To Err is Human: The Fallibility in Cybersecurity

cost of cyber attacks to the global economy - IX TelecomHumans are the weakest link in cybersecurity, and the large mismatch between the demand and supply in the cybersecurity workforce only makes it worse. According to Deloitte, the invisibility of cyber risks due to the skill gap in organizations can cause a pitfall as its management is typically delegated among lower-level IT professionals and service providers, and less that of senior-level and digital transformation leaders.

Let’s run the numbers: by 2021, we can expect 3.5 million unfilled cybersecurity jobs alongside a 6 million annual cost of cyber attacks to the global economy. To echo the issue, ISACA State of Cybersecurity 2019 reports a close 70% of respondents perceiving their companies’ cybersecurity team as understaffed. This begs the question: with the skill gap remaining an industry conundrum without closure, are organizations undermining the human element in cybersecurity?

The Human Element
As “The Human Element” dons the front page and main theme of RSA 2020, across all topics of cyberthreats, the conference highlighted the often-overlooked dimension of cybersecurity: people themselves – the make or break, the human factor.

human aspect of cybersecurityIn a world interconnected, the network of networks is the entire internet of people and things, where every machine-to-machine connection is moderated human interaction. Such networks can be those of collaborations, but also of opposition and threat – there is no inside or outside. Hence, amidst rapid technology advancements making the gazettes, humans remain central to cybersecurity in a multiplex manner: not only are we the target, we are also the solution and the problem.

As cyberthreats persist in pulling back the ideal promises of digital transformation, what remains a limiting factor and a glaring pitfall in any organization’s security strategy are humans themselves. How much do human errors cost in organizations’ cybersecurity strategies? Let’s take a look at the numbers reported in the 2019 Cost of a Data Breach Report from IBM and the Ponemon Institute:

humans are the weakest link in cybersecurity

From the statistics shown, it is also worth echoing findings by OGL Computer – healthcare is deemed a top-listed sector under the cyberthreat-spotlight, followed by telecommunications and the legal industry. Verizon reports that 31% of healthcare breaches are caused by human error, making it a bigger concern than phishing and malware. With integrated security, IX Health provides digital solutions to drive seamless efficiency in healthcare.

The human fallibility is the highlight of cyber attackers’ playing ground, exploited in their social engineering attacks. Compared to malicious breaching using brute force, deceiving users into compromising their own networks has proven to be easier work for them. To err is human – and in the case of cybersecurity, we’re all vulnerable to cyber incidents resulting from errors in human perception, judgment, decision, or execution.

Social engineering attacks against enterprises have grown to be more complex and sophisticated. Unfortunately, there is no absolute assurance that human error can be avoided, be it skill-based or decision-based carelessness. Regardless, it shouldn’t be left inevitable – it’s vital for companies to ensure a risk-smart culture among their employees so that they are capable of identifying social engineering attacks and responding to them.

Nurturing the human firewall
Amidst the rapid adoption of digital technologies across different sectors, it is easy to forget the human dimension that mediates it. All the hype around AI and ML technology can give us the misconception that it’s all about machines – an automation takeover making our existing human workforce obsolete, some might say. Alas, it’s not all there is. People play a key role in defending your organization and identifying threats that could pose a threat to your security.

human error in cybersecurity
The big cruncher is how to prevent human error in cybersecurity – it’s all in the foundation.

To establish a strong posture against the landscape of cybercrimes, reinforcing each aspect of their infrastructure – especially the human aspect of cybersecurity should go hand-in-hand with adopting industry-grade cybersecurity solutions. With the right investment in training and engaging the workforce in cybersecurity awareness, companies can help develop the right behavior in their employees. Employees’ keen ability in recognizing and responding to threats can be the deciding factor on whether or not they fall prey to cyberattacks.

Cyberthreats may render the fall of businesses, but organizations can also rise above it. With the emphasis on the human dimension in cybersecurity strategies, companies can fend against the shape-shifting cyberthreat landscape by shaping a cyber-minded, risk-smart culture in the workplace. This, of course, starts with CEO leadership. The serious undertaking of cybersecurity by leaders will permeate throughout the organization, and help create a culture of enhanced cybersecurity awareness in all levels.

Nurturing the human firewall to boost the organization’s security culture is mainly done through employee education, minimizing human vulnerability, and staying aware of new threats. Some of the key ways to achieve this are as follows:

Engross the workforce in security-related simulations
Aside from promoting best practices in cybersecurity and compliance methods, companies must also focus on Security-as-Code in training employees to think and act with security in mind. Shift away from conventional training methods – instead, look into innovative forms of experiential and real-time learning, such as cyberattack and phishing simulations to engross them in security-related situations. With hands-on practice, employees can also learn the correct response to potential threats.

Jump on gamification techniques to foster a security-centric mindset
When it comes to polishing the right security behaviour, companies need to work out what works best for their people instead of forcing a one-size-fits-all. Whether it’s a straightforward practice-and-reward system, storytelling micro-videos, or even gamification through cyber knowledge assessment quizzes, escape rooms, and war-gaming exercises, these techniques can enhance cybersecurity training and incentivize and reward people who demonstrate positive behavioural changes.

Create an ecosystem of security education
Building a security-as-code culture requires top-down leadership commitment and not one-off events. Collaborative work among HR leaders with CSOs and IT security teams is needed to map out the risk landscape, define organizational tolerance, and mitigation steps without overlooking the external ecosystem of customers, B2B clients, and third parties. Within the workforce itself, ensuring that security stays at the forefront is to always encourage discussion surrounding it, promote simple security procedures, encourage reporting on incidents, advocate inquiry as part of the learning process, and use multiple channels like posters and reminders to help employees keep security in mind.

IX and Cybersecurity: Machine-driven, Human-mediated
As humans remain the constant mediator in the equation of digital transformation, we ought to look at the human risk in a different light. The IX approach is essential and direct – navigate, integrate, support. In that sense, we are committed to making borderless connectivity not only seamless but also secure. Driven by the latest technologies in our suite of cybersecurity solutions, we leverage the powers of machine-driven analytics and automation, without ever losing sight of the human touch.