Typically, cybersecurity is thought of as all about technology, with human error and susceptibility to social engineering counted among the risks.
But are people really just the problem, or can they also be part of the solution? Toney Jennings, CEO of DataStone, believes we need to shift our thinking from the current paradigm to leveraging people as the hidden asset that protects our organizations. We spoke to him to find out more.
BN: Why is it that humans are often seen as the weakest link in cybersecurity?
TJ: Humans are often considered the weakest link in cybersecurity because, despite all technological advancements, our natural human tendencies and behaviors can lead to vulnerabilities. People can be tricked by social engineering such as phishing attacks, where attackers pose as trusted organizations to steal sensitive information. For example, an employee may receive an email that appears to be from the CEO and asks for sensitive data, or may click on a malicious link.
Another common problem is weak passwords. Many people reuse passwords across multiple sites or use passwords that are easy to guess, making it easier for attackers to gain access. In a traditional office environment, it’s common for employees to inadvertently download malware when they click on infected attachments or links, believing them to be legitimate.
Additionally, the rise of remote work presents new challenges as employees may access company resources using insecure networks and devices, increasing the risk of data leaks and unauthorized access. Despite these challenges, it is important to recognize that with the right training and awareness, humans can significantly strengthen cybersecurity defenses. By understanding common pitfalls and how to avoid them, employees can serve as the first line of defense against cyber threats.
BN: Is there a stigma attached to poor security choices that makes people hesitant to admit they were wrong?
TJ: Absolutely. Making mistakes in cybersecurity often carries a huge stigma, which can lead to a culture of fear and blame. This environment can discourage individuals from reporting mistakes and prevent organizations from addressing and learning from them. It’s critical to foster a culture where employees feel comfortable reporting issues without fear of retaliation. This approach not only helps correct mistakes quickly, but also contributes to the continuous improvement of an organization’s security posture.
BN: How can organizations change their culture to make humans part of the security solution?
TJ: Organizations can change the culture to make humans an integral part of the security solution by fostering a security-aware environment where all employees feel responsible for protecting the organization’s data.
First, change must start at the top. Leadership must demonstrate a strong commitment to cybersecurity by emphasizing its importance in every communication and decision. When management makes security a priority, it sends a clear message to every employee about its importance.
To encourage reporting of security incidents, leaders must foster a blameless culture. Employees need to feel comfortable reporting errors without fear of punishment. This transparency allows organizations to address vulnerabilities quickly and learn from mistakes. For example, implementing an anonymous reporting system can make employees feel more comfortable sharing information about potential security issues. Additionally, recognizing and rewarding good security practices with incentives, public recognition, and rewards can motivate employees to remain vigilant.
It’s important for organizations to establish clear and open lines of communication where employees can ask questions, share concerns, and provide feedback on security measures. Regular updates, such as newsletters, from the security team keep employees informed about new threats and remind them of their role in maintaining security.
It’s also important to foster collaboration between your security team and other departments. When employees see that security is a shared responsibility, not just the IT department’s, they’re more likely to contribute positively. For example, involving different departments in security planning and decision-making processes helps ensure that security measures are practical and effective across the organization.
Security should also be integrated into employees’ daily work. Organizations need to ensure that employees have the tools and knowledge they need to protect the organization. This includes providing access to the latest security software, clear guidelines on security policies, regular updates on emerging threats, and building security checks into regular workflows such as requiring authentication to access sensitive information and performing regular audits of security practices. Making security part of everyday work normalizes it and reinforces its importance.
By implementing these strategies, organizations can shift their culture to view people as a critical part of the security solution. This proactive approach not only strengthens overall security, but also fosters a sense of shared responsibility and vigilance among all employees.
BN: How important is education and training in achieving this?
TJ: Education and training are fundamental. Continuing education programs keep employees up to date on the latest threats and countermeasures. These programs should be engaging and hands-on, provide real-world scenarios employees may encounter, and cover the latest security threats, best practices, and how to recognize and respond to potential security incidents. Regular interactive training helps reinforce good habits and makes security a natural part of daily work rather than an afterthought.
BN: Is it necessary to incorporate humans into the process from the very beginning when developing a new system?
TJ: Yes, incorporating human considerations from the beginning of system development is essential. When developing new systems, it’s important to design them with the end user in mind and ensure that security measures are robust and user-friendly. This approach, known as “security by design,” can significantly reduce the risk of human error.
For example, when creating authentication mechanisms, it’s important to balance security and usability. Multi-factor authentication (MFA) provides an extra layer of security, but it must be implemented in a way that doesn’t frustrate users. If it’s too cumbersome, employees may try to get around it, defeating the purpose. User interfaces should also be intuitive and guide users toward secure behaviors. For example, clear and concise error messages help users understand what went wrong and how to fix it, rather than leaving them confused and potentially making insecure choices.
Regularly involving employees during the development and testing phases can provide valuable insight into how employees interact with the system. This feedback can reveal areas of potential confusion or difficulty, allowing developers to make adjustments before the system is fully deployed. For example, beta testing with a small group of employees can reveal whether a particular security feature is too complex or if there are commonalities that make users prone to making mistakes.
A training program should also be developed in parallel with any new system to ensure employees understand how to use the system securely. For example, when rolling out a new data management platform, comprehensive training sessions ensure users not only understand how to use the platform, but also how their actions within the platform impact security. In addition, ongoing support and resources should be in place to assist employees with security-related questions or issues. This could include a dedicated help desk, detailed user manuals, regular security newsletters, etc.
By involving humans in the process from the beginning, organizations can create systems that not only protect data but also are intuitive for users. This proactive approach reduces the chance of mistakes and fosters a culture of security. Ultimately, it leads to safer, more efficient operations where both technology and the human factor work seamlessly together to defend against cyber threats.