Why People Must Be Your Strongest Line Of Cyberdefense
CEO and Co-founder of Living Security, turning people from cybersecurity risks to strengths.
If you ask business leaders what their companies' greatest assets are, a few might boast about their products or their intellectual property, but the vast majority will tell you their greatest assets are their employees. It's the people who actually power the business, after all. There is no product or IP without people to create them.
And yet, despite this strong belief in their teams, many business leaders still treat their employees as a weakness when it comes to cybersecurity. They give them the bare minimum of security training, doing just enough to check the compliance box. They deploy zero trust controls that lock down every piece of corporate data and make employees re-authenticate every time they need to access something.
In their defense, people are part of the problem:
- Human error is the culprit in 60% of data breaches in the U.K.
- In 2020, more than 70% of all organizations experienced malware spread from one worker to another.
- Google found 52% of people reuse passwords on multiple accounts, and 76% of employees in the Fortune 1000 reuse passwords across personal and professional accounts, according to SpyCloud.
I get it. If you're a CISO, you see those numbers and think you have no choice but to lock everything away. People are vulnerable to attack, and too many businesses have simply accepted that employees are a weak point that can't be strengthened.
But it doesn't have to be that way. I see those numbers as evidence that traditional check-the-box security awareness and training programs don't work. They do nothing to create a lasting, positive security culture within the organization, and that is what is really needed for enterprises to turn the tide against cyberattackers. Rather than accept people as a security weakness, organizations need to make them their strongest line of defense.
The urgency for this has never been greater. The Covid-19 pandemic forced offices to close and employees to work from home, outside the company's cybersecurity perimeter. That has created an intermingling of work and personal devices and accounts that puts both the employee and the business at risk. As more and more companies announce plans to make remote work permanent, their people will increasingly be on the front lines. Business and security leaders owe it to those workers and their companies to arm them with the knowledge to be successful and secure.
Simply providing annual or quarterly security awareness training isn't going to cut it, and fortunately, CISOs are increasingly realizing that. In the January report "How To Manage The Human Risk In Cybersecurity," Forrester analysts wrote, "CISOs now recognize that this focus on creating awareness falls short of changing long-lasting behavior and that they need to shift the focus to the humans on the receiving end of these programs. Organizations with strong security cultures have employees who are educated, enabled, and enthusiastic about their personal cybersafety and that of their employer."
Developing a strong security culture starts at the top with executives setting a good example. They need to make it clear that security is a business enabler, not a nuisance. In too many organizations, security is an afterthought. It only comes up when it's time for the eyeroll-inducing annual training or, unfortunately, when someone messes up. Mistakes will happen, but leaders need to use them as opportunities for learning rather than punishing people. It's not fair to blame employees for falling victim to a criminal if you haven't prepared them for what to do when they face a threat.
A security-minded culture doesn't replace controls like firewalls, malware detection or zero trust policies; it complements them. When people are properly trained in cybersecurity and know how to recognize phishing, they will catch red flags that technology missed. As a business leader, you'd obviously rather reward your team for avoiding an attack than punish them for falling for one.
Employees are already on the front lines of cyberdefense. What we've been doing so far, minimal training and letting people think security is just an IT responsibility, has clearly not worked. Attackers are only getting more innovative and more creative in their attacks. It's past time for businesses to match them by empowering people to be a strong line of defense.