No matter how sophisticated a cybersecurity threat is, there is a common thread we find in most attacks, and that is the human element.
When we examine recent examples of prominent data breaches, we find that human error was a common catalyst in how each breach escalated. The ransomware used in the 2021 Colonial Pipeline cyberattack was installed after attackers compromised an employee’s password through phishing. The 2022 cyberattack on the U.S. Department of Labor used two methods of impersonating department email addresses, spoofing the real address and buying a look-alike domain, to trick personnel into sharing information.
Whether it is clicking a link that should not be clicked, downloading something malicious, or another common mistake, human behavior remains the weakest link in the cybersecurity chain during attacks.
This is a reality that cybersecurity professionals, government leaders, and C-suite decision makers face, yet this glaring challenge has been overlooked. We believe the human element of cybersecurity is worth investing in wholeheartedly.
What human-first cyber education looks like
Training is a crucial investment for any organization, but what does human-first training look like? Absent hands-on instruction, which we highly recommend, start by communicating these best practices to staff across the business and government landscapes.
- Be careful with credentials. When a link takes you to a login page, do not enter any credentials there. Instead, navigate to the login page yourself without using the link. For example, when a bank emails or texts a link to a login page, do not enter credentials on that page; go directly to the bank’s website and log in there. The same practice applies in a professional setting.
- Multi-factor authentication (MFA): MFA adds another layer of defense against attempts to log into an account. Additionally, enabling authentication notifications through MFA warns users of suspicious activity on an account. When this occurs, the suspicious activity should be promptly reported to IT, and the compromised password should be changed immediately.
- Pick passphrases over passwords: A passphrase is a password made up of a series of words, with or without spaces between them. When creating a passphrase, four words should be sufficient, but five is better. Avoid common words, well-known quotes, and the like. Most importantly, use a unique passphrase for every account.
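As an added illustration (not part of the original article), a small policy check that applies the passphrase rules above: word count, avoidance of common words, and no reuse across accounts, with an entropy estimate that shows why five words beats four. The common-word list is a constructed stand-in and the 7776-entry wordlist size is an assumption matching a diceware-style list.

```python
import math
import re

# Constructed, abbreviated list of words a passphrase should avoid; a real
# deployment would use a much larger list (an assumption, not from the article).
COMMON_WORDS = {"password", "welcome", "admin", "login", "qwerty", "letmein"}

# Assumed size of a diceware-style wordlist (the EFF large list has 7776 entries).
WORDLIST_SIZE = 7776


def estimate_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random from a
    wordlist of wordlist_size entries. User-chosen words are weaker than this."""
    return word_count * math.log2(wordlist_size)


def check_passphrase(phrase: str, used_elsewhere: frozenset = frozenset(),
                     min_words: int = 4, preferred_words: int = 5) -> dict:
    """Apply the article's rules: at least four words (five is better), no
    common words, and no reuse across accounts. Returns a report dict."""
    # Split on anything that is not a letter or digit so "a-b-c" and "a b c" both count.
    words = [w for w in re.split(r"[^A-Za-z0-9]+", phrase) if w]
    problems = []
    if len(words) < min_words:
        problems.append(f"only {len(words)} word(s); use at least {min_words}")
    common = sorted({w.lower() for w in words} & COMMON_WORDS)
    if common:
        problems.append("contains common words: " + ", ".join(common))
    if phrase in used_elsewhere:
        problems.append("passphrase is already used for another account")
    return {
        "word_count": len(words),
        "entropy_bits": round(estimate_entropy_bits(len(words)), 1),
        "meets_preferred_length": len(words) >= preferred_words,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # Constructed sample: a phrase already used on another account.
    reused = frozenset({"copper lantern river quiet"})
    for candidate in ("correct horse battery staple", "password welcome cat",
                      "copper lantern river quiet", "maple orbit velvet canyon drift"):
        print(candidate, "->", check_passphrase(candidate, reused))
```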
Cybersecurity education may differ depending on an organization's exact pain points, but the central focus of the human-first approach should always be protecting individual and organizational information. These tips should better position businesses and government teams to accomplish that goal.
How to run a human-first cyber plan
Businesses and governments have lately done an admirable job investing in cybersecurity tools to protect their most valuable assets, but organizations must ensure that they use these tools as effectively as possible.
Suppose a company purchases state-of-the-art cybersecurity protection software. Is implementing this tool and trusting its capabilities enough to thwart threats? The answer is no, not without sufficient human input and oversight.
Another key consideration is how organizations make sure they are testing their processes and procedures to verify that they work. Decision makers need to ensure that cybersecurity tools are monitored closely, configured correctly, and applied in a manner that lets their organization get the best risk/return on the investment.
Many of today’s cybersecurity practices have become extremely granular, and rightly so. Yet with increased detail, organizations tend to miss the step of scrutinizing why the process is in place, why it matters, and whether it is working effectively.
Beware the trap of investing in the latest and greatest tools, without conducting the necessary human education and monitoring that those tools require in order to achieve optimal security.
Investing in humans will pay dividends
Remember, this is not just a security issue. This is a business issue.
From a consultant’s perspective, we advise organizations to assess their current risk posture and determine how to most efficiently and effectively navigate the risk environment.
Effectiveness will come from a more educated staff, equipped with the knowledge they need to limit individual and organizational cyber risk exposure.
Efficiency will result from the dividends that human education investments pay over time. Commit resources towards ensuring that personnel know their cybersecurity responsibilities, and how they can best navigate issues as they arise. While tools and technology play a critical role, the human factor is guaranteed to feature heavily in every cyber incident. The question is, how will organizations ensure that their teams are equipped to handle those incidents?
The best place to start is investing in their education.