More than 90% of cyber-attacks involve a human attack vector. However, despite an emphasis on cyber security training for years, employees still don't consider cyber security to be their responsibility. That doesn't mean companies should play the blame game; it's time to change the narrative so that their employees, who are their biggest asset, don't feel criminalised.
Remote working
It's clear the shift to remote work is not going away, and this poses security challenges. People can opt to log in from outside of their employer's network from home, coffee shops, and flexible workspaces, virtually anywhere with a strong enough internet connection.
Unlike a centralised team, where you can physically lock down confidential information, remote working means sensitive corporate data like customer lists, financial information, and source code is now everywhere. Malicious actors are well aware of this, so it's little surprise that 90% of cyber-attacks involve a human attack vector.
Engineering security for employees
There's no doubt that criminals will continue to try to exploit an organisation's workforce. However, organisations need to remember that this is not the fault of employees; they are the victims. They need to change the pervasive narrative from one in which a company's greatest asset, its employees, are made to feel criminalised to one in which they are empowered.
Instead, organisations need to think about their responsibility to protect their staff. Employees might be in the crosshairs of hackers, but it's important that employees feel the company has their back. No matter what role an employee plays within the business, organisations should engineer security in such a way that it's easy for them to use, understand, and implement, so that they can protect themselves.
Enhancing employee security with technology
There are various ways employees unintentionally put their organisation at risk, including browsing risky websites, downloading malicious files, accessing confidential data through unsecured Wi-Fi networks, or inserting USB sticks containing malware.
It's important to note that businesses need to be able to differentiate between what is malicious and what is accidental. Mixing the two could have disastrous consequences in terms of employee morale.
Human-centric approach
Instead of pointing the finger, organisations need to develop a more human-centric approach to cyber security; one which protects their networks and data while empowering employees to continue working without fear of being exploited.
Such an approach would give them the helping hand they need to discover risks, prevent data loss, and enable regulatory compliance while educating employees on the importance of cyber hygiene.
AI and machine learning
Technology has a role to play here. For example, the advances in machine learning over the past five years mean that AI can be effectively deployed to augment and enhance employee behaviour, prompting them to make safer decisions as they work.
Used in this way, AI can protect employees from making mistakes and be used to advance cyber security by instructing employees in real time and adapting to the individual behaviour of each user.
Mindset shift
While this might be seen as a common-sense solution, it is not the path that many organisations are taking in security. By casting the employee in the role of a “rogue” in the network, organisations’ default approach to date has simply been to try and block and control the employee.
Companies need only refer back to the 90% figure earlier to see how ineffectual this approach has been, mostly because staff who just want to get on with their jobs will naturally find that security makes things more difficult. That is why it is so important that the use of technology is coupled with a mindset shift: companies need to stop trying to stop their employees from getting on with their work.
Intelligence and context
AI has the additional benefit of generating data on employee behaviours that can be fed back into the system to improve their experience and also to identify threats when they do occur.
This next-generation technology can be used to make sense of unstructured data across different platforms, tools, and networks, and can piece together a complete picture of what normal behaviour looks like, and what indicates risk. For example, if an employee’s credentials have been compromised and they are being impersonated on the network, the system will know.
Privacy implications
People may have perfectly understandable concerns regarding the privacy implications of this approach, of course. Although an organisation will have visibility into its network and will enjoy actionable intelligence as a result, the privacy of its employees must be protected by securing and anonymising their data. Employees themselves will benefit from such an approach, too.
Each time an incident occurs, they can receive appropriate security training, and real-time on-screen messages reinforcing their employer’s IT Security and Acceptable Use policies. Rather than spending time and money on classroom-based instruction, this instant feedback loop is an effective, time-efficient, and affordable alternative form of security awareness training.
Bringing employees into the fold
The narrative the cyber security industry has created around employees, presenting them as, at best, a liability and, at worst, a deliberate saboteur, has led to bad outcomes for both staff and the organisation.
It is beyond time that companies redirect the considerable resources they invest in blocking their employees towards tools that would help them. Risky behaviour will be more effectively mitigated with increased intelligence, productivity will increase, and employees will look more favourably at their employer.