A New Book Called “Cyber Security and Human Factors” Has Been Released on a Non-profit Basis to Improve Knowledge-Sharing in the Sector

For less than the price of a coffee, individuals and organisations can read this handbook, which gives detailed guidance on how to improve Cyber Security and Human Factors. It is available as both a Paperback (US UK DE FR ES IT JP CA AU) and as a Kindle eBook (US UK DE FR ES IT NL JP BR CA MX AU IN).

The ‘human factor’ in Cyber Security is often seen as a weak link in the security chain. But it is fair to say that human intuition has all too often also played a key role in preventing cyber threats from materialising. All systems require us humans to receive alerts and subject these to our interpretation. Human intellect is capable of processing numerous inputs and we instinctively know when an issue has arisen.

We hope technology can improve our security posture, when a superior tactic may be to dig deeper into human nature. Our norms, habits and quirks determine our security awareness. We can change these and build a security mindset that focuses on our strength, which is complex reasoning.

Our habits mean humans have a tendency to find shortcuts. Security professionals must think like a hectic employee, a rushed director, or a preoccupied secretary. We must remove complexity from all of our practices.

Human Brains Process Information in Less Time Than Many Cybersecurity Measures Take To Be Implemented.

Cyber hygiene can be improved with email scanning or link scanning. But it also adds inefficiency. Smartphones, productivity apps and fast connection speeds have set an expectation of instant access. We also must consider the insider threat. Humans and their lives are complex and they bring this to the workplace. They have stressors, whether these are financial difficulties, poor mental health, drugs, alcohol, gambling, idealism, politics or power.

We can help by using technology for privileging and segregating. System access should only be granted on a principle of least privilege. This can prevent uncertainty or temptation. Segregation of duties is important. Individuals should only be able to access what is necessary and proportionate for their job role.

Leadership and Human Intuition Can Be Vital in Improving Security.

Conducting a security review of employees once per month with colleagues from HR, IT, Operations, etc. can help identify staff who have too much access or staff who are struggling and need support. Otherwise, gathering intelligence on changes from these areas can also help. Human reasoning can look at the situation from an enterprise perspective and spot warning signs earlier.

Malicious Actors Take Advantage of Human Nature

They target people who are vulnerable, powerful or complacent. Increasingly, we see sophisticated techniques like using social media to develop something that will interest their target or get them to drop their defences. The bad actors are evolving, and so your security training program has to evolve. Continually update staff about new threats. Remind people that they could be targeted. Drive home the point to trust nothing.

Testing Is an Important Part of Education

Send fake emails, conduct hacking exercises, play war games that simulate an attack or ransom situation. Staff are fooled by these even when they know they could be tested. These represent opportunities to embed learning points and encourage staff to take their time, trust their instincts and validate.

Cyber Threats Arise Increasingly From Basic Opportunities

We can improve by understanding basic human nature. Malicious actors will take huge risks if there could be a big payday. So it is important to minimise any opportunity, means and motivation.

Information security awareness should help establish correct security procedures and security principles in the minds of all employees. It is vital because any security technique can be misused or misconstrued, thereby not benefiting from its real value. Increased awareness minimizes user-related security threats and maximizes the efficiency of security techniques. But we must go beyond security awareness and better understand our people and their mindsets to be truly transformational.
