A survey conducted by the British government shows that, in 2022, 39% of businesses identified a cyber-attack. This figure excludes the businesses that were attacked and remained unaware of the breach and the damage it caused.
With over a third of UK businesses affected, it raises the question – what can we be doing better to protect ourselves, our data, and our clients?
In such discussions, the term ‘Human Factors in Cyber Security’ arises. This topic focuses on how employees in a business interact with systems and with other people, and how the actions they take can have either a positive or a negative effect on the overall security posture of a company.
Every employee processes information, relies on intuition and acts in their own way. Well-intentioned employees will always act on the information and skills they have been given and on what they perceive to be right. Sometimes, this leads to human error.
Humans: the Weakest Link?
It is very common to see expressions like ‘Humans are your weakest link’ when discussing this topic, and statistically they are. IBM states that 90% of cyber-attacks are made easier by human error, which is a startling statistic to read.
However – you can’t lay blame on an employee who has clicked on a phishing email with no training to guide them otherwise, or on an employee who hasn’t updated their software when no policy states how and when to do so.
Therefore, a more accurate way to look at this topic would be as follows:
‘Humans can be your weakest link, but they can also be one of your strongest.’
Which of the two they become depends on how much time and dedication is given to Cyber Security fundamentals training, and on whether an organisation revisits and reinforces these topics over time.
In this blog post, we will explore the potential instances of human error, why it happens, and what you can do to ensure your employees are your strongest link, not your weakest.
The Human Element of Cyber Security
According to the UK government, 51% of businesses have a cyber skills gap, with 21,600 new recruits needed each year. In a hacker’s eyes, this is 21,600 more opportunities to exploit your systems. By taking advantage of human morals and initiative, attackers will look to exploit employees in any way they believe is possible.
This is known as social engineering, and it is a very common practice among hackers. It is important to be aware of it, to know how to spot it, and to know how to avoid it.
What is Human Error?
Human error is an action taken by an employee, deliberate or not, that has negative consequences for the company. Examples of such consequences include:
● Data breaches and leaks that result in hefty fines and a loss of reputation and trust.
● Security breaches that see bad actors enter systems and exploit known and unknown weaknesses.
● Incidents such as ransomware attacks.
Small error? Big consequences.
Common Types of Human Error
Within social engineering, there are a number of ways a hacker can lure an innocent employee into making errors. Common tactics include playing upon their morals and instincts and using personal information against them.
As mentioned, we cannot blame an employee for clicking on a phishing link if they have received no training. A trained employee would know the signs that suggest the email is illegitimate, and immediately report it to the IT team. This is an example of a strong link.
An untrained employee would click on the link in the email – constituting human error – and potentially give a bad actor access to business systems. From there, the actor could take advantage of other weaknesses and unpatched vulnerabilities, depending on their end goal.
Password policies are also subject to human error. Following the password policy is considered a basic security practice, especially where sensitive data is involved, but it is very easy to ignore or get wrong. Weak or default passwords are easily exploited by brute force attacks. It is the responsibility of the employee to ensure their password meets the standard set out in the company password policy.
A successful brute force attack could give unauthorised access to a system, but this is not the only attack an adversary may deploy. Shoulder-surfing and tailgating are techniques used to gain access to sensitive locations or data, and both are examples of social engineering. The human error here would be ignoring policy in order to carry out a ‘good deed’, or failing to consider the privacy of one’s work in a public setting.
The Psychological Factors
There are many reasons human error occurs – one significant cause being psychological factors. In many cases, psychology plays a huge role in Cyber Security and in the actions we take. It is important to understand this in order to choose the best mitigations to put in place.
One of the most prominent psychological factors seen in the workplace is cognitive bias: a systematic inability to process information objectively, which can lead to rash and harmful decisions.
In a Cyber Security context, there are four you should be aware of:
● Decision fatigue – Being in a fast-paced or highly stressful environment can become mentally fatiguing, meaning employees forget basic security practices.
● Anchoring / Choice overload – Becoming biased towards the first reasonable suggestion that lets you move on with a task, while overlooking important factors.
● Affect Heuristic – Letting emotions drive a decision, meaning that if we take a liking to somebody we are more likely to follow their lead.
● Herd mentality – If they are doing it, then I can/should too!
Alongside these cognitive biases sits complacency. The self-satisfaction of feeling that you are doing the right thing, while remaining unaware of the possible dangers, is emotionally rewarding. To reach that short-term contentment, employees may become complacent in their work.
A clear linking factor is a highly stressful or unhealthy working environment. With more encouragement, time and support, employees are much less likely to fall prey to these biases and to complacency, and are therefore able to make more considered, sensible decisions. In turn, this shapes them into strong links and encourages a stronger security posture.
Cyber Security Awareness and Training
Another of the top human factors in cyber security to consider is Security Awareness Training.
Designed to inform employees what cyber security is and how they can improve their everyday practices, it is a crucial part of ensuring a strong cyber security posture and environment.
Training sessions are not one-size-fits-all, and different approaches suit different companies. Companies with very little knowledge of cyber threats may choose in-person sessions, leaving room for advice and questions to better understand the topic. Others prefer online courses and interactive videos.
Cyberfort offers a Managed Security Awareness training program that simulates phishing, vishing and smishing attacks. Using numerous templates delivered consistently, it gives you feedback on how your employees perform and highlights areas to address in the future.
Managed Security Awareness training is an absolute non-negotiable for your digital strategy, to ensure that employees are thoroughly knowledgeable on cyber security fundamentals. These training sessions should be held at least annually, with the content kept up to date and refreshed frequently, encouraging long-term retention and a natural instinct to follow best practices.
Technology Solutions to Mitigate Human Error
Alongside ensuring a positive learning environment and frequent training, we encourage companies to put technical defences in place that reinforce best practices.
To counteract weak passwords, or software that does not enforce a password policy, multi-factor authentication should be used. While this is not foolproof and can still be subject to social engineering attacks, it adds an extra layer of defence in the unfortunate event that a password is guessed.
A password can only ever be as strong as how it is stored, so password managers should be encouraged. A common reason for weak password management is the worry of being unable to remember a strong password – so providing a solution is likely to encourage much better practice now and in the future.
However, much of the time, IT departments are overrun with responsibility and struggle to keep on top of monitoring employee activity, as well as ensuring the full functionality of the company and its systems for their clients.
With this in mind, SIEM solutions, such as the one offered by Cyberfort, automate activity monitoring and flag suspicious activity using threat intelligence and historical data sets. Considered a full package, a SIEM prioritises the crucial alerts, so less time is spent worrying about security and more time is spent advancing the business.
Creating a Security-Conscious Culture
Circling back, it is crucial to encourage an environment where best practices are taught, learnt and practised. Biases such as herd mentality will then work in your favour, reinforcing a stronger security posture and a positive culture, provided that human factors are actively discussed and employees feel comfortable contributing and asking questions.
In doing this, the aims and values of the company will naturally be reflected in business calls, which is critical for consultants who are onboarding new clients. Not only does this benefit the business, it also encourages clients to follow suit, exploring the human factors in cyber security and limiting their effects.
An example of such a culture can be found in one of our case studies – DealTrak worked with Cyberfort to review its most crucial areas of data protection and their overall processes. The leading transaction platform gained a more thorough understanding of how they handle their data and implemented strategies for improvement.
Incident Response and Continuous Improvement
Despite all the advice and training possible, everybody is likely to fall victim to a cyber-attack at some stage. Situational factors such as tiredness, the increasing sophistication of attacks and unexpected events all play into the effectiveness of attacks. Therefore – it is always sensible to plan for when it happens, not if it happens.
Incident response plans are the best mitigation for this, and they can be developed and improved over time. If the business has experienced past incidents, whether cyber-attacks or the human responses to them, these can be evaluated and reflected upon to put the best plan forward for any future activity.
This post-incident analysis and corrective action are vital to understanding where the team could have performed better, and which limitations were identified that can be mitigated next time. Such processes play a significant role in the Cyberfort Managed Detection and Response service, so you can continue to protect your most crucial assets in real time.
How to Protect Your Organisation
Human factors in cybersecurity contribute significantly to the overall security posture of your company. A company’s digital strategy should include a dedicated section for frequent security awareness training and research. Learn how to make your employees the strongest links, not the weakest.
It is crucial to understand the technical and non-technical solutions available to you in order to mitigate the threat of human error. Promoting a positive work environment and a conscious security culture is likely to encourage behaviour that is more naturally security aware, which in turn enhances the effectiveness of the training provided.
Technical solutions add further layers of defence to company systems, protecting you from sophisticated attacks. The Cyberfort Managed Security Awareness Training offers top-level protection, and you should enable multi-factor authentication by default on all work devices.
To find out more about the human factors in Cybersecurity and how to protect your organisation, contact Cyberfort, and a team of experts will be on hand to support you through your journey.