Not right to keep blaming employees

by Mark Rowe

Is it fair to keep blaming employees for cyber attacks? asks Amanda Widdowson, Head of Human Factors Capability at Thales UK.

When it comes to cybersecurity, humans are often thought of as the biggest risk. Indeed, our own research found that over the past year the leading cause of cloud data breaches was human error, at 55 per cent. With cyberattacks increasing in both volume and severity, and becoming ever more sophisticated, it isn’t right to keep putting the blame on employees. Instead, how can organisations focus on developing policies and technologies that get to the root causes of human behaviour, and are designed around the end user?

Understanding human vulnerabilities

Humans will continue to exhibit behaviours that put security at risk: taking shortcuts around lengthy processes, being too trusting, making honest mistakes. Employees are often short of time and attention, which leaves little capacity for critical thinking day to day, let alone when a cyberattack is under way. Blindly accepting website cookies, sharing passwords, wearing clothing or lanyards in public that identify their employer, or giving up personal information in exchange for discounts: it is easy to see how ordinary behaviour can contribute to an attack.

Whilst not a direct cause of cyberattacks, personality also shapes individual vulnerabilities. Agreeable colleagues, for example, are great to work with, but may in some respects be more easily manipulated by cyber criminals. On the flip side, they may also be more likely to comply with cybersecurity policies. Each personality type has its own strengths and weaknesses, and behaviour is highly situation dependent, so personality should be treated as a guide only.

Even the most vigilant employees can fall victim, and most will be targeted by a phishing attack at some point. High-performing teams also owe their success to being made up of a range of personality types, so the answer is not to stamp out differences and employ only highly detailed, conscientious people. Instead, organisations should focus on technological and organisational fixes: giving employees the headspace to think critically, automating where possible so that the onus is taken off humans and errors are prevented, using biometrics to control access, and personalising training so that it focuses on what matters most to each employee.

Playing to individual strengths is also key: humans are far more flexible than technology and can apply their own understanding to a situation.

Understanding system weaknesses

Security is made up of people, processes and technology. None of the three is intrinsically weaker than the others, but a resilient approach needs investment in each of them. Employers are beginning to understand the role that humans play here: not just their strengths and weaknesses, but the risk that poorly designed systems and organisational practices create even for the most alert employees. To succeed, organisations need to design in human factors right at the start of creating policies, processes and projects. Here are some key considerations for getting started:

• Avoid dangerous password habits: If sharing passwords is the norm, it can be hard for less assertive employees to go against the grain. Change must come from the top, and everyone needs to be held accountable for protecting their own login details.

• Adopt biometrics and MFA: Multi-factor authentication (MFA) strengthens password-based logins, and biometrics (face or fingerprint scans) can replace passwords altogether; this applies not only to work devices but to applications, websites and files.

• Enable critical thinking: Mistakes happen when employees are in a rush and don't have time to evaluate a potential threat, no matter how vigilant they are or how much awareness training they've had. Technology and work design (an employee's tasks, activities and responsibilities, and how they are organised) can address this.

• Involve the whole organisation: Cybersecurity is not just an issue for the security team. All employees need a foundational understanding of the threats, how to spot them, and what to do in the event of an incident.

• Move away from a blame culture: When a breach results from human error, such as an employee clicking a link in a malicious email, the worst thing an organisation can do is blame the individual. Organisations should instead encourage and praise employees who report incidents quickly; the sooner an incident is reported, the less damage it can do.

• Investigate incidents: Following a cyberattack, whether successful or not, sharing the lessons learnt helps everyone understand the role that human vulnerabilities play. Sharing examples is particularly important for non-security teams, as it brings cybersecurity to the forefront of everyone's minds.

The final word

Despite the majority of cybersecurity breaches being attributed to human error, we can’t keep blaming employees. Instead, an organisation’s cybersecurity strategy must account for the risks posed by human and system vulnerabilities, including work design which prevents employees from thinking critically about potential threats, and the use of passwords, which are intrinsically weak, to protect sensitive data.

When designing processes and technology around people, there is a trade-off between usability and security. Humans are wired to find the easiest way to do their job, and if security procedures are too cumbersome or strict, they will find a workaround. Good practice takes human factors into account: consulting the end user, mapping the user journey, and minimising the opportunity for error.

© 2024 Professional Security Magazine. All rights reserved.