Not Obvious, but the Human Element of Cybersecurity Is Improving

Posted on by Robert Ackerman

Cybersecurity pundits have long been saying that the human element in cybersecurity – fundamentally, the online errors that rank-and-file employees make and that sometimes produce a cyber breach – is by far the biggest cause of breaches.

This remains the case. But organizational cyber training and education have improved in recent years, as has communication between CISOs and rank-and-file employees and the cybersecurity guidance provided by boards of directors. In addition, simulation testing for phishing – a huge source of breaches -- is far more commonplace than it once was.

No question, the human element has been improving, say CISOs and other senior cyber pros. Still, the number of breaches said to be caused by the human element remain sky-high. Verizon's annual Data Breach Report, for instance, says that 82 percent of breaches involve the human element, spanning the use of stolen credentials, phishing, misuse and errors. For now, the upshot, overall, is that things are considered better if they’re not getting worse.

“The human element has evolved from being a department-level responsibility to a responsibility for every employee,” says James Lee, Chief Operating Officer of The Identity Theft Resource Center (ITRC), a non-profit organization that provides identity crime assistance and education and that regularly tracks the number of publicly reported breaches in the US. “Everybody today has a role to play in cybersecurity, and that is a good thing.”    

Recent breach numbers have declined mildly and the answer may be that it’s because regular employees are taking cybersecurity more seriously. Last year, according to the ITRC, there were 1,802 cyber breaches reported in the US, a decline of 3 percent from 2021. The drop-off was more pronounced in the first quarter of 2023. There were 445 reported breaches, a decline of 13 percent from the previous quarter.

A key reason why the numbers aren’t better still is that human fallibility isn’t the only reason behind breaches. Another significant issue is that the insertion of software patches to fix cyber vulnerabilities – an issue not linked to human error – tend to be processed very slowly, typically taking months.

Patch management is time-consuming. First, companies must search for the vulnerability. Then they have to develop customized software to remedy the issue, typically a mix of open source and proprietary software. Thereafter, extensive testing is required to make sure the problem is properly fixed and also that the patch doesn’t generate inappropriate changes in other places in the software pack.

“Things have started getting better regarding the human element (side of the cybersecurity quandary),” says Chris Pierson, the founder and CEO of BlackCloak, a pioneer in protecting executives from hacks and breaches digitally. “But this is not true in cybersecurity outside of the human element.”

Nonetheless, it’s good news that efforts to improve the human element now reside on multiple fronts. The federal government, for instance, is an active player in the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Awareness Program, a national public awareness effort aimed at increasing the understanding of cyber threats and empowering the American public to be more secure online – an effort that also includes state governments, industry and non-profit organizations. “Each has a part to play,” CISA says on its website.

In the private sector, Proofpoint, a Silicon Valley enterprise security company, has in recent years created two versions of its highly detailed People-Centric Security Framework (PCSF), sent to thousands of clients. Users of PCSF are strongly recommended to embrace adaptive controls to enhance client security. For example, most sizable companies typically have taken steps for some email protection, but additional controls can be inserted for employees deemed most at risk. Similar steps are taken regarding data protection, focused on heightened security for high-risk employees considered more vulnerable to insider threats.

Detailed PCSF advice even addresses cybersecurity training. Virtually all employees get training. Predictably, however, some score low on their training performance and/or appear to persist with unacceptable cyber behavior. These folks are advised to be singled out for additional training and subsequent performance review.

“This helps provide the right training at the right place at the right time,” says Deborah Watson, the resident CISO at Proofpoint.

Elsewhere, special steps are also being taken to improve security for CEOs, other C-suite executives, and some members of the board of directors, deemed overall to be up to 12 times more likely to be a target of a cyberattack. This is because their names and backgrounds are often found on websites, they have greater access to privileged information and they travel frequently, sometimes using public Wi-Fi.

Protecting them digitally, 24 hours a day, is the mission of BlackCloak. Pierson notes that 39 percent of executives who sign on to the service have been compromised in the past. He declines to say how much they’re attacked as Black Cloak customers, other than that attacks are “resolved immediately” and successfully. Clients, including members of their family, are protected at home, as well as at work, to enhance security. “We don’t want a breach there to cause a breach back at the company.” Pierson says.

Despite the improvement in the human element of cybersecurity, it’s critical to note that cybersecurity is a cat and mouse game that may never end. Hackers – just like executives and other employees -- also continually improve and evolve. “The bad guys persistently stay on the attack,” says Proofpoint’s Watson. “Companies, meanwhile, have other things to do besides security training.”

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Human Element

security awareness Security Awareness / Training data loss prevention

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs