How to strengthen the human element of cybersecurity

[Image: IT professional works in front of a laptop. Credit: Unsplash]

The best defense against cyberattacks is not a technological cybersecurity solution but an empowered human element, said Perry Carpenter, cybersecurity veteran, author and Chief Evangelist-Security Officer for KnowBe4.

Verizon Business’s 2022 Data Breach Investigations Report revealed that the human component continues to be the root cause of data breaches, accounting for 82% of all attacks. Attacks are also becoming more aggressive: ransomware is up 13% in 24 months, a rise higher than the past five years combined.

“As we continue to move into an increasingly digitized world, effective technological solutions, strong security frameworks and an increased focus on education will all help keep businesses safe and customers protected,” said Hans Vestberg, CEO and chairman of Verizon.

Verizon’s report reveals the cost of human impact. “People remain – by far – the weakest link in an organization’s cybersecurity defenses,” the company says.

KnowBe4, a security awareness training and mock phishing platform, recently released a resource kit designed to help IT and infosec professionals strengthen the human component of their security. The organization said IT professionals still face challenges when it comes to creating a security awareness program.

Speaking with TechRepublic, Carpenter shared the lessons about the human side of security that he has learned over the past few years. He warns that while rising cybersecurity statistics are a major concern, businesses should look beyond them.

“Unfortunately, knowing about cybersecurity threats is only half the battle. Doing something about it – and, more importantly, doing something that impedes them – is where you really should be spending your time,” Carpenter said. He explained that even those who study security awareness suffer from a fatal flaw: the gap between knowledge, intention and behavior.


The gap between knowledge, intention and behavior

“Just because your team members know something doesn’t mean they’ll care,” Carpenter said. The gap between knowledge, intent, and behavior explains why security breaches continue to occur despite the investment companies are making in building strong cybersecurity awareness programs for all workers.

According to Carpenter, workers may be aware of the threats and risks, how they work and what they need to do to avoid them, but still fail to take the necessary actions to protect the company.

To reverse this situation, organizations need to close the gaps between knowledge and intent so that correct behavior follows among their employees. This requires an approach that the highly technical cybersecurity industry struggles with: working with human nature.

Working with human nature

Effective cybersecurity programs work with human nature because cybercriminal organizations have become experts at manipulating it. Executives may wonder why their employees, if they are informed, still fall for all kinds of scams and phishing campaigns.

The answer, according to Carpenter, has nothing to do with how smart the employees are. The most successful techniques for breaching a system do not depend on sophisticated malware but on how well they manipulate human emotions. Attackers exploit natural curiosity, impulsiveness, ambition and empathy.

Another method is the old marketing technique of offering things for free. Clickbait bulk ad campaigns can be incredibly effective and are a gateway for cybercriminals to deliver malware and ransomware. They promise cash, investment opportunities or just a free car wash, knowing that it is very difficult for people to resist a seemingly harmless and attractive offer.

Another rising trend is the manipulation of human empathy. In 2020, the FBI warned of emerging COVID-19-related fraud schemes, and in May 2022, the FBI’s Internet Crime Complaint Center (IC3) warned that scammers were posing as Ukrainian organizations soliciting donations. Criminals will stop at nothing, using humanitarian crises or the aftermath of natural disasters to craft social engineering attacks.

Cybercriminals also create highly personalized attacks using employee information obtained through social media and online sites. Additionally, if they know an employee reports to a manager, HR or the company’s CEO, they will leverage that relationship and pose as authority figures within the organization. “They send fake messages from the CEO with instructions to transfer funds to a fake vendor account or lure employees into other fraudulent Business Email Compromise (BEC) schemes,” Carpenter said.


Communication, behavior and cultural management

Carpenter explained that companies should provide their employees with ongoing security training in three areas:

  • communication
  • behavior
  • cultural management

He shared key points with TechRepublic that leaders can use to create lessons for each section.

Communication lessons

  • Understand your audience and what they value.
  • Captivate people’s attention and connect them with emotions: Make your message compelling. Don’t just share facts, use stories and examples to make a connection.
  • Have a clear call to action: Tell your teams specifically what they need to do.

Behavior lessons

  • Recognize the gap between knowledge, intent and behavior as a reality that impacts any behavior you choose to encourage or discourage. Your team members may have the knowledge they need and the best intentions, but your ultimate goal is to influence their behavior.
  • People are not rational. We need to help them with prompts, tools and processes that make the desired behavior easier and feel more natural.
  • Place tools and training as close to the point of behavior as possible.

Culture management lessons

  • Understand your culture as it currently exists using culture measurement surveys, focus groups, observations and more.
  • Identify potential “culture bearers” who are equipped and empowered to support the mindset and behaviors you want to demonstrate across your team.
  • Design structures, pressures, rewards, and rituals that are ongoing and address the unique differences between different groups.

EPM and phishing simulations

In 2021, IBM announced that the average cost of an endpoint attack was $4.27 million. As hybrid working models become the norm and the attack surface expands with millions of new devices connected outside corporate networks, cybersecurity solutions such as Endpoint Privilege Management (EPM) and phishing simulations are being upgraded to address these vulnerabilities.

Accenture recently highlighted how EPMs could enable users to do their jobs efficiently and securely without risking security breaches. EPMs give endpoints a minimum set of privileges by removing administrative privileges from the user base and controlling which apps are allowed to run. “Only verified, trusted applications are allowed to run, and they do so with the lowest possible privileges,” Accenture explains.

Another security tool that is becoming increasingly important for identifying human-element vulnerabilities and plugging the gaps while educating users is the phishing simulation. IT teams run simulated phishing campaigns to see how employees actually react. This allows teams to test their security posture, identify vulnerabilities and learn from each simulation.
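The value of a phishing simulation comes from what the team learns afterwards: which groups clicked, which reported, and how quickly. The following script is an added example, not code from the article or from KnowBe4, and it assumes a constructed event export with one `timestamp,user,department,event` line per event (real platforms export their own schema). It deduplicates repeated events per user, computes per-department click, credential-entry and report rates, the median time from delivery to report, and flags departments that need targeted follow-up training.

```python
"""Score a phishing-simulation campaign per department (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample export (not real campaign data): "timestamp,user,department,event".
# Events: delivered, clicked, credentials (entered on the training landing page), reported.
SAMPLE_EVENTS = """\
2024-03-04T09:00:00,alice,finance,delivered
2024-03-04T09:00:00,bob,finance,delivered
2024-03-04T09:00:00,frank,finance,delivered
2024-03-04T09:00:00,grace,finance,delivered
2024-03-04T09:00:00,carol,engineering,delivered
2024-03-04T09:00:00,dave,engineering,delivered
2024-03-04T09:00:00,heidi,engineering,delivered
2024-03-04T09:00:00,ivan,engineering,delivered
2024-03-04T09:00:00,erin,sales,delivered
2024-03-04T09:00:00,judy,sales,delivered
2024-03-04T09:01:00,heidi,engineering,reported
2024-03-04T09:03:12,alice,finance,clicked
2024-03-04T09:03:40,alice,finance,credentials
2024-03-04T09:05:00,bob,finance,reported
2024-03-04T09:06:30,carol,engineering,reported
2024-03-04T09:10:00,dave,engineering,clicked
2024-03-04T09:12:00,dave,engineering,reported
2024-03-04T09:15:00,judy,sales,reported
2024-03-04T09:20:00,frank,finance,clicked
2024-03-04T09:21:00,frank,finance,clicked
2024-03-04T09:30:00,erin,sales,clicked
"""


@dataclass
class DeptStats:
    delivered: int = 0
    clicked: int = 0
    credentials: int = 0
    reported: int = 0
    report_delays: list[float] = field(default_factory=list)  # seconds, delivery -> report

    @property
    def click_rate(self) -> float:
        return self.clicked / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.delivered if self.delivered else 0.0

    @property
    def median_report_seconds(self) -> Optional[float]:
        return median(self.report_delays) if self.report_delays else None


def parse_events(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed export; blank and '#' lines are ignored, output is time-ordered."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dept, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, dept, event))
    events.sort(key=lambda e: e[0])
    return events


def summarize(events: list[tuple[datetime, str, str, str]]) -> dict[str, DeptStats]:
    """Aggregate per department, counting each (user, event) pair only once."""
    stats: dict[str, DeptStats] = defaultdict(DeptStats)
    seen: set[tuple[str, str]] = set()
    delivered_at: dict[str, datetime] = {}
    for ts, user, dept, event in events:
        if (user, event) in seen:  # a second click by the same user is not a second victim
            continue
        seen.add((user, event))
        s = stats[dept]
        if event == "delivered":
            s.delivered += 1
            delivered_at[user] = ts
        elif event == "clicked":
            s.clicked += 1
        elif event == "credentials":
            s.credentials += 1
        elif event == "reported":
            s.reported += 1
            if user in delivered_at:
                s.report_delays.append((ts - delivered_at[user]).total_seconds())
    return dict(stats)


def needs_attention(stats: dict[str, DeptStats], max_click_rate: float = 0.25,
                    min_report_rate: float = 0.5) -> list[str]:
    """Departments to prioritise for training, worst click rate first (thresholds are assumptions)."""
    flagged = [d for d, s in stats.items()
               if s.click_rate > max_click_rate or s.report_rate < min_report_rate]
    return sorted(flagged, key=lambda d: (-stats[d].click_rate, d))


def campaign_report(stats: dict[str, DeptStats]) -> str:
    lines = ["department     sent  click%  cred%  report%  median_report_s"]
    for dept, s in sorted(stats.items()):
        med = "-" if s.median_report_seconds is None else f"{s.median_report_seconds:.0f}"
        lines.append(f"{dept:<13} {s.delivered:>5} {s.click_rate:>7.0%} "
                     f"{s.credentials / s.delivered if s.delivered else 0:>6.0%} "
                     f"{s.report_rate:>8.0%} {med:>16}")
    return "\n".join(lines)


if __name__ == "__main__":
    campaign = summarize(parse_events(SAMPLE_EVENTS))
    print(campaign_report(campaign))
    print("follow-up training:", ", ".join(needs_attention(campaign)))
```

Report rate matters as much as click rate: a user who clicks and then reports still gave the security team a detection signal, whereas a department with a low click rate but no reports has not learned the behavior the training is meant to encourage.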

“Even when you have achieved transformative results, your journey rarely ends. Bad actors will continue to innovate ways to thwart our best efforts. Your response will be to constantly adapt and commit to a process of continuous improvement,” said Carpenter.
