Cybersecurity: Your Human Risk Is Greater Than You Think

Your organization’s leadership team places a high priority on security initiatives. Your security team uses firewalls, penetration testing, and other defensive and offensive methods to keep your technology and data secure. Your employees even complete an annual security awareness training to maintain security compliance.

But your organization is still breached. Where did you go wrong?

Most likely, managing your human risk fell short. According to the 2021 Data Breach Investigations Report (DBIR) from Verizon, 85% of more than 5,200 confirmed breaches involved the human element. Your people are not only vulnerable, they are the primary attack vector the bad actors out there are looking to exploit.

Lance Spitzner, Director of SANS Security Awareness and presenter in the recent Sayers #CURIO Virtual Tech Summit, says to think of humans as another operating system that stores, processes, and transfers information. “Organizations have done comparatively little to secure the Human OS, and now it is the most vulnerable operating system in any organization – and the bad folks know it,” he says. “Because we have become so good at securing technology, we are literally driving them to attack people.”

Manage Human Risk The Way Successful Organizations Do

Companies that successfully manage human risk are the ones that recognize the vulnerability of their people, and they focus on both awareness and behavioral change programs. Spitzner, who has helped over 350 organizations build security awareness and culture programs, says successful companies use the following approaches:

Identify top risks and behaviors. Having your employees complete a security training module each year means you’re good at managing compliance, not risk. Successful companies identify the top risks they need to manage as well as the behaviors they have to change before they start any awareness campaigns.

As the first step in designing your employee training, work with your security team and use risk assessments to identify and prioritize your top three to five human risks. Once you’ve done that, identify the top three to five behaviors that need to change to manage those risks.

For most organizations, phishing and passwords will most likely be somewhere in the top three human risks,” says Spitzner.

Focus on a few risks and fewer behaviors. Identifying your top human risks shouldn’t be difficult. Your security operations center, incident response team, or cyber threat intelligence team will have that information. The challenge is to resist the urge to tackle all the human risks facing your organization.

“One of the key problems I see is organizations overwhelming their workforce with 100 different behaviors on how to be secure, because they want perfect security,” says Spitzner. “No, we just want to manage your top risks. The fewer risks and behaviors we focus on, the more likely people will change those behaviors.”

Identify risks based on data, not emotion. Don’t let the latest security-related headlines or social media posts emotionally charge or dictate your priorities. Instead, make data-driven decisions about your human risks and behaviors by looking at data sources including:

• Previous incidents and breaches internal to your organization
• Past assessments or audits
• Industry risk reports such as Verizon DBIR, Microsoft Digital Defense Report, or CrowdStrike Global Threat Report)
• Human risk/behavior assessments

Don’t Know Where To Start? Try Phishing And Passwords

Maybe you have an immature or maxed-out security team, and you lack enough data or resources to work with. In those cases, phishing and passwords are great starting points for behavioral change to reduce human risk.

“Teaching people the most common indicators of a phishing attack, and instructing them on how to use passwords securely, including multi-factor authentication (MFA), goes a long way,” says Spitzner. “Those are my favorite behaviors to start with.”

Supporting that approach, the Cybersecurity and Infrastructure Security Agency (CISA) has added single-factor authentication to its top three list of bad practices.

Top Three Reasons Awareness Programs Fail

Despite their best efforts, many organizational change efforts fail to make an impact on human risk. The reasons for this come down to weaknesses in communications and metrics, namely:

1. They start with the what instead of the why. Security teams tend to be technically focused in their communications and jump to telling stakeholders what to do and how to do it. Instead, create both emotional and logical investment by starting with why. Why is making this change important, and especially, why is it important to them? How will they personally benefit?
2. They use the wrong metrics. Managing human risk means changing behavior. To know if you’re successful, you need the right metrics. If you’re trying to protect your organization from phishing attacks, then your awareness campaign could include a phishing assessment that measures how many people click on a link or open an attachment in a phishing simulation email, how many report the email, and how many repeatedly fall victim to phishing simulations. Those repeat offenders represent a high risk and require an escalation in training or consequences, such as moving them to a different job role or department.
3. The curse of knowledge. When it comes to awareness program communications, too much knowledge can be a curse. Don’t assume your audience understands the topic as well as you do. Cybersecurity professionals consider MFA a simple concept, but explaining it in understandable terms to the rest of the organization? Not so easy. “Far too often we have failed to make cybersecurity simple for them,” Spitzner says. “We’re overwhelming them. Our policies are confusing or we’re being overly technical. Take a step back.

How well is your security awareness program managing human risk? Are you going beyond compliance to focus on changing behaviors for the long term, and measuring your progress along the way?

Spitzner sums it up, “Until we also start addressing the human element, bad guys will continue to win.”

Questions? Contact us at Sayers today about your security, risk, and compliance questions for your organization.

Thanks to Lance Spitzner, Director of SANS Security Awareness, for his “Managing Human Risk” presentation from the Sayers #Curio Virtual Tech Summit. We’ve pulled the above highlights from his 27-minute presentation, now available free on-demand.

Lance Spitzner, Director of SANS Security AwarenessLance Spitzner has more than 20 years of security experience in cyber threat research, security architecture, and awareness training. He helped pioneer the fields of deception and cyber intelligence with his creation of honeynets and the founding of The Honeynet Project. He has published three security books, consulted in over 25 countries, and built the SANS Security Awareness business unit from the ground up over the past 10 years.