With the rapid and constant increase in cyberattacks across the globe, most IT security leaders have one pressing question on their minds: Are cyberattacks even preventable?
Over the last few years, cyberattacks have become more sophisticated. In fact, it is estimated that cyber attackers can penetrate corporate networks up to 93% of the time. With such odds in place, we need much more than just the latest security technologies to improve our defenses.
The only way an organization can fortify itself against cyber risks is by integrating the two sides of cybersecurity: people and technology. Most organizations readily accept the technological part: fight tech with tech. But we often forget that although cyberattacks are technology-driven in nature, they are eventually carried out by a human on the other side. In the end, it's another human being who decides to attack a network and steal the information for their gain.
Thus, the only plausible cyber defense strategy that will work is one that considers the human element. As much as we'd all like to believe that technology is impenetrable, that is definitely not the case. The most proficient cybersecurity solution will be useless if a user chooses to leave their laptop unattended or continues to use "qwerty" as their password. Humans play a crucial role both by reducing the chances of a cyberattack through improved cyber hygiene and by being "cyber aware" enough to recognize a threat when it happens.
Cybersecurity is one of those places where the adage "to err is human" can result in damage worth millions of dollars. Thus, it’s important for organizations to develop and implement cybersecurity solutions that address human fallibility. This can be done using behavioral economics and analytics to study the reasons that drive users to make bad security decisions, like using the same password everywhere.
The Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCA) have partnered to spread awareness about cybersecurity across the globe. Their 2022 theme for Cybersecurity Awareness Month is #SeeYourselfInCyber, which focuses on the human element in cybersecurity. It promotes the idea that, however complex we may think cybersecurity is, it's mainly about an individual's part in ensuring good cyber hygiene. They've released a set of four actionable steps that every individual must perform to do their part in creating a cyber secure world: enable multi-factor authentication (MFA), use strong passwords, recognize and report phishing, and update software regularly.
At first glance, these steps might seem very basic. But if we really think about it, such simple actions, if performed by every individual, can create a powerful first line of defense against cyber threats.
Microsoft has estimated that MFA can block over 99.99% of account compromise hacks.* The reason behind this is pretty straightforward: even if user credentials are hacked or a trusted device is stolen, it becomes difficult (and at times impossible) for any attacker to gain access without the next factor of authentication enabled through MFA. Similarly, if stronger passwords are used in the first place, it becomes harder for cyberattacks like password spraying, credential stuffing, or dictionary attacks to succeed.
With 90% of data breaches caused by phishing, it's essential for users to have the awareness to identify phishing in the first place. When users are capable of identifying phishing e-mails or messages, they know not to click on malicious links. It is equally important for users to report phishing to their IT admins so that precautionary measures can be taken to prevent phishing messages from entering the organizational network. Once a phishing attempt is identified and reported, the local IT team can ensure that any communication from the same number or domain goes to spam by default, thereby reducing the chances of anyone clicking on it.
The last recommendation is for users to update their software regularly. Each time malware or a bug is detected, the IT security and development teams work hard to launch patches or new updates to secure their applications and devices. All these efforts will be in vain if the end user does not update their software and hardware on a regular basis.
These simple yet effective steps must be followed by every individual exposed to the digital world in any way. Only through our collective efforts can we hope to stand a chance against the overwhelming number of cyber threats looming over us.
*Do remember, even MFA isn't entirely foolproof. MFA fatigue attacks are increasingly common, wherein hackers exploit MFA by flooding a user with push notifications until their login attempt is approved.