Please note: This post was written by Highlander prior to their rebrand to FluidOne Business IT - Sheffield.
Cyber risk is heavily mitigated by technology defences such as firewalls, antimalware, and intrusion-prevention systems. However, there is still a heavy reliance on human defences that is far too often overlooked. After all, making mistakes is part and parcel of being human, and a fundamental element of the learning experience. Unfortunately, when it comes to cybersecurity, being human can prove incredibly costly for businesses…
Human error is tricky to address as it encompasses a vast range of actions – from downloading a malware-infected attachment to failing to use a strong password. When you add our increasingly advanced and complicated modern work environments to the mix, it’s not hard to see why employees are inclined to take shortcuts in order to make life easier for themselves.
It’s also important to acknowledge that cybercrime doesn’t need to be technically advanced to be successful. Social engineering is playing an increasing role in security breaches, exploiting busy and stressed employees who hand data or credentials straight to bad actors – without the need for a single line of malware to be written.
Businesses need their personnel to be vigilant and security smart; able to spot and avoid risks as they appear in their inboxes and web browsers. And while there’s an abundance of technology available to counterbalance human error, it’s definitely not infallible. So, the question is: how good is your human firewall? And more importantly, how do you measure its efficacy? Enter cyber risk testing and awareness training.
From Microsoft to KnowBe4 and Mimecast, there are plenty of platforms that will convincingly simulate an attack that has ‘breached’ other technological defences in order to test how much you can rely on your people to appropriately identify and avoid cyber criminality. The user population can then be scored and risk assessed to reveal where the most vulnerable personnel exist and who to target with training to shore up your human defences. Campaigns can be activated as frequently as required and even targeted towards the lowest-scoring personnel to see if you’re moving the needle on their cyber awareness.
Of course, this also raises the matter of training. For all employees, continuous training injects cyber threat vigilance into daily routines. Building understanding of the latest social engineering techniques, common intrusion tactics and hazardous personal habits makes them savvier as human firewalls. And while cyber risk is a dry subject at the best of times, leading vendors such as Mimecast have adopted an engaging, humorous approach to their training videos, helping ensure messages of risk hit home in a memorable and ‘watchable’ way. Other vendors have adopted gamification approaches to try and penetrate the employee psyche with the importance of cyber risk.
Aside from the obvious benefits of cyber risk training, there are in fact other factors at play which could (and should) encourage you to focus more heavily on your human defences.
More businesses are considering cyber risk insurance, and insurers such as Hiscox are making a lot of noise about their cover given the rising trend and frequency of attacks. However, cyber insurers will penalise (or even worse, refuse to insure) businesses that can’t demonstrate they have taken care of this vulnerability.
More businesses are seeking to achieve cyber accreditations such as Cyber Essentials to demonstrate their cybersecurity commitment to their customers and suppliers. Cyber Essentials is a government-accredited scheme – the advanced version of which demands that human risk is adequately accounted for and regularly tested to achieve and maintain the accreditation.
Human error is one of the biggest risks threatening businesses today, contributing towards an estimated 95% of cybersecurity breaches according to the recent IBM Cyber Security Intelligence Index Report. However, it is arguably the easiest to prevent. By comparison, taking care of human risk is proportionately better value for money than investment in many other cyber technologies, and makes most fiscal sense as part of a cyber risk strategy.
Building a pervasive culture of cyber readiness expands organisational resilience manyfold. Get in touch with the experts at Highlander to discuss shoring up your human firewall and formally recognising your efforts to combat cyber threats.