The Human Element of Cybersecurity
Mitigation of cybersecurity risks in our connected world, be it in a personal or business context, is often treated as a technical problem that requires a technology-driven solution. It is easy to overlook the fact that it is actually people and our behaviours that govern the majority of the risk factors. CyXcel's Technical Director Sachin Bhatt examines the key human element of cybersecurity.
Where do Cybersecurity Risks Start?
For far too long there has been complacency about the importance of people in an organization to stave off cyber risk.
Mainly, this is due to a lack of awareness about risks and their consequences. The notion that IT and security teams, as well as senior leadership to a degree, are the only personnel responsible for managing and countering cyber perils is incorrect and fosters a poor security culture.
While overall governance of security policies and controls rests with specific roles in specialist functions, responsibility lies with all the people in an organization.
Verizon's 2023 Data Breach Investigations Report found that 74% of breaches involved the human element, whether error, privilege misuse, stolen credentials or social engineering. In many of those incidents an individual clicked a link in a phishing email, was talked into handing over credentials by a social engineering campaign, or misconfigured a system.
Indeed, some of the most damaging data breaches of recent years trace back to human action, or in some cases human inaction.
Consequences of Human Error
How significant is the impact of such human error?
In November 2017 one of LinkedIn's TLS certificates for its country subdomains expired, which left the US subdomain presenting an invalid certificate. This affected millions of US-based users and is arguably attributable to human error: nobody had prepared for the expiry and renewal of the certificate in time, either by a manual check or by automating the process.
An expired certificate does not itself hand an attacker access, but it does remove a check that users rely on. Visitors see exactly the browser warning that a man-in-the-middle impersonation would produce, and if they are told to click through it to reach a legitimate site, they learn to click through the same warning when the site is not legitimate. Expired certificates on security devices have a similar effect: inspection silently stops while everyone assumes it is still running.
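The remedy the LinkedIn case points to is routine, automated monitoring of certificate lifetimes, so that renewal happens well before NotAfter rather than after the first complaint. The following Go program is an added example, not code from the original article or from CyXcel: it classifies a certificate as expired, expiring within a warning window, or fine, and offers a live check that takes the leaf certificate from a TLS handshake. The hostname `example.test`, the 30-day warning window and the self-signed certificates it generates are all constructed test data chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ExpiryStatus is the verdict an expiry monitor reports for one certificate.
type ExpiryStatus string

const (
	StatusExpired  ExpiryStatus = "EXPIRED"       // NotAfter is in the past
	StatusExpiring ExpiryStatus = "EXPIRING_SOON" // inside the warning window
	StatusOK       ExpiryStatus = "OK"
)

// DaysLeft returns whole days from now until notAfter; negative once expired.
func DaysLeft(notAfter, now time.Time) int {
	return int(notAfter.Sub(now).Hours() / 24)
}

// Classify applies the renewal policy: anything with fewer than warnDays
// remaining is an alert, and anything at or past NotAfter is an incident.
func Classify(notAfter, now time.Time, warnDays int) ExpiryStatus {
	switch {
	case !now.Before(notAfter):
		return StatusExpired
	case DaysLeft(notAfter, now) < warnDays:
		return StatusExpiring
	default:
		return StatusOK
	}
}

// CheckHost is the live check a scheduled monitor would run: it completes a
// TLS handshake, takes the leaf certificate the server presented and
// classifies it. Certificate verification is left on deliberately, so an
// already-expired or otherwise invalid chain surfaces as a handshake error,
// which is itself the alert, rather than being quietly "checked".
func CheckHost(addr string, warnDays int) (ExpiryStatus, int, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	now := time.Now()
	return Classify(leaf.NotAfter, now, warnDays), DaysLeft(leaf.NotAfter, now), nil
}

// selfSignedCert builds a throwaway self-signed certificate (constructed test
// data, not a real production certificate) so the policy can be exercised
// offline with chosen NotBefore/NotAfter values.
func selfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		DNSNames:     []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const warnDays = 30 // assumed renewal policy: alert a month ahead
	now := time.Now()
	// Three constructed certificates: expired yesterday, 10 days left, 200 days left.
	for _, days := range []int{-1, 10, 200} {
		cert, err := selfSignedCert(now.AddDate(0, 0, -400), now.AddDate(0, 0, days))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s  notAfter=%s  daysLeft=%d  status=%s\n",
			cert.Subject.CommonName, cert.NotAfter.Format(time.RFC3339),
			DaysLeft(cert.NotAfter, now), Classify(cert.NotAfter, now, warnDays))
	}
	// Live variant (needs network): status, days, err := CheckHost("example.test:443", warnDays)
}
```

In practice the list of hosts fed to CheckHost should come from an inventory that includes internal endpoints and appliances, since those are the certificates nobody notices until something stops working.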
In 2020 a database misconfigured by an employee who did not follow the proper procedure left 900,000 Virgin Media customer records exposed. The data included sensitive personally identifiable information, and although the exposed systems were shut down to contain the breach, the damage was already done: the records had been accessible for around 10 months, leaving the company open to a potential class action lawsuit.
Another notable example is the Equifax incident. The US Department of Homeland Security had informed Equifax of a vulnerability affecting its systems and urged immediate remediation. Although an email about the vulnerability was reportedly circulated internally, no patch was applied. Making matters worse, the tooling Equifax used to scan for vulnerabilities and to inspect network traffic was itself misconfigured by a technician and contained an expired certificate, so the vulnerable system went undetected and the attackers' traffic went uninspected.
Because of these failures, attackers gained access to Equifax's systems and kept that access for more than two months. The result was the breach of some 145 million individuals' data in the US and around 15 million individuals' data in the UK.
Awareness of risk, a security-focused culture and timely remediation could have prevented such breaches.
Human behaviours
Faced with time pressure and competing priorities, employees often have a limited ability to spot potentially suspicious activity. This becomes a major source of vulnerability for an organization when combined with a lack of security awareness, inadequate training and a company culture that is not tuned to its security needs.
All users have a shared responsibility for an organization’s resilience to cyber incidents and most do not realize that they themselves are one of the most important elements and the first line of defence in ensuring that resilience.
Cybersecurity training helps to increase awareness of risks and inform staff about key security policies, but it is no panacea. The most effective way an organization can mitigate the risk of cyber incidents is through a cultural shift in the way this risk is perceived.
This is not a quick solution; it takes time to achieve. It needs to be done both from the top down and the bottom up. Any organization that adopts a multi-pronged approach that combines regular user training and re-learning with testing and drills can embed risk awareness across its workforce. The latter steps can take the form of table-top exercises and simulations that test people, process and technology solutions in a similar way to a health and safety drill.
Relying on a single method often results in inertia and fatigue, and fails to embed good cyber hygiene. This takes time and consistency, but the rewards of robust cybersecurity far outweigh the cost of such investment.
We Can Help
Are you planning to evaluate the effectiveness of your cybersecurity, or looking to test your organization's readiness through a table-top exercise? Perhaps you want to start with a Board or C-suite awareness briefing? CyXcel is here to assist, whether you need proactive solutions or reactive support.
For more information, or to speak with one of our team about how we can help your business, contact us today.