Discussions of cybersecurity tend to center on technology: the tools attackers use to carry out intrusions and the products organizations buy to protect their systems and data. That focus overlooks the single largest contributor to cybersecurity risk: human error.
Human risk in cybersecurity
Proofpoint's 2024 Voice of the CISO report found that nearly three out of four (74%) chief information security officers (CISOs) named human error as their organization's biggest cybersecurity vulnerability, up sharply from 60% the year before. The report also exposed a gap between CISOs and their boards: only 63% of board members attributed the top risk to human error. That disconnect means CISOs must educate leadership as well as employees.
Several of the leading causes of data loss identified in the survey trace directly to employees. The most common (42%) was careless or negligent insiders, for example an employee mishandling data. Other causes were malicious or criminal insiders (36%), stolen employee credentials (33%), and lost or stolen devices (28%).
The IBM X-Force 2024 Threat Intelligence Index supports this picture: 30% of the incidents it analyzed began with phishing. Phishing has nonetheless declined since 2022, both in volume and as a share of initial access methods, a drop the report attributes to organizations continuing to deploy and refine anti-phishing controls and tactics.
Even when a person made the mistake that led to a breach, the failure is rarely that individual's alone, criminal insiders excepted. Organizations need to take a proactive stance: train employees in secure practices, and at the same time put technical and procedural controls in place that limit the damage a single mistake can do.
Reducing employee mistakes in cybersecurity
Mitigating human cybersecurity risk is not straightforward. No single program or training session will solve it. Organizations instead need a comprehensive approach that builds a security culture and leads every employee to treat cybersecurity as part of their job.
Here are three ways to tackle human risk in cybersecurity:
1. Use AI tools to counter human error
AI-based security tools can learn what normal user behavior looks like and flag activity that deviates from it, which makes them well suited to catching the errors and targeted attacks that get past people. The Proofpoint report found that 87% of global CISOs plan to deploy AI-powered capabilities to protect against human error and advanced people-centric threats.
2. Deliver thorough, ongoing employee training
Many companies run training sessions, but these are often superficial and produce neither lasting behavior change nor a genuine focus on security. When designing a training program, take a holistic approach and tailor the content to the needs of different employee groups.
Start by analyzing past incidents to identify the topics that matter most, such as which groups of employees repeatedly fall for phishing attempts. Replace the annual session with short modules delivered monthly so the material stays fresh. Include cybersecurity training in onboarding as well, so every new hire starts with the same baseline.
3. Build a security-conscious culture
It is easy for employees to assume cybersecurity is someone else's job. Reducing human risk starts with changing that assumption and getting every employee to take ownership of security. Training is essential to that shift, but so is keeping security visible across the whole organization. A security mindset starts at the top, with leaders talking about cybersecurity regularly and making its importance clear.
Prioritizing human risk in cybersecurity
Cybersecurity begins and ends with people: the people who launch attacks and the people who can stop them. By concentrating on the human element, an organization can substantially reduce its risk. That change does not come from one training session or even a few months of effort. Organizations must treat it as a long-term commitment whose goal is for every employee to understand that they can influence the organization's security.