This time last year, many businesses were still assessing the long-term viability of hybrid working.
While there was recognition that change was in motion, twelve months on it’s safe to say this ‘new age’ of operating has become the norm. The evolution in work practices has brought cybersecurity sharply into focus; not only is the threat landscape more vast and complex than it’s ever been before, but the frequency and severity of attacks are the highest we’ve ever seen. The scary thing is just how normal this is now becoming, as businesses struggle to keep pace with this evolving challenge.
As a result, many organisations are falling into the trap of assuming their cybersecurity challenges are being caused solely by technology shortfalls. Whilst it’s undoubtedly critical to have the right tools in place, many companies are overlooking the human factors they also need to consider. A large number of security incidents (40%, by conservative estimates) are caused by human behaviour, such as clicking on a phishing link. Companies can have all the tools in the world at their disposal, but if the root cause is driven by human actions that are not protected or controlled, then they remain vulnerable to a breach.
This is why I believe it’s really important for businesses to start considering how investments into human-focused initiatives, such as changes in company culture and training, can have a positive benefit on cybersecurity posture. Let me explain why.
One of the key challenges businesses have is not only a lack of cybersecurity knowledge amongst their workforces, but also a lack of confidence in reporting a possible breach or threat that may be connected to them, over fear of punishment or shaming. At a time when cyber attacks are happening more regularly, this stubborn cultural problem is presenting huge security risks to businesses.
In addition, it’s also having a knock-on effect on the retention of the staff members who are tasked with managing their company’s cyber protection, as the unsustainable 24/7 nature of information security is leading to burnout and fatigue. Further research has found that nearly half (41%) of UK-based IT security managers are actively considering whether to leave their cybersecurity job in the next six months, while fewer than a quarter would be likely to recommend a career in cybersecurity.
While this isn’t an exact science, there are some fundamental step changes businesses can take to overcome this challenge. Firstly, it’s the implementation of training, to ensure staff are equipped with the right knowledge to be able to identify possible threats. Leaders need to ensure their worker enrollment involves training and certification opportunities for all types of employees, to prepare them for any potential threats and attacks in the future. Businesses can then supplement these team skills with the technology and expertise of a suitable security partner to get the balance right. These multiplier forces working together can have a positive effect on an organisation’s overall security posture, enabling staff to handle strategic initiatives and key priorities effectively.
Secondly, it’s a shift in culture in terms of how they manage their cybersecurity. This means building an approach of trust and empowerment, where employees feel comfortable reporting security-related incidents, accidents, or mistakes to IT. Even so-called security professionals make mistakes; nobody is immune to a well-motivated adversary. So if there is acceptance that people can and do make mistakes within cybersecurity, rather than a culture of blame, then employees will feel empowered and encouraged to speak up.
This can also have a positive effect on minimising the increasing threat posed by insiders. As loneliness amongst employees increases and workplace loyalty erodes as a result of hybrid working, naming and shaming workers for cybersecurity breaches could encourage staff members to retaliate, choosing to expose their company’s security out of frustration. Adopting a more inclusive and collective approach to cybersecurity from the word go can help to alleviate any feelings of blame or anger amongst employees.
While there is no silver bullet solution for cybersecurity protection, it is clear that people and processes have a huge role to play. To focus solely on technology is to ignore half the problem. Ultimately, if businesses can find the right blend between both the technology and human sides of their cybersecurity operations, this will have a transformative effect on their operations going forward.
About the Author
Ian McShane is VP Strategy at Arctic Wolf. The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge, and yet despite this constant innovation we continue to see high-profile breaches in the headlines. All organizations know they need better security, but the dizzying array of options leaves resource-constrained IT and security leaders wondering how to proceed. At Arctic Wolf, our mission is to End Cyber Risk through effective security operations.