When it comes to cybersecurity, employees are often seen as the weakest link
When it comes to cybersecurity, employees are often seen as the weakest link. Not only is this mindset bad for employee engagement, but it also contributes to complacency and the idea of ‘us and them’ regarding the responsibility of protecting organisational assets. It’s the security professional’s task to engage and empower people to become the company’s strongest asset.
The perception that people are the weakest link comes from a traditionally technology-led security culture. Many organisations invest heavily in cybersecurity programmes, and technology is the most common starting point. Like technology, people also store, process and transfer information, yet we as security professionals often fail to invest in ‘patching’ the human part of the process. Like any other operating system, the ‘human firewall’ also needs continual updating. If people are the weakest link, it’s because we’ve failed to secure them.
But it seems things are changing in the right direction. Humans are the weakest link not because people are stupid or uninterested in security, but because they lack proper training and support. Yes, people have to take responsibility, but they also have to have the confidence that education and technology are available to help them. When employees are taught why security matters, both to themselves and their employer, and when they understand how they can better protect themselves, most will do what they can.
Remember the Bangladesh Bank heist in which $80 million was stolen? Media coverage made the bank’s poor technical security the centre of attention. The hero of the story was actually the analyst who discovered a typo in one of the hackers’ transactions, stopping an $80 million theft from becoming a $1 billion one. He was a cyber hero, a person who did what he could. But despite his ‘heroic’ act, the technical side of the story remained the focal point.
Most organisations are well-protected against technical malware and threats, but not against ‘human malware’ like curiosity, ignorance and information fatigue. By striking a balance between the technology infrastructure and a people-oriented security approach, security professionals will be better able to manage the risks facing their organisation. When done effectively, it’s possible to go from simply managing risk to creating your own powerful army of cyber heroes.
To change and secure human behaviour, you need to invest in it as you would in any other part of your security programme. Security teams, traditionally more tech-savvy, are now also recruiting complementary skills and capabilities, like communications, change management, learning theory and behaviour modelling. The result? Staff are more likely to take greater security measures, a positive move in an environment of increasing cyber risk.
To build a security-conscious workforce within your organisation, focus on key security practices that people can easily perform. Make them easy to understand and implement. While awareness and training are important, it’s also essential to find ways to foster good security practices and to create a culture of cybersecurity. This can be achieved by implementing good practices supported by consistent communication, combined with the right technology and processes. It’s about effectively changing security behaviour.
Technology will evolve, threats will come and go, but humans are the constant in the equation. Investing in the effective engagement of employees and creating a security culture is a worthwhile investment in any security programme.