss. When we consider how people contribute to the overall narrative associated with Cyberecurity today – it is helpful to start by classifying humans into two categories. The first group of people we can call “Bad Actors”. These are the cybercriminals and hackers that continue to launch a myriad of sophisticated cyber-attacks against organizations with some type of malicious intent.
The second category of people are called “Good Actors”. These are IT and cybersecurity professionals who defend organizations from attacks. These are executives who develop and sponsor information security plans and programs for organizations and these are also the people who consume technology with no malicious intent. Millions of people who simply use their computer and applications to get their job done each day.
Perhaps the most troubling statistic reported in the 2021 Verizon Data Breach Investigation report was that 85% of all cybersecurity breaches involved a Human Element. Ok… so what does that mean exactly?
It means that the Good Actors are still the weakest part of most organizations’ cybersecurity defense strategy. People with good intentions are contributing to successful cyber-attacks, incidents, and breaches in a very accidental, unsuspecting, and innocent way. Good Actors are making mistakes that enable the Bad Actors to succeed.
We have listed a few examples of how this phenomenon occurs regularly each and every day.
Good Actors often fall victim to social engineering attacks such as phishing. They receive a legit looking email from Best Buy telling them to click a button or link to retrieve a $20 coupon. So, they click the link and unsuspectingly download malware.
Good Actors that have elevated privileges such as Domain or Local Administrator accounts might modify the permissions on a folder to allow someone else to access the folder more easily than before. There was good intent behind their action – they were trying to help a fellow co-worker – but the changes made to the security settings just made it easier for a Bad Actor to succeed.
We see Data Mishandling occur all the time. As an employee perhaps I am told to save my spreadsheets to a network drive but instead I save them to my local desktop. It may seem like a small mistake, but the reality is my desktop does not have the same protections that the file server does and therefore I have made it easier for the Bad Actor to succeed.
What happens if the corporate email is temporarily unavailable? Good Actors send sensitive information using their personal email accounts instead. Now the email is not encrypted and the Unapproved Work Around has once again made it easier for the Bad Actors to succeed.
When Good Actors decide to use their personal laptop for work or decided to download and install unapproved software they will once again make it easier for the bad actor to succeed.
IT professionals who are tasked with deploying new hardware, systems and applications can easily forget to configure important cybersecurity setting settings. The technology is still functional – but not secure. This is yet another example of a Good Actor unknowingly making it easier for Bad Actors to succeed.
IT professionals can also neglect system maintenance – such as patching operating systems and applications. These tasks are easier to ignore when faced with end user support activities but again – a Good Actor now contributes to the Bad Actor’s success.
Lastly when we consider all the different software, we use we need to remember that the software is created by humans, most of them would be Good Actors. But the development of new software tends to be rushed and the software is released with security flaws. Simple oversights or mistakes that occurred in the development process.
The real story is that the Bad Actors are depending on the Good Actors to make mistakes and therefore people with good intentions are contributing to successful cybersecurity incidents and breaches.
What can we do about this? What can be done to reduce the number of mistakes humas make? How can we confidently respond to cybersecurity incidents that arise from human error?
First, draft and publish a comprehensive set of information security policies. Good policy will provide rules and guidelines for people to follow. Good policy will influence the behavior and actions of people too. Most people know what they can and cannot wear to the office because there is a Dress Code Policy. Those same people have no clue if they are allowed to use their personal email account to send work related emails. Set rules for how people interact with and consume technology and you will define for them what being a good cybersecurity steward looks like.
Second, develop a formal cybersecurity awareness training program. Educate people how to detect and respond to common social engineering attacks. We know not to pet a dog that has its ears pinned back, hair standing on its neck and snarling teeth exposed. We were taught at young age to detect the signs of danger when deciding whether to pet a dog. People also need to be taught how to detect the signs of danger when navigating their inbox. They should learn how to confidently identify a phishing email and not click on the link or attachment that will let the Bad Actor win.
Lastly, appreciate that good policy and awareness training will reduce the rate of human error, but it will not eliminate it. People will still make mistakes, just less of them. Draft and operationalize an incident response plan. A good incident response plan will provide specific procedures for responding to and recovering from a successful cybersecurity incident.
Provide structure for people to follow (policy), teach them how behave (security awareness training) and prepare for the occasions when mistakes still allow for successful cybersecurity incidents (incident response planning). This how you can address the human element associated with cybersecurity.