People make mistakes, and human error has given cybercriminals an attack route into the assets of company after company.
Employees may click on phishing scams, send data to the wrong recipients or give third parties the wrong access privileges. The results can cripple your organisation. And if human error is the problem, training is the obvious solution.
But in practice, it doesn’t always work that way. The best way to reduce cyber risk is not necessarily more training for your people; it’s to not trust people in the first place. While that may sound cynical, the reality is that there are simply too many chances for any of us to accidentally compromise ourselves or our networks, regardless of how much training we’ve had. Let’s look beyond training to find the measures that can make an organisation and its users more secure.
Accept that people can be a business risk
There is no doubt that the human element of cybersecurity is a major source of risk. Almost a third of Australian businesses say employee naiveté about cybersecurity is their biggest email security challenge, while around two-thirds believe that risky behaviour from staff is putting their company in danger. According to reports from the Office of the Australian Information Commissioner (OAIC), 30% of data breaches are the direct result of human error.
Cybersecurity training is becoming increasingly standard across all business sectors, but the number of cyber incidents is still rising every year (they’re up 13% in Australia and 10% in New Zealand). Employees can click through all the cybersecurity decks in the world, watch videos and get solid marks in online training as many times as you ask them to, but that won’t always stop someone making a mistake when it counts.
What training can and cannot achieve
That’s not to say that training has no value. Training executives can help them make decisions that balance opportunity and reward with the need to keep data safe. CEOs can learn to collaborate with their CISOs more effectively, and put cyber at the heart of company culture.
Training the rest of your staff, meanwhile, can reduce the impact of phishing scams and reinforce password security. But training will never fully eradicate human error, and all too often it is seen as a time sink by employees.
As threats become more varied, with attackers seeking traction via IoT devices, employee devices or increasingly sophisticated spoofing techniques, the chance for people to make mistakes becomes larger and larger, despite growing awareness. The answer is to help staff and customers stay out of trouble by strengthening procedures and networks. Combined with awareness training, these are some of the best, proven ways to cultivate cyber resilience.
Know your networks
Before you begin a cybersecurity programme, you must build a good understanding of your data. What are your biggest defence priorities? What data is managed by you, and what falls on the shoulders of cloud partners or other third parties? Are there obvious attack points such as eCommerce portals?
You needn’t do all this work yourself. Penetration tests can probe for vulnerabilities and report back on them, while threat intelligence can tell you which attackers and techniques are currently targeting organisations like yours. A good cloud partner will spend serious time and energy ensuring its infrastructure is protected, taking at least some of the strain off you. Bear in mind, though, that responsibility is shared: the provider secures the underlying platform, but how you configure your accounts, access controls and data stored on it remains your job.
Protect your data
If your staff don’t have access to critical data, they can’t accidentally expose it. Access should be denied by default and granted case by case, for the minimum scope and duration a task actually requires. Digital-rights management can limit the actions (such as saving or sharing) that can be undertaken with individual documents or files. A clear security policy governing crucial data and passwords is also essential, and the clearer it is, the less training you'll need to reinforce its messages. Segmentation, in which traffic is grouped and tagged by function and access is granted only to defined segments, is another way to limit who can reach sensitive data.
Increasing numbers of companies are adopting a holistic zero-trust approach, which removes the implicit trust once extended to anything sitting inside the network perimeter. Here, users and their devices are authenticated, and each request on the network is evaluated and authorised separately, regardless of where it originates.
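To make the two ideas above concrete (access denied by default and opened up case by case; every request evaluated on its own), here is a small policy engine in Python. It is an added example written for this article, not code from any product mentioned on the page; the users, segments, actions and timestamps are hypothetical and constructed for illustration.

```python
"""Deny-by-default access decisions, evaluated per request.

Added example, not code from the original article. The users, segments,
actions and timestamps below are hypothetical and constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """An explicit, case-by-case grant. Nothing is reachable until one exists."""
    principal: str          # who
    segment: str            # which data/network segment, e.g. "finance"
    actions: frozenset      # what they may do there, e.g. {"read"}
    expires: datetime       # grants are time-bound so access does not accumulate


@dataclass(frozen=True)
class Request:
    principal: str
    segment: str
    action: str
    at: datetime
    mfa_verified: bool      # result of authenticating the user for this request
    device_trusted: bool    # result of checking the device's enrolment/posture


class Policy:
    def __init__(self):
        self._grants = []   # an empty grant list means everything is denied

    def grant(self, g: Grant) -> None:
        self._grants.append(g)

    def decide(self, req: Request) -> tuple:
        """Return (allowed, reason). Each request is checked from scratch:
        no session-wide or network-location-based trust is carried over."""
        if not req.mfa_verified:
            return False, "mfa_required"
        if not req.device_trusted:
            return False, "untrusted_device"
        for g in self._grants:
            if (g.principal == req.principal
                    and g.segment == req.segment
                    and req.action in g.actions
                    and req.at < g.expires):
                return True, "explicit_grant"
        return False, "no_matching_grant"   # the default outcome


NOW = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)   # constructed clock


def build_demo_policy() -> Policy:
    p = Policy()
    # Case-by-case grant: alice may read finance data for the next 30 days.
    p.grant(Grant("alice", "finance", frozenset({"read"}), NOW + timedelta(days=30)))
    # Stale grant: bob's HR access expired a week ago and is no longer honoured.
    p.grant(Grant("bob", "hr", frozenset({"read", "export"}), NOW - timedelta(days=7)))
    return p


def demo_decisions() -> dict:
    """Evaluate a set of constructed requests; returns {name: (allowed, reason)}."""
    p = build_demo_policy()
    ok = dict(at=NOW, mfa_verified=True, device_trusted=True)
    cases = {
        "alice_read_finance": Request("alice", "finance", "read", **ok),
        "alice_export_finance": Request("alice", "finance", "export", **ok),   # action not granted
        "alice_read_hr": Request("alice", "hr", "read", **ok),                 # wrong segment
        "alice_unmanaged_device": Request("alice", "finance", "read", at=NOW,
                                          mfa_verified=True, device_trusted=False),
        "bob_expired": Request("bob", "hr", "read", **ok),
        "carol_no_grant": Request("carol", "finance", "read", **ok),
    }
    return {name: p.decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo_decisions().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Only one of the six requests is allowed, and it is the one backed by a current, explicit grant that names both the segment and the action. The untrusted-device and expired-grant cases show why the check must run on every request rather than once at login.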
Monitor your traffic – and the people driving it
Monitoring is another vital tool in your cybersecurity box. Data can be watermarked with information about who accessed it and when. Activity-monitoring tools can also be used to detect suspicious activity and security mistakes. Encouraging a culture of mutual accountability, in which staff are encouraged to look out for potential dangers and breaches, becomes an extra safety net and is one way that training can help secure your data.
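As an added illustration of the activity monitoring described above (not code from the original article), the Python below runs three simple detection rules over a handful of constructed access-log lines: reads of sensitive data outside working hours, a burst of reads that looks like a bulk export, and a share to an address outside the company domain. The log format, segment names, thresholds and the corporate domain example.com are all assumptions made for the example.

```python
"""Detection rules over access-log lines (added example; sample log is constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SENSITIVE = {"finance", "hr"}          # segments that warrant extra scrutiny
WORK_HOURS = range(7, 19)              # 07:00-18:59 UTC counts as normal
BURST_LIMIT = 3                        # more than this many reads ...
BURST_WINDOW = timedelta(minutes=5)    # ... within this window is a bulk read
CORP_DOMAIN = "example.com"            # assumed corporate mail domain

# Constructed sample log, one event per line, in time order.
SAMPLE_LOG = """\
2024-05-06T09:02:11Z user=alice action=read segment=finance object=q1-forecast.xlsx
2024-05-06T09:02:40Z user=alice action=read segment=finance object=q2-forecast.xlsx
2024-05-06T10:15:00Z user=carol action=share segment=finance object=q1-forecast.xlsx recipient=carol.personal@gmail.example
2024-05-06T10:20:00Z user=dave action=share segment=finance object=q1-forecast.xlsx recipient=erin@example.com
2024-05-06T23:41:03Z user=bob action=read segment=hr object=salaries.csv
2024-05-06T23:41:05Z user=bob action=read segment=hr object=reviews.csv
2024-05-06T23:41:09Z user=bob action=read segment=hr object=contracts.csv
2024-05-06T23:41:12Z user=bob action=read segment=hr object=addresses.csv
"""


def parse(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a timezone-aware 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines) -> list:
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    alerts = []
    recent_reads = defaultdict(deque)   # (user, segment) -> timestamps in window
    off_hours_seen = set()              # (user, date): alert once per user per day
    for line in lines:
        if not line.strip():
            continue
        e = parse(line)
        user, seg, ts = e["user"], e["segment"], e["ts"]

        # Rule 1: sensitive data touched outside working hours.
        if seg in SENSITIVE and ts.hour not in WORK_HOURS:
            key = (user, ts.date())
            if key not in off_hours_seen:
                off_hours_seen.add(key)
                alerts.append(("off_hours", user, e["object"]))

        # Rule 2: burst of reads in one segment (possible bulk export).
        if e["action"] == "read":
            q = recent_reads[(user, seg)]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_LIMIT + 1:   # fire once, when the limit is crossed
                alerts.append(("bulk_read", user, seg))

        # Rule 3: share to a recipient outside the corporate domain.
        if e["action"] == "share":
            domain = e.get("recipient", "").rpartition("@")[2]
            if domain != CORP_DOMAIN:
                alerts.append(("external_share", user, e["object"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:15} {user:8} {detail}")
```

On the sample, alice's two daytime reads and dave's internal share produce nothing, while carol's external share and bob's late-night run through four HR files each raise an alert. The thresholds are deliberately simple; in practice they would be tuned per segment and paired with a baseline of each user's normal activity.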
Limit actions to limit threats
Setting clear, delineated processes can also reduce human error. Some companies ban attachments from emails, and the US Defense Department has stripped links from emails since 2015. Closer to home, Service NSW introduced a secure data transfer app after a breach to safely send documents to other government agencies – confidential files were previously shared via email.
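The two email controls mentioned above, banning attachments and stripping links, can be implemented at the mail gateway. The Python below is an added example written for this article, not the US Defense Department's or Service NSW's own tooling: it parses an inbound message with the standard library's email package, drops every attachment, replaces each http(s) URL in the text body with a placeholder and records what was removed in a header. The sample message is constructed; the header name X-Attachments-Removed is an assumption.

```python
"""Strip attachments and links from inbound mail (added example; sample mail is constructed)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_message() -> str:
    """Constructed inbound mail: a text body carrying a link, plus an executable attachment."""
    m = EmailMessage()
    m["From"] = "vendor@example.net"
    m["To"] = "accounts@example.com"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please review the invoice at https://example.net/pay?id=42 and pay today.")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,          # fake PE header bytes
                     maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    return m.as_string()


def sanitise(raw: str) -> tuple:
    """Return (clean_message, removed_attachment_names, links_stripped).

    The rebuilt message keeps only the plain-text body, with URLs replaced,
    and carries no attachments at all.
    """
    original = Parser(policy=policy.default).parsestr(raw)
    body_part = original.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    text, links_stripped = URL_RE.subn("[link removed]", text)
    removed = [p.get_filename() or "(unnamed)" for p in original.iter_attachments()]

    clean = EmailMessage()
    for h in ("From", "To", "Subject", "Date", "Message-ID"):
        if h in original:
            clean[h] = original[h]
    clean.set_content(text)
    if removed:
        # Assumed header name; lets the recipient know something was taken out.
        clean["X-Attachments-Removed"] = ", ".join(removed)
    return clean, removed, links_stripped


if __name__ == "__main__":
    msg, dropped, n = sanitise(build_sample_message())
    print(f"removed attachments: {dropped}; links stripped: {n}")
    print(msg.get_content())
```

Rebuilding the message from scratch, rather than editing the original in place, is the safer design: anything not explicitly copied across (HTML parts, inline images, calendar invites) simply does not survive. A production filter would also want to handle HTML bodies and log the stripped URLs for the security team to review.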
There are other ways to limit your attack surface. In an age in which increased remote working and the use of personal devices is making the idea of a single perimeter feel like ancient history, some organisations require workers to use company laptops or work via remote desktops. Others specify the encryption and antivirus software that staff should run on their devices.
Why security training is important, but isn’t the final answer
Training and awareness campaigns are key components of cybersecurity. They can go a long way in reducing the risk of the human element in cybersecurity, but they aren’t a cure-all. People will always make mistakes. Knowing your networks and protecting the data on them by limiting access, monitoring behaviour and controlling email systems and hardware, in addition to awareness training, is far more likely to get the results you’re looking for. Rather than relying on training to prevent human error entirely, you should rely on training to minimise the risk of human error, while making sure you have the systems in place to manage your vulnerabilities across the board.