Human error is a leading cause of security breaches within companies. Training can help.
Cyber attacks come in many forms. Some seek to exploit vulnerabilities in a program’s code, while others attack a network’s infrastructure. But by far the most common strategy is to target weaknesses in human behavior—moments when we are tired, forgetful, stressed, in a hurry, anxious, or taking a tempting shortcut.
Because these moments are so common, they can be hard to guard against, and that’s assuming employees are trained enough to know what to expect in the first place. If an employee doesn’t even know what a cyber threat looks like, they are unlikely to notice when their behavior is exposing a vulnerability. And if there isn’t sufficient buy-in from the top, many employees may also conclude that a threat isn’t sufficiently concerning to warrant extra precautions.
A comprehensive security plan to help mitigate human error vulnerabilities should educate employees in the types of security threats they may face, provide software programs or other systemic procedures to act as failsafes if an error does occur, and support technological adoption through employee training and other social support.
Cybersecurity threats designed to exploit human weaknesses include:
- Phishing scams. The past year has seen an explosion of phishing attempts brought on by the massive upheavals of the pandemic. Phishers have masqueraded as fellow employees or pandemic relief programs, or mimicked communications from widely used software programs. Distinguishing a phishing attempt from a legitimate email is becoming more difficult, but email monitoring software can help spot suspicious emails.
- Poor password security. Too many users continue to reuse the same password across multiple accounts, keep using old passwords that are more likely to have been compromised, or choose weak passwords that are easy to guess. Password keychains can help users choose stronger passwords while improving the user experience.
- Situational vulnerabilities. Employees working from home, in a coffee shop, or at an unsecured desk may have vulnerabilities in their environment that they should be aware of if they are accessing sensitive information. Conditional access can monitor which network an employee is using and either require extra sign-in factors or limit access to certain files.
- Out-of-date operating systems. Modern software is constantly being updated to mitigate security vulnerabilities as they are discovered. In the past, employees have exposed themselves to vulnerabilities by putting off essential updates. Automated update tools can track which updates are the most critical and schedule lower-priority updates during downtime.
- Out-of-date hardware. If your hardware no longer supports the newest software programs, then it may be running systems with known vulnerabilities. Some hardware devices have other known vulnerabilities that make them easier to exploit. Employees can sometimes grow resistant to replacing familiar devices that fit into their workflow, but following a replacement schedule can mitigate this threat.
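The conditional access item above describes a decision rule (where is the user connecting from, how sensitive is the resource, has a second factor been presented) without showing one. The following is an added example, not code from the original article or from any vendor named on the page, of what such a policy looks like when written down. The network ranges (10.0.0.0/8 for the office, 172.16.0.0/12 for the VPN pool), the three sensitivity tiers and the sample requests are all constructed for the illustration; the one design point worth noticing is that an address that cannot be classified is treated as public rather than trusted.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Network(Enum):
    CORPORATE = "corporate"  # managed office network
    HOME_VPN = "home_vpn"    # remote, but tunnelled through the company VPN
    PUBLIC = "public"        # coffee shop, hotel, unknown Wi-Fi


class Sensitivity(Enum):
    LOW = 1         # public marketing material
    INTERNAL = 2    # ordinary internal documents
    RESTRICTED = 3  # HR, finance, customer data


@dataclass(frozen=True)
class AccessRequest:
    user: str
    network: Network
    resource: str
    sensitivity: Sensitivity
    mfa_completed: bool


@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "require_mfa" or "deny"
    reason: str


# Constructed ranges for the example; a real deployment would take these from
# the organisation's own network inventory.
OFFICE_RANGE = ipaddress.ip_network("10.0.0.0/8")
VPN_RANGE = ipaddress.ip_network("172.16.0.0/12")


def classify_network(source_ip: str) -> Network:
    """Map a client address onto a trust class.

    Anything that is not a known managed range, including an address that does
    not parse at all, is deliberately classified as PUBLIC: the safe failure
    mode for a missing or malformed value is "untrusted", never "trusted".
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return Network.PUBLIC
    if addr in OFFICE_RANGE:
        return Network.CORPORATE
    if addr in VPN_RANGE:
        return Network.HOME_VPN
    return Network.PUBLIC


def evaluate(req: AccessRequest) -> Decision:
    """Apply the policy in order; the first matching rule wins."""
    # Rule 1: restricted data is never served to an unmanaged network at all.
    if req.sensitivity is Sensitivity.RESTRICTED and req.network is Network.PUBLIC:
        return Decision("deny", "restricted resource requested from an untrusted network")
    # Rule 2: off the office network, anything above LOW needs a second factor.
    if req.network is not Network.CORPORATE and req.sensitivity is not Sensitivity.LOW:
        if not req.mfa_completed:
            return Decision("require_mfa", "off-network access to non-public data")
        return Decision("allow", "second factor satisfied for off-network access")
    # Rule 3: restricted data needs a second factor even inside the office.
    if req.sensitivity is Sensitivity.RESTRICTED and not req.mfa_completed:
        return Decision("require_mfa", "restricted resource")
    return Decision("allow", "trusted network or public resource")


def decide(user: str, source_ip: str, resource: str,
           sensitivity: Sensitivity, mfa_completed: bool) -> Decision:
    """Convenience wrapper: classify the address, then evaluate the policy."""
    req = AccessRequest(user, classify_network(source_ip), resource, sensitivity, mfa_completed)
    return evaluate(req)


if __name__ == "__main__":
    # Constructed sample requests, one per situation the article mentions.
    samples = [
        ("alice", "10.4.2.7", "brochure.pdf", Sensitivity.LOW, False),        # office, public doc
        ("alice", "172.20.0.5", "roadmap.docx", Sensitivity.INTERNAL, False),  # home VPN, no MFA yet
        ("alice", "172.20.0.5", "roadmap.docx", Sensitivity.INTERNAL, True),   # home VPN, MFA done
        ("alice", "203.0.113.9", "payroll.xlsx", Sensitivity.RESTRICTED, True),  # coffee shop
        ("alice", "garbage", "payroll.xlsx", Sensitivity.RESTRICTED, True),    # unparseable address
    ]
    for user, ip, resource, level, mfa in samples:
        d = decide(user, ip, resource, level, mfa)
        print(f"{ip:>12} {resource:<14} {level.name:<10} mfa={mfa!s:<5} -> {d.action:<11} ({d.reason})")
```

Running the block prints one decision per sample; the two restricted-data requests from outside the managed ranges are denied outright, the VPN request is allowed only once the second factor has been presented, and the public brochure from the office needs nothing extra. The same shape scales to real products: the rules are ordered, each one names the condition it guards, and the classification step fails closed.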
A combination of assistive security software and employee training is the best defense against cyberattacks that target human vulnerabilities.
As you’ll notice from the above examples, while cyber attacks have grown more sophisticated in recent years, so, too, have the means of defending against them. New software solutions exist to act as cybersecurity guard rails for employees, so that even if an employee makes an error, the software can step in and either flag the mistake for future correction, or force the employee to make a different choice.
However, even with assistive software programs, human error can persist at two levels. First, if employees over-rely on technology to compensate for their own mistakes, they may introduce security errors by continuing to follow unsafe practices. (For example, they may keep using old or insecure passwords, trusting multifactor authentication to prevent a breach.)
Second, employees still have to use these technologies for them to be effective. For instance, multifactor authentication can help prevent unauthorized account access, but employees still have to opt in for it to work.
Employee training programs can help employees recognize the importance of following cybersecurity protocols, but as with technological adoption, employees still have to take the training for it to be effective. Companies can make progress by encouraging security training among employees—or even making it mandatory—but the training platform itself can also play a big role.
Elements of an excellent training platform include:
- Easy to update. Security threats are always changing, so a training platform should be flexible enough to allow organizations to add modules or other additional materials at any time. Organizations should expect to review and update their training regularly.
- Relevant. Examples of cybersecurity scenarios should match what employees experience in their day-to-day work environments, so that they can easily recognize when a procedure is relevant. For instance, if an organization has a clean desk policy, a training video that shows an employee following procedure before walking away from their desk to use the bathroom or attend an office birthday party can give that policy context.
- Trackable. Managers should be able to check in on their team’s training progress so they can keep tabs on which employees have completed the necessary modules. This is especially important if an employee needs to repeat training every year. A platform with training metrics can notify employees when it’s time to retake training, or send them a notification as a nudge to finish a module.
- Engaging. Training is often seen as a chore, but a well-designed program should feel both exciting and satisfying. Employees are more likely to view a training program as useless or unimportant if the material is dull. Including interactive or competitive elements can help employees pay attention and make the content more memorable.
Software solutions and employee training only work if employees adopt them.
If you’d like to learn more about how to successfully help employees adopt new software, our cloud adoption and cybersecurity training partner, BrainStorm, is hosting a webinar on August 19th at 1pm. This thirty-minute session will include a conversation with James Krick and Alyssa Bansky of the Campbell Soup Company as they discuss how they lead software adoption at their company. Register today to attend the event.
Finally, creating an organizational culture that takes cybersecurity seriously is essential to ensuring that everyone adopts security procedures. If coworkers openly disregard a security policy they believe is too overbearing, it can establish a norm of non-compliance.
To support cybersecurity training, leaders within an organization must visibly follow all security procedures themselves; employees who follow procedures should be vocally encouraged to continue doing so; and leaders should ensure that everyone in the company has the tools and resources they need to comply with security directives.
If you would like to work more closely with cybersecurity experts, contact us today.