It’s a known fact that people are prone to making errors, and they become even more likely to do so when attackers use social engineering tactics.
In our previous article, we explained human error and human risk. In this one, we describe the connection between social engineering and human risk, how companies address the risk their employees pose to their operations, and how one can tackle and reduce human risk.
Social engineering and human risk
Today, companies are well defended on the technical level, so criminals look for an easier way to access your resources.
They rely on human psychology, as we just explained. To push people into making errors, criminals also tap into emotions such as curiosity, carelessness, urgency, and fear.
They know that a single employee error can be enough to carry out a successful attack, especially if some technical defenses are also missing. Careless or uninformed employee actions are the second most likely cause of serious data breaches, right after malware, according to Kaspersky.
Social-engineering attacks are also becoming more sophisticated. In a recent episode of Ann Johnson’s podcast on human risk, Rachel Tobac (Social Proof Security, San Francisco) notes that there are lazy attacks (which most of us can easily spot) and there are extremely well-planned attacks that can take up to 100 hours to prepare and execute. Long gone are the days when it was easy to spot a phishing email. Nowadays, you really need to stay alert and think critically to spot a sophisticated attack. Our latest analysis of why 20% of GitLab’s employees failed the phishing test is a good example of this.
Human risk in the organization – do companies address the risk in the right way?
Without adequately addressing the human element, a cybersecurity strategy cannot be complete. While we have seen increasing demand to address human risk in the organization, companies still sometimes focus on the wrong things.
To build actual resilience, changing user behavior is a must. People must be trained properly to acquire the skills to take the right action. Many companies fail to recognize the need for a security culture in which security teams and employees cooperate to keep assets safe.
What do companies do today to increase their resilience?
- They rely on policies that are impossible to enforce, especially once the employee count exceeds 1000.
- There’s too much focus on creating awareness. It’s not enough to know that threats exist. Attack types evolve quickly, and employees cannot be prepared without proper training.
- There’s too much negativity around security. Those who fail could face punishment. This results in the ‘hide-and-seek’ problem: if you don’t know that something happened, you cannot start working to fix the issue.
- Training is lacking in practice. There’s a difference between knowing what to do in theory and being able to do it in real life.
How does one tackle human risk?
Find the right balance between policy and engagement.
Make sure people are aware of your policies, but find ways to engage them through training so that they gain practical experience of why security is important – not just at the workplace but also in their personal lives.
Raise awareness, but also remember to motivate people.
They need to know the ways attackers could target them, but posters and training videos alone won’t make them care or know more. Motivate them to acquire enough knowledge and skills to make the right decisions and take the right actions when they encounter threats.
Have all the tools available and up to date as a second barrier of protection.
Sometimes, no matter how good a job you do, credentials will leak. Make sure you provide the tools for people to use strong passwords, enable 2FA, use email filters, make reporting of errors simple, and so on.
Foster positivity around security.
Negativity and punishment may make people more resentful towards security, or, for example, lead them to hide an incident (such as clicking on a link or downloading something they shouldn’t have). Positivity in cybersecurity training should be a concern of top management and the HR department. It adds a layer of security when you know you can count on the cooperation of your employees because they do not need to fear punishment.
Provide engaging, practical, and motivational training.
Frequent practice is the key to successful behavioral change. When we talk about behavioral change with regard to employee security awareness training, we mean that people acquire the knowledge and skills to act immediately when they face threats, minimizing the chances of making an error. When people recognize threats and learn that this is valuable information for the security team, they will start reporting them – assuming the reporting process has been made simple enough.
Employee experience is also an important factor in successful behavioral change, so make sure the training you provide is something people want to use and feel motivated to participate in.
You cannot completely eliminate human risk – but you can reduce it
There is no guaranteed protection against social engineering attacks, and you cannot completely eliminate human risk; people will continue to make errors. Nevertheless, you need a plan for engaging your employees so that they support your defense strategy. Provide them with the tools, knowledge, and skills they need to take the right action and to help reduce opportunities for breaches, thereby mitigating human-related risk.