Cyber security is a growing problem as economies shift towards more digital and online models. The Covid19 pandemic has fuelled significant growth in internet commerce and the need for companies to enhance their digital strategies and scale their security operations to maintain cyber security.
Contrary to what you may believe, countering cyber security threats requires not only a focus on technology but also, a focus on people and human behaviour (Computer Security Resource Center, 2017).
Against the backdrop of complex and growing threats, businesses are waking up to the fact that one of the biggest chinks in their armour against a cyber-attack is their own staff. The top three cyber security fears reported by businesses are all related to human factors and employee behaviour, with the risk stemming from within the company (Kaspersky, 2020).
How Human Behaviour Increases Risk
How a user responds to a significant security event is an important consideration for an organisation’s security. For example, if someone receives a phishing email, how do they handle it? They could simply delete it, but ideally, they would report it so that appropriate actions can be taken to protect other users. Unfortunately, this is rarely the case.
While it is easy to point the finger at shifting end user behaviour, ultimately the lack of cyber security education and vigilance across the business, is creating a risky cyber environment for organisations.
Despite the huge level of media attention on the ‘WannaCry Attack’, which hit the NHS and many UK organisations, more than half of UK workers do not know what ransomware is. If end users do not know the risks and do not follow policies, it is highly likely they can fall foul to cunning threats from cyber criminals (Cosgrove, 2019).
Additionally, a rapid adoption of mobile working makes these inherent human errors more of a problem. Staff are now using their own potentially insecure devices to log on to work systems, and connect with colleagues, partners, and customers.
This means a higher risk of lost devices, weak or shared passwords, and sensitive company data accessed over insecure public WiFi. Organisations need to focus on ensuring each staff member understands the threat posed by hackers, and the benefits of keeping their company secure, not just for their own job role but across the entire organisation (Bennett, 2020).
A strong defence requires an organisational process surrounding cyber security, communication and socialisation of this process. Ideally, system design will automatically monitor emails sent to track malware and viruses as well as employee behaviour towards these (e.g. whether they click on them). This system can also be used to evaluate and qualitatively determine the effectiveness of an organisations policy and reporting process (Bowen, Devarajan and Stolfo, 2011).
Businesses should rely on monitoring tools and multi-factor security with built-in risk engines, so that they can spot unusual patterns of behaviour for logins and unwarranted attempts to access applications, to ensure they are protected if staff do experience security lapses.
Organisations should look to build a strong culture of security – a ‘human firewall’ where employees are capable of not only recognising a cyber threat but are comfortable reporting it. Creating false phishing emails tailored to each employee at scale is the perfect way to test employees’ security knowledge. Artificial intelligence and machine learning can also be deployed to detect poor security practice, whether it’s downloading files to external hard drives, sending them to personal email addresses, or accessing company data from remote, insecure devices (Bennett, 2020).
Within SMEs and larger enterprises, managers make decisions, helping businesses to adapt and grow in their respective industries. SMEs (more vulnerable to cyber-attacks than large organisations) should ensure they have managers who are specialised in IT, with a vast amount of experience in this field, to drive these changes (Ghobakhloo, Hong, Sabouri and Zulkifli, 2012).
Using change management techniques to implement the aforementioned solutions in enterprises can be beneficial as it allows organisations to assess the overall impact of a change (Change Management Coach, 2018). Stakeholders will understand why the change is necessary and what impact the change will have, which will also serve to boost morale (Bright Hub PM, 2018).
All organisations must be aware of insider threats tied to human behaviour, implement human-centred mitigation procedures, and update these on a regular basis, ensuring they are communicated throughout the company.