13 Aug The Human Error
With almost 88% of data breaches being caused by an employee mistake, a strong human risk management programme with regular employee training and cybersecurity awareness is critical, says Carey van Vlaanderen, CEO of ESET Southern Africa.
Ask any cybersecurity specialist about their biggest network safety concern, and it’s likely that they’ll answer: the human element. No matter how resilient or intelligent the cybersecurity solution, it can only be as effective as its weakest link, and people are always a risk. Whether it’s recycling passwords, a company laptop being stolen or lost with confidential client information, or intentionally overriding company security policies – humans are the biggest threat in the cybersecurity space. Chief Security Officers, CIOs and individuals in similar positions of responsibility spend a lot of their time worrying not about technology, but about people.
Humans make mistakes. These mistakes range from failure to properly delete data from devices to preventable errors like clicking on links in phishing emails, to misconfigured network devices and servers. Humans are also capable of negligence, unfortunately. Data leaks that arise because of human error, such as failure to update security patches or correctly configure servers with known vulnerabilities, are on the rise and now occur almost as frequently as direct security attacks. Then there are insider threats, which are unimaginably difficult to detect. From malicious employees or an employee whose credentials have been compromised, all of these vulnerabilities share a common root: humans.
Managing human risk from the inside
An effective programme for managing human risk involves several key components. These include providing regular training and increasing employee awareness, establishing clear policies and procedures, maintaining efficient communication channels, developing plans to respond to security incidents, and conducting regular security assessments to identify and minimise potential risks. Other necessary steps include implementing robust access controls, monitoring network activity, reviewing and updating security policies while fostering a culture that prioritises security. Cybersecurity awareness and training work hand-in-hand to address the human element of risk in a number of ways:
Prevention of human error: Awareness
and training can help employees
understand their role in maintaining
security integrity and avoid common
mistakes that can lead to breaches. For
example, they can learn how to create
strong passwords, how to identify
phishing emails and how to properly
handle sensitive data.
Early detection: Cybersecurity
awareness and training can teach
employees how to recognise and report
suspicious activity. This can help identify
security incidents early, allowing for a
quicker response and minimising the
impact of an attack.
Improved incident response:
Employees who have received
cybersecurity training is more likely to
know how to respond to security incidents
by following established procedures and
protocols to minimise the damage caused
by an attack.
Creating a culture of security:
Cybersecurity awareness and training can
help create a culture of security within the
enterprise. When employees understand
the importance of security and their role
in maintaining it, they are more likely to
take it seriously and make it a priority.
Focusing on managing human risk and security training requires strong leadership from within. Leadership commitment is a key ingredient in achieving the organisational momentum needed to create an ongoing culture of learning and growth. With executive buy-in, sustained investment is possible in the necessary training and development resources such as courses, workshops and mentorship programmes.
Balancing security training and production
With the increasing tech talent shortage in the Middle East, CIOs are scrambling to ensure that employees brush up on skills and technologies that facilitate business agility and resilience, with cybersecurity knowledge topping the list, despite competing priorities.
Training and upskilling need to be a deliberate exercise, but small teams are often vulnerable to the delivery pressure created by the current needs of the business. This means that critical training (such as cybersecurity training) takes second place behind current projects, which results in a short-term productivity gain at the expense of long-term skills progress. Creating a balance of short-term project delivery and upskilling/training as outputs to current projects is essential.
Constant vigilance and continuous learning
By providing regular cybersecurity training and increasing employee awareness, organisations can prevent human errors, detect incidents early, improve incident response and create a deep culture of security. As cyber threats increase in complexity and frequency, investing in security skills training is a critical step towards ensuring the protection of people, assets and data from threats, both internal and external.