Are people still the weakest link in cybersecurity?
The workplace has changed forever. The rise of hybrid working means that employees can enjoy the best of both worlds, working wherever they can find an internet connection and at a time that suits their lifestyle. It is a huge step forward. But securing the workplace in a post-pandemic world requires more than deterrence and incident response; it requires a more proactive approach to cybersecurity that includes the people using the systems.
Organizations spend most of their effort protecting digital assets from attackers outside their infrastructure, but the uncomfortable truth is that the biggest cybersecurity risk is much closer to home. Almost every reported data breach is attributed, at least in part, to human error. The headlines suggest that employees are always at fault. In practice, the disconnect between people and security has far more to do with the behavior and culture within an organization than with any individual's carelessness.
How did we get here?
Cyber attackers target front-line employees and even the most diligent CEOs with sophisticated and often personalized attacks. The average LinkedIn profile and company website are a treasure trove for a spear-phishing campaign: email addresses and the domain naming convention, work histories, reporting lines and connections, and even the tech conference the CEO or head of finance is attending next week.
These details make it easy for an attacker to engineer a believable pretext. Unsuspecting employees are an easy target, but the real goal is the access they hold to the company network. This is one reason why the widely quoted figure of 95% of breaches involving human error keeps appearing.
For an employee, recognizing that an attack has already succeeded is far harder than avoiding it in the first place.
We should be asking how employees came to find themselves on the front line, under constant attack, without the tools and knowledge they need to protect their employers.
What are companies getting wrong?
Organizations typically invest time and money in bolstering their cyber defences and the supporting technology: anti-virus solutions, software and operating system patching, VPNs, encryption, and vulnerability scanning across every device. Then come the support contracts, supplier meetings, and service desk requests. But how much do they invest in raising the cybersecurity awareness of each employee?
The stale approach of the annual security awareness refresher has become a box-ticking exercise.
Bombarding employees with a deluge of information at a time when they already feel overwhelmed by their workload has proved ineffective. Users are still clicking on rogue links and infected attachments.
In a digital age of continuously evolving threats, most employees assume their organization is already protected by the policies and procedures their IT department has put in place. Many are unaware of the repercussions of opening an attachment or clicking a link in an email, or of the role they could unwittingly play in a security breach.
We know that the actions of uninformed employees are likely to lead to cybersecurity incidents. Yet businesses seldom invest in educating their staff about the phishing, social engineering, malware, and targeted attacks that could reach them on any working day.
Improving cybersecurity awareness
Technology can filter out most threats, but it will never stop everything from reaching employees, who are the last line of defence. They face phishing, credential theft, and ransomware attempts daily. Rather than creating a blame culture, every employee needs to be empowered and made to feel part of the solution.
The arrival of a global pandemic changed how we collaborate across teams and stay connected with colleagues. We also need to remember that being bombarded with notifications throughout the day has increased fatigue and burnout.
Staying alert and making good cybersecurity decisions are the last things on the average worker's mind.
The reality, however, is that every application, PC, smartphone, or tablet is a potential attack vector. At the very least, every employee needs to be trained to recognize the common attack vectors and to know how to report a suspected threat so it can be shut down quickly. To get there, leaders must provide training that is short, frequent, and digestible across different learning styles, rather than a single annual session.
Are people still the weakest link in cybersecurity? The answer is more complicated, and more extensive, than the responsibilities of any individual employee. Your people should be seen as your most valuable security assets rather than just another risk. It is time to think bigger than deterrence and incident response. The corporate culture, behavior, and security awareness across the entire company collectively offer greater protection against attackers than any single control.
If we have learned anything from the events of the last 12 months, it is that adapting to change is essential to surviving and thriving. Employees are often the first to spot an attack or potential breach and can mitigate the risk if they know what to do. Cybersecurity is no longer just for IT security professionals; it has become everybody's business, and everyone should be encouraged to play an essential role in protecting the company they work for.