Advancements in cybersecurity have been growing exponentially. Increasingly, though, we are fighting an automated adversary who benefits from the falling costs of compute to launch attacks. Organisations continue to invest record sums of money in cybersecurity products and services. Even so, one part of the cybersecurity world still needs work: the human factor. Human error and complacency continue to be one of the leading contributors to cybersecurity breaches. This is due in part to an unsupportive work culture in which cybersecurity is often ignored or overlooked until a serious problem occurs.
Organisations cannot rely on their cybersecurity systems if their workplace lacks a supportive and understanding culture. Employees can make or break an organisation’s security system depending on their compliance with, and understanding of, the system itself. Adopting a strategic framework around cybersecurity that emphasises education and requires employees to respect the system greatly reduces risk.
Many people like to believe that cybersecurity products are a “one size fits all” solution to any threat on the internet, that IT is responsible for cybersecurity, and that anti-virus will protect us.
What users fail to acknowledge is that they too are responsible for the success or failure of their system.
The culture of most organisations doesn’t support best practices. The problems range from a lack of basic understanding of the methods used to launch everyday cybersecurity attacks to a lack of enforcement of online safety procedures and protocols. Many people underestimate the consequences of their online actions and overestimate the capabilities of the cybersecurity system. While the system is designed to be a type of safeguard, members of any organisation, at all levels, have to be aware of the dangers they’re exposed to as well.
On the other hand, many organisations have been providing minimal awareness and training and, as a result, tend to create safety protocols that become more tedious than effective. The minimal training that’s provided doesn’t emphasise or adequately explain the simple dangers that lurk around the corners of the internet. Further, it is often delivered as one-time online training that staff view as a compliance task rather than as ongoing reinforcement of good cyber hygiene practices. This then leads organisations to overcompensate by creating safety procedures that are difficult to follow, so employees look for ways to cut corners, which gives rise to shadow IT.
One example that is easy to relate to is the use of long, convoluted passwords for multiple resources. Keeping track of numerous passwords can start to feel like a job of its own. Some people find it easier to reset a password each time rather than memorise it or, worse still, write the user names and passwords down on Post-it Notes, which weakens the system further. There are different solutions to alleviate this problem, such as requiring a password reset once or twice a year, requiring multi-factor authentication, utilising password managers and regularly enforcing other security procedures.
Socially speaking, it’s also better to encourage people to be aware of their mistakes and correct them as quickly as possible. A discouraging environment that punishes and ridicules people for their mistakes does not support healthy compliance. The idea should be to teach employees the importance of cybersecurity through constant reinforcement and to debunk the idea that only those in IT can have an effect on the system. The truth of the matter is that cybersecurity involves every employee, and establishing this culture will allow the system to function effectively and efficiently.
A New Perspective
Building a culture that promotes security and embraces employees requires a couple of factors. At the top of the list is training and educating employees at all levels of the organisation. While the higher executives are obvious targets, many entry points exist through lower-level employees, who are in as much danger as anyone else in the organisation. Keeping everyone aware of the current risks and security methods will further reinforce an attentive cybersecurity culture.
One approach towards achieving this type of efficiency is to create incentives so that employees are more encouraged to report suspicious activities. These incentives can also be used to further promote the proper use of safety protocols, because incentives give people a sense of accomplishment. By enforcing this type of system, organisations will also be able to identify who isn’t complying with the program and drive behavioural change.
Something else that will encourage people to report problems or threats is a simple reporting system. Part of the reason many fail to report issues is that the protocol set in place is difficult, long and convoluted; the goal is to combat this by having a single place to report such issues. Reporting can be made as easy as clicking a single link that opens an e-mail template or an internal website that works as a forum where employees can discuss new threats, identify possible solutions, submit suspicious files, or even ask questions.
Accountability is what has been missing in this sea of protocols and systematic rules. Without enforcers, organisations must put complete blind trust in their employees, which is a lot of responsibility. A solution to this is to create a middleman: establishing leadership roles, along with a supportive environment aligned with goals and initiatives, will encourage better cybersecurity practices.
Creating a cyber-aware culture and providing a supportive system will not only allow employees to be conscious of their online actions, but will also encourage them to use the protocols set in place. Cybersecurity doesn’t just protect the organisation; it protects all the people that make up the organisation, as well as their trading partners and customers. Just as the organisation relies on cybersecurity systems, it must also rely on its people with trust and reassurance.
As an aside, we believe that legacy antivirus no longer offers meaningful security value because it is no longer an effective means to prevent security breaches. Organisations now have access to a superior technology that eliminates the need for legacy AV, far surpasses it in terms of security value, and avoids the intangible, difficult-to-quantify, unquestioned costs of antivirus.