The Harvard Business Review article (1) that cut swiftly to the chase with its headline ‘Your employees are your best defense against cyberattacks’, couldn’t have said it better. After all, it has long been established that employees in an organization can make or break a cybersecurity program, through their engagement with it. But it is the central point in the summary of the eye-opening piece, that bears scrutiny – most cyberattacks target people, and not systems.
The stats tell the story
Though the goal of every scammer is to breach an organization’s cybersecurity defense program, and thereby gain access to sensitive data, relatively more scams are affected by the bad actors preying first on human weaknesses to gain access, rather than using a direct approach that exploits system vulnerabilities.
Business email compromise, for example, was the most common vector for malware, with around 35% of malware delivered via email in 2023, and ninety-four percent of organizations reporting email security incidents (2).
But it is the alarming incident rate of human error, which many reports put at almost 95% of all cybersecurity attacks, that stands out.
Why people are targeted
Positioned at the periphery of the organization, employees are connected to the digital world via IoT devices, that generally access innumerable cloud-based applications. Their forward-facing role which involves them interacting over organizational networks, makes them the custodians and guardians of the organization’s data.
Being a custodian in the cybersecurity world however is not a mantle that is easily worn. A rapidly changing cybersecurity landscape, threats by the minute, and versatile bad actors are just one part of the challenge. The harder part lies in managing their human traits which can cause their defenses to crumble – emotions and characteristics like greed, readiness to trust, fear, curiosity, impulsive action, and more (3).
It is these weaknesses in human nature that scammers ruthlessly exploit to inflict their malicious intentions.
Other factors affecting employee interface
Emotions are not the only pain points where employees are concerned. Their actions are also affected by organizational issues, such as:
- State of training and awareness amongst employees to identify and negotiate cyber threats
- Absence of cybersecurity ownership due to lack of a spirit of teamwork in the organization
- Effectiveness of a good employee cyber threat reporting culture (4)
- Vigilance measures to thwart insider threats (8)
- Employee burnout, fatigue, and stress due to workplace pressures (5)
- Poor cyber hygiene including weak password management practices (6)
- Absence of a clean desk policy (7) that fosters a culture of safe handling of organizational data in real-time
Assessing employee cybersecurity engagement
Compliance, Human Resources, and Communications can play a role in helping the cybersecurity department determine, assess, embed, and increase the cybersecurity quotient of employees. Faced with the challenge of changing the mindset of employees who still believe that cybersecurity is not their concern and an overload of developmental programs addressing other spheres, organizations will be called to craft engaging workshops and interfaces to achieve results. Those notwithstanding, the following may also serve as a good guideline to achieve this.
- Observation as to the level of participation in training would be a good indicator of an employee’s buy-in
- Monitoring levels of enthusiasm when completing mandatory e-compliance programs would indicate interest levels
- Evaluation of participation in the organization’s reporting schemes would serve to assess employee engagement
- Employees’ contributions to the audit process initiated after a cyber incident would be indicative of the employee identifying with the process
Closing thoughts
While some cyber experts tend to look at employees as the weakest link in the cybersecurity chain, the more optimistic ones prefer to look at the other side of the coin, maintaining that employees represent an organization’s best defense. As the debate rages, it makes interesting reading to see what both employees and the organizations that hire them have to say. Where employees go, there appears to be quite some way to make up. Estimates put the percentage of employees who believe they have a role to play in the organization’s cyber posture at just 70% with only 61% saying they would report a cyber incident.
Yet many large organizations have already embarked on their journey of creating an employee-centric cyberculture, indicating their belief in them. Thought leader Gartner listed human-centric cybersecurity design as one of the major trends for 2023, with a prediction of no less than 50% of organizations adopting it by 2027. Forbes has consistently maintained that employees, given the right levels of empowerment and a cyber-aware company culture, can transform the cyber resilience quotient of the organization. Even Newsweek (9) in its March 2024 issue explains why employees remain an organization’s best defense against cyberattacks, offering tips for fostering a people-focused security posture.
Going forward, it is certain that security postures will be determined not just by the robustness of their cyber programs, but also by how effectively organizations ‘keep the faith’ in their employees, and how much self-belief the latter bring to their roles as custodians of cyber programs.
References:
- Your Employees Are Your Best Defense Against Cyberattacks (hbr.org)
- Cybersecurity Stats: Facts And Figures You Should Know – Forbes Advisor
- Social Engineering at Work – Aurora Systems Consulting Inc. (aurorait.com)
- The Importance of Employee Reporting in Cybersecurity
- The Looming Threat of Fatigue, Stress and Burnout in Cybersecurity – Aurora Systems Consulting Inc. (aurorait.com)
- PASSWORD FATIGUE – WHAT’S NEXT? – Aurora Systems Consulting Inc. (aurorait.com)
- Enhancing Productivity and Security: The Case for a Clean Desk Policy in Organizations – Aurora Systems Consulting Inc. (aurorait.com)
- The In and Out of Insider Threats – Aurora Systems Consulting Inc. (aurorait.com)
- Why Employees Are Your Best Defense Against Cyberattacks: 6 Tips for Fostering a People-Focused Security Posture – Newsweek
