Want to reduce your people-based cyber security risks? Think beyond awareness and training
By Horatiu Petrescu, Security Consultant at Aura Information Security
When it comes to business cyber security, people-based risks are top of mind. From inadvertently clicking on phishing links, to using weak passwords or not activating multi-factor authentication (MFA), people are a significant route by which cyber criminals gain access to systems.
The majority of business leaders surveyed in Kordia’s recent NZ Business Cyber Security 2023 report say mitigating the human element is a top security challenge.
The survey findings show these concerns are valid: phishing still accounts for the lion’s share of cyber incidents at 38%, and internal actors (employees accidentally or intentionally exposing the business) made up 23% of all incidents.
But these risks aren’t new, and most large businesses say they have some sort of cyber security training in place. So why do these issues persist? Is it possible for organisations to eliminate the cyber risk posed by their people?
I’ve studied research at the intersection of behavioural science, psychology and cyber security over the past five years. As a full-time cyber security professional, I’ve observed the human risk trends and gathered real-world customer experience.
What I’ve come to understand is the situation is far more complex and nuanced than most people realise, and a quick fix isn’t the answer.
Why security awareness has limitations
Many employee cyber security training programmes focus solely on creating “awareness” of good cyber security practices and threats. While there is nothing wrong with this approach, it does have limitations.
Whilst it’s valuable to teach people how to spot a phishing email and to use strong passwords and MFA on accounts, this won’t eliminate all risk.
No amount of training can completely change human nature. Facts don’t change our minds and knowledge doesn’t guarantee behaviour. As many a CISO can attest, you can share infinite amounts of knowledge, but if people don’t care enough about it, they simply won’t do it.
While there are various behavioural science strategies an organisation can implement, awareness programmes are no silver bullet for eliminating human error in cyber security.
The complex and ever-growing digital landscape also makes it difficult for people to understand and navigate technology securely, let alone configure it without making mistakes and causing incidents.
Cyber criminals are constantly improving their techniques, using increasingly sophisticated approaches to target individuals and organisations. Even age-old phishing emails have evolved into well-crafted smishing (SMS phishing) and spear phishing attacks that can be nearly impossible to distinguish from legitimate messages.
A new paradigm – human-centred design
Using behaviour change to influence how people interact with technology addresses only the symptoms, not the root cause, of human risk.
A more effective approach to cyber security is to recalibrate the focus, instead concentrating on refining how we design technology to work securely for human interaction.
Human-centred design starts from how people think, behave and interact with technology, and weaves that understanding into how software and applications are built.
Designing technology for humans produces technology that is both secure and user-friendly: usability is prioritised, so security features are intuitive and the secure option becomes the easy one.
Of course, redesigning technology takes time to implement. So, while it’s worth embarking on the journey, it won’t immediately solve cybersecurity risks.
What should businesses do now?
If I could give one piece of advice to businesses looking to reduce their human cyber risk, I’d recommend taking a holistic approach to security awareness.
Organisations need to make it simple for employees to follow security best practice while completing their daily tasks with minimal interruption.
This could mean removing obsolete rules and terminology from security policies, changing cumbersome processes, or helping employees install tools such as password managers and showing them how to configure them.
Culture is an important aspect that is often ignored, yet it is crucial in shaping an individual’s attitude towards security. An organisation’s culture sets the mood, defines how openly successes and mistakes are shared, and shapes the beliefs and attitudes that influence how people act. It’s essential to consider culture when designing security awareness messages, as people tend to respond better to messages that align with their values and beliefs.
For software development companies, applying human-centred design in the software development life cycle means taking a usable-by-design approach.
Through better collaboration between developers, user experience (UX) designers and security experts, usable security can be integrated into software design, creating applications that consider human needs and limitations.
I’d like to see organisations build usable security awareness within their software development practices and impart knowledge to those involved (software developers, UX designers, and stakeholders). This will help to ensure technology being developed is user-friendly and that security measures are tailored to the way users think and behave.
There’s no single solution when it comes to embedding good cybersecurity practices. Once we move away from historical thinking that an employee cyber training programme is sufficient, we can start tackling the issue more effectively.