Simon McNally, identity and access management expert at Thales, explains why cybersecurity is a pressing people-related risk that must be tackled urgently

Cyberattacks are a matter of when, not if, and it seems you can’t go a day without hearing news of another organisation that has fallen victim to a breach.

However, while cybersecurity should without a doubt be high on the radar of every risk manager and business leader, it is in reality a pressing people-related risk involving each and every employee across the workforce.


Thales’ 2023 Data Threat Report found human error to be one of the leading causes of breaches and, of businesses that recently suffered a cloud data breach, over half (55%) of respondents identified human error as the primary cause.

With AI making its mark, more than a third (37%) of consumers are also concerned it has the capacity to make phishing attempts more convincing.

So, how can everyday employees be cybercriminals’ gateway into organisations? What are the associated business risks to consider, and how can risk managers and the wider business mitigate these people-related risks in the first place?

Employees represent the frontlines of cybersecurity

Malicious attacks often start with a phishing email targeted at unsuspecting employees, or centre around compromising an easy-to-guess password.

Passwords are highly problematic from a cybersecurity perspective as they put the onus entirely on the user, and are heavily reliant on limited human memory capacity.

With advice encouraging us to have long, complex passwords for personal and professional use, there is a risk that people will resort to using the same, easy-to-remember (and easily hackable) password.

With people often using the same passwords across all their online accounts and applications, if one is compromised, the rest could be too.


Elsewhere, amidst widespread layoffs, reduced headcounts may also put a strain on those colleagues who remain, at a time when the uncertainty will already be piling on pressure.

It is possible that cybersecurity will be de-prioritised, leaving businesses more vulnerable to attack.

Beyond increased workloads, redundancies can also breed a disgruntled workforce and leave the surviving employees feeling unsupported. ‘Quiet-quitting’ can therefore overtake the business, with workers potentially less alert to potential risks.

Finally, workforces of today are more distributed than ever; all employees need to do their job is a strong internet connection within their home, or indeed anywhere.

Flexibility and hybrid working models are here to stay, but need to be managed properly in order to avoid company data being visible on insecure networks.

The business risks

A successful cyber breach can have far-reaching consequences. Financially, targeted organisations face the threat of lost business due to paused operational activity. This is in addition to requests for ransom payments and fines for data breaches.

Reputationally, there is also a risk that organisations will lose the support and backing of investors and other stakeholders, as well as their customers who decide to do business elsewhere.

Loyalty is not easy to win back after a breach.

Furthermore, those impacted may find themselves in the media spotlight, damaging the image of the brand even further. Needless to say, the fallout of a cyberattack can be considerable.

How risk managers can better manage and mitigate people-related risks

Various steps can be taken to help risk managers develop a greater understanding of the human influence on cybersecurity, and build greater resiliency against breach attempts.

How to tackle people-related cyber exposures

  • Change the workforce’s mindset: This is not so much about people being aware of cyber threats, but about building a greater understanding of the part they play in creating a cyber-secure culture. A common observation from Cyber Vulnerability Investigations is a tendency for employees to rely on their IT department to protect them from cyber-attacks. In a mature culture, everybody takes responsibility for their own cybersecurity.
  • Be aware of the limitations of a “strict approach”: In terms of policies, the stricter the cybersecurity policy, the more likely employees are to find short-cuts and workarounds, whether that’s the use of personal devices and email accounts or the use of unauthorised memory storage devices. When setting up policies, processes and projects, organisations need to be realistic about human behaviour and vulnerabilities.
  • Avoid blame: Allowing a culture of blame to exist is not helpful or productive. It instils fear; in the event of a successful breach, employees should feel comfortable coming forward, rather than holding back for fear of a personal attack.
  • Educate your workforce: Consider implementing a Cyber-Human Error Assessment Tool to enable employees to better spot phishing attacks (especially given the newfound impact of AI-enhanced phishing emails). These tools empower users to share and store sensitive information safely and to understand the day-to-day processes necessary to keep data and systems protected.
  • Make it collaborative: The human element should be front and centre in every policy and procedure. Ideally, employees should be consulted in the design of these protocols to ensure they’re accessible and workable for the different job roles within the organisation. The most secure way to perform a task should not be the hardest but the easiest.
  • Consider a shift from passwords to biometrics or other stronger methods such as Passkeys: With passwords widely considered an insufficient form of authentication, biometric technologies may offer an alternative because they eliminate reliance on human memory. Fingerprint and facial recognition systems are common on smartphones but could be better utilised in workplace applications too, alongside the adoption of Passkeys to replace the need for passwords.

Based on the above tools and attitude shifts, businesses will be better placed to identify key behaviours that need to change to improve security and focus training and workshops towards achieving that change.

Learn how to tackle organisation-wide people risk

Organisations are facing a human resources crisis, with 58% voting human capital, diversity, and talent management a top risk. This reflects ongoing labour shortages in key sectors of the economy, as businesses struggle to fill vacant positions and retain talent.

Those organisations that fail to prioritise engagement will not only end up losing critical talent, but they also risk knock-on effects such as increased rate of attrition, loss of productivity and reputational risk.
