“The best defence against cyberattacks is not technological cybersecurity solutions, but rather the strengthening of the human aspect.” – Perry Carpenter, a cybersecurity veteran, author, and chief evangelist and security officer for KnowBe4.
According to Verizon’s Business 2022 Data Breach Investigations Report, 82% of all attacks still involve people, which is why breaches continue to occur. Attacks are also becoming more aggressive, with ransomware rising 13% in just 24 months—a rise greater than that of the previous five years put together.
The Verizon report makes the cost of human error plain. “People remain—by far—the weakest link in an organisation’s cybersecurity defences,” the company claims.
The human factor in cybersecurity isn’t so much about insiders acting maliciously on purpose as it is about unintentional errors made by users who neglect to implement basic controls, such as restricting access permissions on cloud databases, or who are duped by emails that appear legitimate but actually contain malicious links.
The Gap Between Knowledge, Intentions, and Actions
“Just because your team members are aware of something doesn’t mean they will care,” Carpenter stated. Despite what firms spend on cybersecurity awareness programmes for all employees, breaches continue to occur, and the knowledge-intention-behaviour gap explains why.
Carpenter claims that even though employees may be conscious of the risks and threats, how they operate, and what has to be done to avoid them, they still don’t take the essential precautions to protect the business.
Companies need to close the knowledge and intention gaps in order to promote the right behaviours among their workforces and reverse this situation. Working with human nature is a necessary strategy, and one that the highly technological cybersecurity sector struggles with.
Collaborating in Harmony with Human Nature
Effective cybersecurity programmes take human nature into account, because cybercriminal groups have mastered manipulating it. Leaders may be wondering why, if their employees are aware of scams and phishing attacks, they continue to fall for them.
Carpenter asserts that the answer has little to do with how intelligent the workforce is. The most effective attack methods focus on controlling people’s emotions rather than on complex software. Attackers take advantage of human traits including impulsivity, empathy, curiosity, and ambition.
Another strategy is the time-tested marketing tactic of giving things away for nothing. Bulk clickbait advertising campaigns can be very successful, and for cybercriminals, they serve as entry points for the distribution of malware and ransomware. They will promise money, business possibilities, or even simply a free car wash since they know how difficult it is for people to refuse a seemingly good and alluring offer.
Using employee data gathered from social media and other internet sites, cybercriminals are also developing highly tailored attacks. They will also exploit reporting relationships and pose as people in positions of authority inside the company, since they know that an employee responds to a manager, HR, or the CEO. “They send fake messages from the CEO with instructions to wire funds to a bogus supplier account or trick employees into other fraudulent business email compromise (BEC) schemes,” Carpenter said.
Communication, Behaviour, and Culture Management
Carpenter outlined three areas in which businesses should continuously teach their staff about security: communication, behaviour, and culture management.
Communication Lessons
- Recognise your audience’s priorities.
- Make your messaging appealing by drawing people in and evoking emotion. Share tales and anecdotes rather than just facts to make your points.
- Have a clear call to action and specify for your teams what they should do.
Behaviour Management Lessons
- Recognise that the knowledge, intention, and behaviour gap influences any behaviour you want to promote or prevent. Even if your team members are well-intentioned and have the necessary knowledge, your ultimate objective is to change their habits.
- People lack common sense. We must help them with cues, resources, and procedures that make the desired actions easier and more natural.
- Put training and tools as close as you can to the point of behaviour.
Culture Management Lessons
- Utilise culture assessment tools such as focus groups, observation, questionnaires, and more to comprehend your culture as it is today.
- Find possible “culture carriers” who are capable of promoting the attitudes and conduct you want to see displayed throughout your entire team.
- Create continuing structures, demands, incentives, and rituals that take into account the distinctive distinctions among various groups.
However, IT teams can go beyond education. They can identify the most exposed individuals and target them for training by routinely running simulated phishing campaigns. Set up a dedicated internal mailbox and ask users to forward any suspicious emails to it, so that they can be investigated before anyone acts on them.
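The reporting mailbox above only helps if someone triages what lands in it. The following Python script is an added example, not code from the article or from KnowBe4, of a first-pass check over a user-forwarded message for the BEC indicators the article describes: an executive’s display name on a sender outside the company domain, a Reply-To that diverges from the From address, and payment-pressure wording. The company domain `example.com`, the protected names, the keyword list and both sample messages are constructed assumptions for the example.

```python
"""First-pass triage of user-reported suspicious emails (added example, not
from the article). Flags common business email compromise (BEC) indicators:
executive display name on an external sender, Reply-To domain differing from
the From domain, and wire-transfer / urgency language in the body."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical organisation values (assumptions for the example): the company's
# own mail domain and the people attackers most often impersonate (CEO fraud).
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "chief executive officer"}
PRESSURE_TERMS = ("wire", "urgent", "bank details", "gift card", "confidential")

# Constructed sample: a reported CEO-fraud style message.
REPORTED_FRAUD = b"""From: Jane Doe <jane.doe@outlook-mail.example>
Reply-To: finance.desk@payments.example
To: accounts@example.com
Subject: Urgent supplier payment
Content-Type: text/plain; charset="utf-8"

Please wire the outstanding invoice to the new bank details attached today.
Keep this confidential until I am back from travel.
"""

# Constructed sample: a benign internal message from the real executive.
REPORTED_NORMAL = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch Thursday
Content-Type: text/plain; charset="utf-8"

Shall we move lunch to Thursday?
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return the BEC indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name of a protected person, but sender is not on our domain.
    if from_name.strip().lower() in PROTECTED_NAMES and _domain(from_addr) != INTERNAL_DOMAIN:
        findings.append("display-name impersonation")

    # 2. Replies would be routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to mismatch")

    # 3. Two or more pressure / payment terms in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if sum(term in text for term in PRESSURE_TERMS) >= 2:
        findings.append("payment-pressure language")

    return findings


if __name__ == "__main__":
    for label, raw in (("fraud", REPORTED_FRAUD), ("normal", REPORTED_NORMAL)):
        print(label, "->", triage(raw) or "no indicators")
```

The output of `triage` is a list of indicator names rather than a verdict, so the mailbox owner can decide how many indicators justify pulling the message from other inboxes; a single hit (for example an executive who genuinely mails from a personal address) is often a false positive, while all three together is a strong signal.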
Additionally, employees must be required to take a number of security measures, including using MFA, connecting via a VPN, and encrypting sensitive information. Organisations can also help by directing staff, in company-wide communications, to install all necessary software updates as they are released. With so many staff working remotely, prompt reminders will guarantee business continuity while lowering the risk of human error.
Understanding the Bigger Picture
Organisations must foster a security-conscious culture at all levels, since data breaches can permanently harm a brand’s reputation. Cybersecurity needs to be linked with the other components of corporate culture. Every employee needs to understand how crucial a part they play in safeguarding the information and assets of the company. Cybersecurity should be every employee’s responsibility, not just the subject of an IT email that gets ignored. For cybersecurity measures to eventually become ingrained in people’s behaviour even outside the office, which is crucial for a hybrid workplace, they must be understood to be important.
In a hybrid workplace paradigm, a strong cybersecurity strategy that is primarily people-driven and technologically integrated is the way to go.