
What is Cyber Awareness Training & Why is it Important?

Posted on March 10th, 2025 | Written by Ken Holmes.

I remember attending a university lecture in 1983 and being told that IT was going to get easier and that AI was going to replace humans. Any time now, they said.

Well, here we are forty years later and IT is as complicated as it’s ever been, and those pesky humans are still around. Granted, AI seems to have broken out of its ivory tower in the last couple of years, but we still have some way to go before those living, breathing people are no longer key to running businesses worldwide.

The Human Challenge

From a cybersecurity point of view, this reliance on humans gives us a challenge for a number of reasons:

  1. People are great, but they can be unpredictable. Employee performance depends on a vast array of changeable factors, such as coffee, hunger, energy levels, mood, sleep and motivation to name but a few, and when these combine, people make mistakes.

  2. We really need them to know relevant stuff. When humans are delivering vital aspects of your business processes, they need to be aware of a scary number of issues such as privacy law, technology, policy and procedure.

  3. Sometimes they are easy to fool, if you’re sneaky. People like to trust people. We’re not a naturally suspicious animal and so when someone tells us something, our default reaction is to take it at face value.

  4. They often have access to lots of valuable data. Because humans are key to getting things done, they need to have the necessary tools to create, delete and change things. And usually this power increases the higher up the organisation tree you look.

Given this combination of factors, it’s no surprise that people are often the target of those looking to harm the organisation in some way, whether their aim is to hold it to ransom, steal data or sabotage it.

Why Should an Organisation Care?

A number of things can happen when people either don’t do something they should have done, or do something they shouldn’t have done.

  • The law may be broken – regulations such as the GDPR and HIPAA have strict requirements regarding how personal data (including health data) must be handled, and someone who isn’t fully aware of these can drag the organisation into non-compliance, resulting in complaints and possibly fines.

  • Mistakes can happen – one of the most common causes of data breaches is a person simply getting it wrong. They don’t mean to slip up, but sending data to an incorrect email address or including hidden data in a spreadsheet happens all the time.

  • They let others in – clicking on a link in an email or resetting a password on a bogus website can open the door to malicious people who will do massive harm to the organisation and its reputation.

Policies are not enough

The rules regarding how things should be done are usually set out in a collection of policies, on subjects such as email, Internet usage, social media and mobile working. This is a good thing, because it shows that the organisation has thought about the topic and taken the time to define its approach. However, a policy has little or no effect if it isn’t communicated properly to the people who are supposed to follow it. This means new starters as well as existing employees, and don’t forget that any changes to the policy will need to be re-communicated too.

People are different, and they forget

It’s no exaggeration to say that everyone is different, and that (for the reasons we explained earlier) they vary a lot from day to day. The human brain is a marvel that is capable of remembering an astonishing variety of facts, but sometimes old facts get pushed out over time to make way for new ones. So expecting an employee with a busy life to retain the rules about using WiFi outside of the office forever is probably unreasonable. This means that key messages need to be repeated at regular intervals to ensure that they become as entrenched as possible in the face of everything else competing for attention.

Levels of existing knowledge will also vary widely, so it’s helpful to be able to tailor your messages according to the areas that are weakest, whether that’s data protection, cloud security or social media. This kind of tailoring is often referred to as “Human Risk Management”.

Security Awareness Training

To keep these lovely people, who do such a great job of running your organisation, focussed on information security issues is a tough job. You’ll need to approach the problem from a number of different angles and you’ll need to be persistent.

We recommend the following methods:

  • Assess each person first, to find out what they already know, and where the gaps in their knowledge are.

  • Provide regular awareness training activities, such as short videos, that focus on the areas of greatest need for each person.

  • Check understanding with a short test after each video, and keep track of the results.

  • Once you’ve created your topic-specific policies, communicate them over time to each person that they are relevant to, and get them to electronically sign to say they have read them.

  • Monitor the effectiveness of your efforts by simulating phishing emails to see who still clicks on the links or provides their passwords. Provide extra training resources to those that do.

Our Cyber Awareness Training Platform automates all of these functions so you don’t have to worry about it. Simply subscribe your employees, and the platform will deliver the training and provide real-time progress reports.

Don’t forget that awareness training is a requirement for many standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework, so it’s important to get on top of it.

Summary

Humans get a bad press sometimes as “the biggest risk in information security”, but let’s not forget that without them organisations would struggle and, until AI fulfils its promise fully, we should celebrate and appreciate them. That’s not to say that we shouldn’t also implement as many controls as we can (such as email filtering and awareness training) to make it less likely that their mistakes will result in a cost to the organisation.

But for now, it’s all about awareness.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
