By Steve Durbin, Managing Director, Information Security Forum, and Forbes Business Council Member
Ransomware, phishing, social media scams, data leakage, insider threats, cloud security challenges and the majority of all data breaches have something in common: All of these rely on people serving as conduits.
Cyber scammers frequently exploit human psychology in their attack strategies, thriving on basic human traits like curiosity, fear, desire, rage and anxiety. Instead of addressing this core vulnerability, organizations tend to gravitate toward technological controls to secure their networks and systems. This tech-centered mindset tends to deprioritize people on the threat scale. In fact, according to a recent Kaspersky study, only 52% of businesses believe they are at risk from a cyber attack due to the human factor.
Pandemic, Vulnerabilities And Human Psychology: The Perfect Storm For Disaster
Covid-19 has forced businesses to adopt technology overnight and to send significant numbers of employees to work from home. These changes have expanded the attack surface, exposing businesses to new threats from unsecured devices, unauthorized software and cloud applications. Social distancing may also provoke feelings of isolation and exclusion. This comes on top of the fact that, according to Tripwire research (via IT Security Guru), security teams were already feeling overworked before the pandemic.
Other psychological factors are at play. Inherent to the crisis is a desire to help or to associate with a greater cause. Whether it’s a charity or an online affiliation, people may act impulsively without considering the implications of clicking. In the race to accelerate technological change, heuristics and cognitive biases come into play. These trick the subconscious mind into taking shortcuts during decision-making and into overlooking critical aspects of cybersecurity, which can lead to outcomes such as a ransomware infection.
A Human-Centered Security Approach
The philosophy behind human-centered security is that businesses must accept that humans are the weakest link in any set of safeguards and acknowledge that attackers devise inventive ploys to fool victims. Only by accepting this reality can businesses design an effective cybersecurity plan to overcome those weaknesses. By placing employees at the center and realigning existing security approaches around them, businesses can create a strong cybersecurity culture with higher cyber resilience.
Here are eight steps to help you get started:
1. Assess your cybersecurity posture.
Take stock of how information is handled throughout the organization. Understand how various departments differ in how they value security. Is there a common culture throughout or do people behave differently? How do third-party vendors and channel partners fit into that culture? This initial review will help identify vulnerable spots and guide you in designing a plan to address them.
2. Test employee awareness.
Self-awareness is at the core of building a culture of cybersecurity. Evaluate whether employees display any cognitive biases. Is any department or group more prone to biases than others? A recent poll of 2,000 remote workers in the U.K. indicated that 77% of employees show optimism bias (or overconfidence) and expressed no worries about security while working at home.
3. Identify threats and probe them.
Create a prioritized list of threats and test scenarios based on those key risks. Use a third-party expert to simulate real-world attacks and evaluate if your employees fall victim. Understand how stressful environments and different levels of sophistication can impact their responses. Simulations (e.g., phishing your own employees) can help design a more targeted security awareness training program.
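The value of a phishing simulation is in what you measure afterwards. The script below is an added example, not code from the article or from the Information Security Forum: it takes a constructed per-employee export from a simulation (the field names dept, clicked, submitted and reported are assumptions about what a platform would produce) and computes, per department, the click rate, the rate at which people went on to enter credentials, and the rate at which people reported the message. It then lists the departments whose results justify targeted training, which is the input step 3 feeds into.

```python
"""Summarize a simulated phishing campaign by department.

Added, illustrative code; not a tool from the article or its author. The
records below are constructed, and the field names are an assumption about
what a phishing-simulation platform would export.
"""
from collections import defaultdict

# Constructed export: one record per targeted employee.
# clicked   = followed the link in the lure
# submitted = entered credentials on the landing page
# reported  = used the report-phish button (whether or not they clicked)
SAMPLE_RESULTS = [
    {"dept": "finance",     "clicked": True,  "submitted": True,  "reported": False},
    {"dept": "finance",     "clicked": True,  "submitted": False, "reported": False},
    {"dept": "finance",     "clicked": False, "submitted": False, "reported": True},
    {"dept": "finance",     "clicked": False, "submitted": False, "reported": False},
    {"dept": "engineering", "clicked": False, "submitted": False, "reported": True},
    {"dept": "engineering", "clicked": False, "submitted": False, "reported": True},
    {"dept": "engineering", "clicked": True,  "submitted": False, "reported": True},
    {"dept": "engineering", "clicked": False, "submitted": False, "reported": False},
    {"dept": "sales",       "clicked": True,  "submitted": True,  "reported": False},
    {"dept": "sales",       "clicked": True,  "submitted": True,  "reported": False},
    {"dept": "sales",       "clicked": True,  "submitted": False, "reported": False},
    {"dept": "sales",       "clicked": False, "submitted": False, "reported": False},
]


def summarize(results):
    """Return {dept: {sent, clicked, submitted, reported, click_rate, submit_rate, report_rate}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in results:
        c = counts[r["dept"]]
        c["sent"] += 1
        c["clicked"] += int(r["clicked"])
        c["submitted"] += int(r["submitted"])
        c["reported"] += int(r["reported"])
    summary = {}
    for dept, c in counts.items():
        summary[dept] = {
            **c,
            "click_rate": c["clicked"] / c["sent"],
            "submit_rate": c["submitted"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
    return summary


def prioritize(summary, click_threshold=0.5, report_threshold=0.25):
    """Departments that need targeted training: a high click rate or a low report rate.

    The thresholds are assumptions for this example; pick your own from the
    baseline campaign.
    """
    return sorted(
        dept for dept, s in summary.items()
        if s["click_rate"] >= click_threshold or s["report_rate"] < report_threshold
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    for dept, s in sorted(summary.items()):
        print(f"{dept:12s} sent={s['sent']} click={s['click_rate']:.0%} "
              f"submit={s['submit_rate']:.0%} report={s['report_rate']:.0%}")
    print("prioritize training for:", prioritize(summary))
```

The report rate is tracked separately from the click rate on purpose: a department that clicks but then reports is in a better position than one that neither clicks nor reports, because the report is what gives the security team a chance to respond. Keep the exercise no-blame; the point is to direct training, not to single people out.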
4. Promote critical thinking.
Start by breaking down risks instead of explaining how to cope with specific situations. If you can foster natural suspicion combined with superior analytical skills and a strong sense of personal awareness, you can equip employees with critical thinking. Critical thinking empowers employees to deal with crises and disruption and also promotes good cyber hygiene practices.
5. Review employee interactions.
Review the daily stresses that employees face, identify vulnerable spots where they are prone to manipulation and take measures to address those weak points. Contextual nudges and informative reminders can go a long way in steering employees toward desired behavior. The aim of this exercise is to make life easier for employees and eliminate any obvious systemic triggers for various cognitive biases.
6. Learn from past mistakes.
Analyzing cyberattacks that may have occurred in the past is one of the first places to start. Look for vulnerabilities and the failings of your organization. Avoid obsessing over a specific vulnerability, as this may give rise to confirmation bias. Instead, look at the whole picture and share these learnings in your training programs.
7. Re-engineer processes and conduct training.
Once you’ve got a fair idea about interactions, pressure points, triggers and past failures, restructure your processes to align with desired behavior. Ensure you communicate the importance of this change so that you have buy-in from workers. Employees must train regularly, as evidence has shown that training can reduce cognitive biases and improve decision-making.
8. Automate to reduce human error.
Excessive reliance on technology can be dangerous. There will, however, be areas of the business that can be automated to reduce the risk of human error. Spam filters, encryption, authentication and access rules, and password management are some of the effective ways to reduce the opportunity for human error. Artificial intelligence-based security tools can help monitor networks for anomalies or abnormal behavior and flag potential weaknesses for further investigation by security professionals.
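To make the last point concrete, here is an added example (not code from the article or from the Information Security Forum) of the kind of automated check that takes a decision away from a tired or hurried human: it builds a baseline of each user's known source addresses from an earlier period of authentication events, then flags later successes that come from an address the user has never used, or that follow a burst of failed attempts, which is what the use of a phished or guessed password often looks like. The log format and the two sample logs are constructed for this example.

```python
"""Flag anomalous logins in a constructed authentication log.

Added example, not code from the article. It is a plain rule-based baseline,
not machine learning; the log line format below is an assumption made for
this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed baseline period: what "normal" looks like for each user.
BASELINE_LOG = """\
2021-03-01T08:55:10Z user=alice src=10.0.0.5 result=success
2021-03-02T09:02:41Z user=alice src=10.0.0.5 result=success
2021-03-01T09:30:00Z user=bob src=10.0.0.9 result=success
2021-03-02T09:28:12Z user=bob src=10.0.0.9 result=success
2021-03-03T09:31:55Z user=bob src=10.0.0.9 result=success
"""

# Constructed evaluation period with two events worth a second look.
NEW_LOG = """\
2021-03-04T08:57:03Z user=alice src=10.0.0.5 result=success
2021-03-04T23:14:02Z user=alice src=203.0.113.7 result=success
2021-03-04T10:00:01Z user=bob src=10.0.0.9 result=failure
2021-03-04T10:00:03Z user=bob src=10.0.0.9 result=failure
2021-03-04T10:00:05Z user=bob src=10.0.0.9 result=failure
2021-03-04T10:00:06Z user=bob src=10.0.0.9 result=failure
2021-03-04T10:00:09Z user=bob src=10.0.0.9 result=success
"""


def parse(log):
    """Yield (timestamp, user, src, result); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["src"], m["result"]


def build_baseline(log):
    """Map each user to the set of source addresses they have logged in from successfully."""
    known = defaultdict(set)
    for _, user, src, result in parse(log):
        if result == "success":
            known[user].add(src)
    return known


def flag_anomalies(log, baseline, fail_threshold=3, window=timedelta(seconds=30)):
    """Return [(user, timestamp, reason)] for successes that break the baseline.

    Two rules: a success from a source the user has never used, and a success
    preceded by at least fail_threshold failures inside the window.
    """
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failed attempts
    for ts, user, src, result in sorted(parse(log)):
        q = recent_failures[user]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            continue
        if src not in baseline.get(user, set()):
            findings.append((user, ts, f"success from unseen source {src}"))
        if len(q) >= fail_threshold:
            findings.append((user, ts, f"success after {len(q)} failures in {window.seconds}s"))
        q.clear()
    return findings


if __name__ == "__main__":
    for user, ts, reason in flag_anomalies(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Two caveats a practitioner would add. First, the output is a queue for a human, as the passage says: an unseen address is not proof of compromise, and for a workforce that has just moved to home broadband it will be a noisy signal until the baseline is rebuilt from the new normal. Second, the rules are the cheap part; the value comes from pairing them with a control that does not depend on the user noticing anything, such as multi-factor authentication, so that a phished password alone is not enough.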
In a post-Covid-19 world, the key to reducing risk and securing an environment where controls are highly limited is in the way you manage people and the culture that stems from that. Businesses that keep people squarely at the center of their cybersecurity design will be rewarded with cyber resilience.