Is the danger of human mistakes sufficiently taken into account?
There is a common thread that connects a good number of the cyber-incidents that have recently affected companies world-wide: the role of human beings in cyber-security incidents. It's no mystery that big corporations have increased their budgets for cyber-security protection in the past years. The risk deriving from the absence of such protection is too big in terms of financial, reputational, and regulatory consequences, and thus cyber-security experts have seen their own positions within the organizational chart (and their resources) boom. The question is: have companies put in the necessary effort to tackle human mistakes as well?
If big corporations have increased the resources for their cyber-security programs, it is questionable whether they have at the same time improved the human aspects of cyber-security. Judging from the dramatic consequences of recent cyber-attacks, with ransom sums being paid to cyber-criminals and/or large revenues lost due to downtime caused by malware, viruses, etc., the result is evident: companies need to focus more on the other aspects of cyber-security.
From a first analysis one might consider the investment in technological capabilities (firewalls, anti-viruses, data loss prevention, etc.) as the first and only step in reaching a satisfactory level of security. Yet this is not always the case. You can have the best cyber-security devices ever, but if you do not adequately educate your staff and all your other stakeholders (e.g. your customers), it is highly likely that sooner or later you'll suffer a cyber-attack.
Companies should start giving awareness and education the right importance. Too often, in fact, cyber-security managers see awareness programs as a tedious activity, good only to tick off audit requirements. Yet awareness is more important than that. It does not give people technical skills, and it does not merely train them in cyber-security competences; rather, it supports them in the process of changing their behaviour, and a different behaviour might save your company from cyber-incidents. This is the first step in minimizing the human risk in cyber-security.
If you want to have a reasonable expectation of surviving the next cyber-security attack, you should start providing your staff with cyber-security awareness based on the following steps:
Start from where you are: what are your company's main threats? (Talk with your employees; they know best where threats might come from.)
Try to understand why your company might be a preferred target of cyber-criminals.
Is the company more likely to suffer from internal or from external threats?
Start considering how you want to change your staff's behaviour (and that of your other stakeholders).
Always address human vulnerabilities, not only technical ones. If you want to minimize your cyber-security risks, introduce the human aspects into your security programs.