As companies continue to develop and mature their cyber security defense capabilities, they may be missing a key point: addressing human behavior as a potential security threat. Nuix, a global technology company, recently released a “Defending Data” report based on findings from their third annual survey of Information Security personnel. The report shows that 97% of security executives surveyed agreed that human behavior was their greatest vulnerability. This key take-away needs to drive changes in cyber security strategy.
Other key points from the report show that, among the companies which responded to the survey, cyber security is maturing as a practice. Spending is up, but more importantly spending is becoming focused. The survey asks about both current and planned spending using the NIST Cybersecurity Framework domains: Identify, Protect, Detect, Respond, and Recover. When addressing data breach detection, 79% of respondents reported increased spending in the past year, and 72% indicated they intend to increase spending in 2017. Yet 52% of the respondents said prevention of data breaches was their top spending priority, compared to 42% responding that detection held the top focus. So the detect and prevent domains are garnering a large share of the attention and spending, yet breaches continue to occur. And according to media reports on some of the larger data breach events, they often go undetected for months.
The question is, how much of the prevent focus is on the human behavior aspect, since that is so nearly unanimously agreed to be the greatest vulnerability? When dealing with human behavior as a cyber security vulnerability vector, we are referring to employee actions that put your company at risk. While there are deliberate insider acts of corporate hacking performed by employees who seek to do you harm or steal your data from the inside, there are other risky behaviors that may be unintentional. Actions like opening malicious email attachments, following Internet links to dangerous websites, plugging in flash drives of unknown origin, or installing unverified apps or programs may be performed by employees without any ill intent, but the results can still be devastating.
Security policies and employee training are important, but it is vital that your training efforts are effective. If you are still relying on an annual safe computing policy review, you need to do more. The classic “one and done” approach only raises awareness for a very short period of time. An effective cyber security awareness program is key to addressing the human risk area. A modern training program will utilize advanced learning techniques to drive long-term behavior changes, eliminating unsafe cyber habits and reducing cyber “accidents”. Since human behavior is the “elephant in the room”, it is important that your training program delivers real and measurable results for your investment.
Simply threatening employees with disciplinary action may lay the groundwork for removal of repeat offenders, but it is not an effective training or motivating methodology for changing behavior. The Nuix report noted a 15% drop in the use of scare tactics compared to last year’s report, which is seen as an indicator that they are not viewed as an effective means of motivation. You must inspire your people to build a culture of cyber awareness, and instill in them a desire to become part of a human firewall as an effective first line of defense against cyber attacks. And back that up with training that gives them the skills to cope with today’s unrelenting attacks!