The theme of this year’s Cyber Security Awareness Month was “See Yourself in Cyber.” According to the Cybersecurity and Infrastructure Security Agency (CISA), the theme demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. The purpose is to ensure all organizations make smart decisions when it comes to cyber security.
The people theme is appropriate. The problem described by security practitioners and analysts has not been hackers or bad actors, but rather, the people you work with every day. It’s partly true—most security compromises do in fact start on the inside. There’s data to back up this claim, too.
This year’s Verizon Data Breach Report shines a spotlight on the delinquent user, reminding us that the human element (social attacks, errors, and misuse) is to blame for 82% of all breaches. While the facts cited in this and other reports are accurate, is it really helpful to point a finger at the end-users? It seems this blame is misplaced, a scapegoat to avoid the root of the problem.
The Real Problem
Perhaps if the tools and processes organizations had developed were air-tight, the ‘people problem’ would be a more valid argument. But if the infrastructure in place actually supported the people doing the work, would we be in this position? Instead of fixating on the ones who drive our businesses forward, it’s time to get to the root of our collective cybersecurity shortcomings.
Consider this: large organizations are staffed with upwards of thousands of people to support one mission. To work towards these goals, employees are tasked with being more efficient and performing better each year. Now, they’re being asked to do this in the face of a looming recession. This means getting more done with shrinking resources and budgets. The same is expected of IT.
The disconnect is that while IT security is core to the organization’s goals, in the vast majority of cases it’s not part of the company’s mission. Because security teams operate in their own silo, we often see them implement tools or processes that knowledge workers either don’t understand or that make it harder to do their jobs. This causes frustration, insecure workarounds, and ultimately a more vulnerable target for attacks.
While people are part of the problem, it’s not the strapped IT teams or the workers at the mercy of your company’s technology tools—it’s the people at the top. Organizational leaders have a responsibility to prioritize the health of the business—from a security and operational standpoint. This starts with effective communication.
Fortunately, getting people across an organization aligned on cybersecurity is not so different. On one hand, clear direction around security processes and practices should come from the top down. On the other hand, leaders should seek feedback from managers in functional areas about which tools and processes are working and which aren’t.
Here are two practices that enterprises can put in motion today to help alleviate the people problem with cybersecurity:
- Implement regular security training
Many companies have emerged over the last several years that offer employee-focused security training. Looking into programs and solutions like these, paired with more regular interactions between workers and security teams, is a great start. The key is to inform employees, get questions answered, and get the conversation flowing. Transparency is key.
- Approach new tools and processes with a critical eye
With the rise of large business platforms like ServiceNow, Salesforce, and Atlassian, many security problems that formerly had to be solved with new software can now be solved within the platform. By leveraging a platform your employees are already familiar with, you can eliminate learning curves, as well as the extra IT burden associated with new tech implementations. Other major tech changes should not be taken lightly; make sure the benefit outweighs the risk.
By establishing strong cybersecurity practices and having leaders clearly communicate them to the organization, most challenges with the people problem can be remedied.
Rather than leading with blame, give the people running your business the tools and processes they need to succeed. This is an ongoing project, but when done right it will help not only security but also workflow and operations.
This article first appeared in Forbes.