Cyber Sessions: Don’t ignore the human factor in building resilience

To read this article and get more critically important news and information, check out our other security-focused posts and subscribe to Providence Business News on their website, www.pbn.com

While technology media coverage is dominated by cutting-edge artificial intelligence and sophisticated cyberthreats, it is easy to overlook a crucial weapon in the fight against cyberattacks – your people. Over my career as a cybersecurity leader, I’ve witnessed many successful attacks exploiting the human factor, and that makes companywide cybersecurity awareness and education vital in building a defense.

The statistics speak for themselves: 74% of data breaches involved a human element, according to the 2023 Verizon Data Breach Investigation Report. Human error remains a constant cybersecurity risk, but the traditional ways of educating employees aren’t moving the needle.

Executive teams and boards of directors play a fundamental role in the investment strategy of a cyber-resilient environment. While investments in technologies are important, just as much focus and investment must be placed on educating and empowering employees at every level. Cybersecurity is not just a technology issue. It is a business imperative and a shared responsibility.

Executive teams must prioritize the need for a holistic cybersecurity education and awareness program, one that is embedded into workdays and acknowledges that a well-informed workforce is the first line of defense.

On day one, new employees should undergo a short, tailored security awareness training session, emphasizing best practices, company policy, reporting procedures and access to online resources. Company executives need security programs built for them, focused on individual threats they may face. This high-touch approach ensures executives understand and prioritize the cybersecurity risks, and it needs to be an integral part of their continuous education.

Technology and highly technical employees should have security best practices embedded into their certifications and training programs, emphasizing secure coding practices, proper use of administrative and privileged accounts, and system hardening practices. Making sure those teams are keeping in alignment with corporate privacy and data protection policies is equally as important.

Let’s not forget the employees who travel. Just-in-time education for employees traveling overseas, focused on country-specific privacy laws and risks, is essential. Awareness of potential risks or technology seizures, both traveling out and upon return, allows employees to prepare for risks.

Every employee should be viewed as a cybersecurity threat detection sensor. Constant education, critical advisories, and quick and engaging video updates can help. Regular tabletop exercises and simulated assessments coupled with gamification can help keep the content fresh and relevant. The goal is to create human “cyber alarms,” where every employee is not just a user but an active player in the defense of the organization.

In the hunt for cyber resilience, we hear a lot about the adoption of “zero trust” principles. Explicit verification and the assumption of breach form the cornerstone of any resilience plan. That being said, the human factor is fundamental to zero trust, acknowledging that every user plays a role in protecting data.

The constant shift and risk in the threat landscape commands a diligent and ongoing commitment to cybersecurity education. As we invest in technology, we cannot forget that the human element remains the cornerstone of cyber resilience. It’s time for executives to lead the charge in building a culture where cyber skills are part of the DNA of every employee. By prioritizing security education and awareness, business leaders can build a fortified defense.