Placing People and Realism at the Center of Your Cybersecurity Strategy

The cyber landscape is constantly evolving as its economy grows, with ransomware attacks causing trillions of dollars in damages to enterprises each year. However, there is hope in the fight against cyber threats. Research shows that up to 95% of cyber incidents are a result of human error. While system misconfigurations and employee phishing campaigns are commonly known culprits, the manipulation of human emotions is an underreported component of cyberattacks.

Threat actors use human emotions such as greed, curiosity, urgency, and the inherent need to help as a means to manipulate an employee’s behavior. This means that anyone can become a victim in these situations. Therefore, it is crucial for organizations to establish a sound cybersecurity culture within their workforce by placing people and realism at the center of their cyber strategy.

It is important for organizations to focus on human nature when developing and implementing their cybersecurity strategy. Attackers often exploit perception blindness and human biases to their advantage. One of the strongest biases is confirmation bias, where a person only considers one piece of information and draws incorrect conclusions. Job bias is another key bias that hinders crisis response, as key stakeholders may be unsure of their role and responsibilities.

To mitigate these biases, organizations should create opportunities to emulate real-world use cases and understand how biases can impact remediation efforts. Conducting tabletop and wargame exercises can be effective in revealing these biases when teams are under pressure. By integrating best practices into training and playbooks, organizations can flip the script on human nature and use it to their advantage.

Enterprises that engage in these tabletop exercises feel prepared to face and mitigate potential cyberattacks. However, it is important to recognize that these exercises are conducted in a controlled environment. During a real cyberattack, planned actions can easily be lost in the chaos and stress. Therefore, a unified approach to incident response is critical. This includes unifying technical, business, and risk-oriented frameworks to create a seamless detection and remediation strategy. Clear roles and a common cybersecurity and risk language should be established within the organization.

Cybersecurity should be woven into the fabric of an organization to reduce human-error-initiated cyberattacks. Making cybersecurity an everyday topic and fostering a culture of shared responsibility can make a significant difference. For example, after the Equifax data breach in 2017, the company reinvented its security culture by emphasizing the responsibility of every individual to protect the organization.

Highly mature organizations also understand the importance of cyber-crisis preparedness and extend security training to the home environment. By making individuals feel safe even when they are off duty, their sense of cybersecurity responsibility extends beyond the workplace and becomes part of life itself.

As the industry prepares for the next wave of cyberattacks, it is important for enterprises to reassess their cybersecurity posture. Successful cybersecurity policies consider the end user and make it easy for employees to do the right thing. While technical resources and training are crucial, the cybersecurity battlefield is increasingly human. Therefore, leaders must acknowledge this and empower their people as the organization’s best defense.
