Securing the Human
Why humans are the weakest element of your cybersecurity program
Cyber risk is top of mind for just about every organization these days. Most financial institutions are getting it right, starting with visibility and support from the top and a healthy budget dedicated to best-in-class cybersecurity solutions, which allows for an arsenal of high-tech security tools designed to protect a company’s computer systems from all sorts of cyber threats. However, many organizations overlook a key weakness in their cybersecurity weaponry—the human element. Human errors, whether the result of social engineering or an honest mistake, account for most vulnerabilities in an otherwise solid cybersecurity program.
More than 90 percent of recorded data breaches have been the result of social engineering. Phishing is the main attack vector used in most cybersecurity offensive playbooks. Bruce Schneier, the renowned cryptographer and security expert, said, “Only amateurs target machines; professionals target people.” He is right. Humans are an organization’s greatest asset, but they are also the weakest link when it comes to security.
Humans make mistakes. Even the brightest and most astute among us are prone to failure. On average, humans make seven errors per hour. When error precursors such as stress, distractions, high-pressure situations or heavy workloads exist, this average error rate increases significantly. Human error can result in people inadvertently disclosing data or misconfiguring systems. Mixing error precursors with error traps like social engineering is a recipe for compromised systems.
Prior to joining South State Bank, I spent 12 years in IT and cybersecurity within the commercial nuclear industry. The nuclear industry, as a whole, has spent much time studying human error and implementing techniques and tools to reduce the frequency and severity of events. They are not alone in their quest. Industries such as aviation, medical services, pharmaceuticals and even food manufacturing demand “getting it right repeatedly,” which includes robust, reliable processes, while at the same time focusing on the human factors that could derail their success. Because of their focus and efforts to make humans more reliable, these industries have made tremendous strides in reducing human-error-related events.
The Institute of Nuclear Power Operations (INPO) has contributed significantly to the body of work on human error and has established five principles of human performance:
• Humans are fallible.
• Error is predictable, manageable and preventable.
• Organizational processes and values influence individual behavior.
• People achieve high levels of performance based largely on the encouragement and reinforcement received from leaders, peers and subordinates.
• Events can be avoided by understanding the reasons mistakes occur, and applying lessons learned from past events.
Banks and financial services institutions can benefit greatly by applying lessons learned from other industries where getting it right the first time and every time matters. Securing your network without securing the humans that operate it puts your organization at a significant risk of compromise.
“Securing the human” starts with employee awareness. The first step is helping employees understand that what they do matters—that one wrong click can ultimately compromise an entire network. In my experience, engaging employees often and via different communication channels is the key to helping your team members see that they play a critical role in defending the bank against potential attacks. Frequently sharing real-world examples of relevant threats and providing practical and simple ways to identify them creates a constant heightened awareness.
Creating a culture of employee vigilance and engagement is a critical element of a strong cybersecurity program. The next step is turning that vigilance and engagement into action. Creating a culture where employees not only know how to, but also feel empowered to, report potential security incidents and suspicious activity is of paramount importance. Measuring the impact of employees’ actions on your ability to maintain a strong cybersecurity program, and reporting those metrics, helps employees understand how they contribute. For instance, enhancing visibility of the number of phishing attempts reported by employees is a great way to help employees see that their actions have a direct impact on your ability to protect your bank.
Examining your organizational processes and procedures with a keen eye toward understanding how they could contribute to the risk of human error is the second prong of the “securing the human” risk-mitigation process. Thorough analysis of employee work practices and eliminating error-likely situations, such as conflicting or confusing procedures or processes, greatly reduces the risk of inadvertent data disclosure or other mistake-driven forms of risk.
I have been fortunate to experience success in applying human-error reduction techniques in both nuclear and banking organizations, and recognize a common thread—a strong set of messaging delivered via different channels on an ongoing basis. It is not good enough to simply deliver a message once and expect it to stick. Make employee awareness and vigilance the drum beat of your organization’s cyber-aware culture.
Working under the premise that error is predictable, manageable and preventable, bank CIOs and IT departments have the opportunity to design and implement controls that not only defend machines and systems, but also equip and fortify the humans that operate them.