The popular perception of hackers is exactly backwards. We think of cyberattacks as complex and highly technical. But often they use basic scams and schemes that have existed for centuries. Rather than trying to bypass sophisticated defenses, they simply aim to trick users.
This is why employee behavior matters in cybersecurity. The vast majority of attacks will be authorized by members of your own team. They are not trying to be malicious. They have simply been fooled into visiting a corrupted website or downloading a malware attachment.
The tactics that hackers use are very hard to spot and very easy to be convinced by. That is why an astounding 90 percent of all cyberattacks are caused by human error or behavior. Hackers attack this target aggressively because they know it’s so effective. As a result, half of all companies now carry a cybersecurity insurance policy.
Human error is impossible to stop, but the problem does not have to persist. Once companies recognize the issue, there are ways to actively improve and correct employee behavior:
- Make Training a Mandatory, Ongoing Exercise – Unsafe behaviors are a problem at every level and in every department. No one should be exempt, and training should be continuous to keep everyone sharp.
- Look Past Compliance – Effective cybersecurity is about more than complying with regulations like HIPAA or PCI. Make sure that all aspects, including compliance, are covered in training.
- Keep Things Simple – For cybersecurity training to stick, it needs to be simple and memorable. Avoid using technical jargon or complex demonstrations. Focus on providing actionable tips and advice.
- Explain Reporting Procedures – A major focus of training should be how, when, where, and why to report threats. In general, training should stress speaking up about threats instead of keeping them secret.
- Make It Personal – Every employee has a stake in the company's cybersecurity. A breach could put their jobs at risk or even expose their personal data to hackers. Emphasizing the personal connection makes each employee more committed to the effort.
- Monitor the Users – Tracking how employees use technology reveals how safe or unsafe their actions really are. Monitoring usage and filtering it through a basic analytics program reveals potential red flags. Then companies can correct the behavior before it causes an issue.
- Reconsider Access Controls – If employees don’t have access to data they largely can’t compromise it. Users should have the information they need for work but be locked out of everything else.
- Be Constructive, Not Critical – If employees are punished for unsafe behaviors, they will begin covering up mistakes. Rather than focusing on network security, they focus on their own security.
- Offer a Reward – Effective cybersecurity must be a priority for all businesses. Once teams or individuals begin practicing safer behaviors, offer a reward or recognition. Employees will stay committed to the effort if they feel like there is an incentive.
Employees are the biggest weakness when it comes to cybersecurity. But they are also the greatest strength. The companies that focus on the human element of cybersecurity tend to enjoy the best protection.