The Human Factor in Cybersecurity Must Work Harder to Improve


Posted by Robert Ackerman

Given that cybersecurity has significantly improved on multiple fronts in recent years, it would seem that cyberattacks and breaches should have been at least somewhat mitigated by now. Unfortunately, this isn’t the case. According to the Identity Theft Resource Center, there were 3,158 US data compromises in 2024, only 1% fewer than the 3,202 breaches in 2023, the largest annual total ever recorded.

Let’s consider what is going on. Cyber training and education at organizations have improved in recent years, as has communication between CISOs and rank-and-file employees, and boards of directors now provide stronger cybersecurity guidance. Simulation testing for phishing, a huge source of breaches, is far more commonplace than it once was.

Artificial intelligence has also made inroads, among them cyberthreat protection, a slew of proactive security measures and heightened threat detection. This includes anomaly detection, behavior analytics, and predictive analytics, which can help anticipate future attacks and vulnerabilities by analyzing historical attack data and current trends.

These actions are commendable but sorely undermined by the human factor. Employees, constantly targeted by hackers, are expected to be on the ball regarding cyberthreats, mostly to prevent attacks and breaches in the first place. In aggregate, whatever they’re doing is insufficient. Despite somewhat better training, cyber pundits say 75% to 95% of breaches are due to human error, the same figure cited years ago.

Among these sources is Mimecast, which says humans account for 95% of the cyber problem. Others put the human share of breaches at 75% or more; these include IBM, cybersecurity firm Proofpoint, the World Economic Forum and cyber experts at Stanford University.

What needs to be done boils down essentially to two key requirements. The first concerns the fact that far too many organizations rely mostly on company-wide cyber videos, followed by simple quizzes. The allure is that videos can easily be distributed to a large number of employees across different locations, creating a scalable, relatively inexpensive training method.

Watching videos is often a passive activity, however, one in which employees may not actively engage with the material. There is also a lack of real-world application: videos and simple quizzes rarely exercise the critical thinking needed to identify and respond to real-world cyberthreats. Some organizations do provide updated and interactive cyber training as often as monthly or quarterly, but they are in a distinct minority.

The other requirement is what has recently come to be called human risk management, which seeks to understand the human risks within a company and then tailor security training to reduce those risks. Most security training still treats every employee the same. This is a problem because some users are highly adept at recognizing threats quickly and others are not, and some are particularly weak at it.

Accordingly, a human-centric security approach should begin with a detailed understanding of the organization’s risk distribution. The initial step is pinning down employees most at risk. As it turns out, studies by Mimecast have found that only 8% of employees cause 80% of incidents, and many of these are repeat offenders. Select individuals are also targeted more frequently due to their prominence. Mimecast, for instance, says that managers receive on average 2.5 times more phishing emails than non-managers.
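The risk-distribution analysis described above can be run over an organization’s own incident and phishing-simulation records. The following is an added example, not code from the post or from Mimecast; it uses a constructed record set (hypothetical users and events) chosen so that the resulting manager exposure ratio mirrors the 2.5x figure cited above, and shows how to find the smallest group of users producing 80% of incidents, the repeat offenders, and a tiered training plan.

```python
from collections import Counter, defaultdict

# Constructed sample records (hypothetical, not data from the post).
# Each record is (user, is_manager, event). "phish_received" is exposure;
# the other two events are incidents the user actually caused.
RECORDS = (
    [("alice", True, "phish_received")] * 5 + [("alice", True, "phish_click")]
    + [("bob", False, "phish_received")] * 2 + [("bob", False, "phish_click")] * 2
    + [("bob", False, "policy_violation")]
    + [("carol", False, "phish_received")] * 2
    + [("dave", False, "phish_received")] * 2
    + [("erin", False, "phish_received")] * 2 + [("erin", False, "phish_click")]
    + [("frank", False, "phish_received")] * 2
)
INCIDENT_EVENTS = {"phish_click", "policy_violation"}


def incidents_per_user(records):
    """Count user-caused incidents (exposure alone does not count)."""
    return Counter(user for user, _, ev in records if ev in INCIDENT_EVENTS)


def risk_concentration(records, share=0.8):
    """Smallest group of users (highest counts first, names break ties)
    responsible for at least `share` of all incidents.
    Returns (users, fraction_of_workforce)."""
    counts = incidents_per_user(records)
    total = sum(counts.values())
    workforce = {user for user, _, _ in records}
    picked, covered = [], 0
    for user, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= share * total:
            break
        picked.append(user)
        covered += n
    return picked, len(picked) / len(workforce)


def repeat_offenders(records, min_incidents=2):
    """Users with `min_incidents` or more incidents, the candidates for targeted training."""
    return sorted(u for u, n in incidents_per_user(records).items() if n >= min_incidents)


def manager_exposure_ratio(records):
    """Average phishing emails received per manager divided by the non-manager average."""
    received, role = defaultdict(int), {}
    for user, is_mgr, ev in records:
        role[user] = is_mgr
        received[user] += ev == "phish_received"
    mgrs = [received[u] for u, m in role.items() if m]
    others = [received[u] for u, m in role.items() if not m]
    return (sum(mgrs) / len(mgrs)) / (sum(others) / len(others))


def training_plan(records):
    """Tier each user: targeted (repeat offender), refresher (one incident), baseline."""
    counts = incidents_per_user(records)
    tier = lambda n: "targeted" if n >= 2 else "refresher" if n == 1 else "baseline"
    return {user: tier(counts[user]) for user, _, _ in records}
```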

Less important but still meaningful are other cybersecurity issues. One would be finding a way to speed up software patching, which often takes months, unnecessarily opening the door to an attack. Another issue on this front: while big companies mostly take charge of applying patches, this isn’t the case under common BYOD policies. Companies typically expect employees in this camp to keep their personal devices updated with the latest security patches. Not surprisingly, BYOD employees are often slow to apply the fix or sometimes sidestep the process indefinitely.

In addition, some employees question why AI isn’t accomplishing more than they think it should regarding cyberthreats. Theoretically, for example, supervised machine-learning algorithms can classify malicious email attacks with 98% accuracy. What is often unmentioned is that erroneous data is common. Much of the so-called training data requires human labeling, which is prone to mistakes, and it doesn’t take many blunders before AI’s accuracy declines sharply.

So, succinctly, how can organizations build a better culture of cyber resilience, particularly given the issues of the human factor? Here are some tips:

+ Better Security Awareness Training. Continuous education is paramount in equipping employees with the knowledge to identify and counter cyberthreats. Regular training sessions are needed to cover topics such as recognizing phishing attempts, securing sensitive data, and understanding individual roles in maintaining cybersecurity. Interactive methods, such as phishing simulations, can also help employees become better at guarding against fraudulent approaches.

+ Empower Employees to Report Risks. Establishing a non-punitive environment in which employees feel comfortable reporting suspicious activities is crucial. This means they can report issues without fear of repercussions, thereby fostering a proactive security culture.

+ Leadership Involvement. This is fundamental to embedding cybersecurity into the organization’s ethos. Leaders must exemplify a security-first mindset by prioritizing cybersecurity in decision-making processes and modeling best practices.

+ Cross-Functional Collaboration. Cybersecurity should be a collective endeavor that transcends department boundaries. This ensures that security considerations are integrated across the organization.

The upshot of these tips and others is that focusing on behavior change, not just knowledge retention, is imperative. This creates a culture of shared responsibility. Also critical, of course, are continuous improvement and adaptation, including regularly assessing whether security policies need updating.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
