November 24, 2014 By Brian Honan 3 min read

Lately, the media has been full of major news stories relating to security breaches at well-known companies. Breaches such as those at Target, Staples and Home Depot have moved security stories from the domain of the information security press into mainstream media stories. The news stories talk of sophisticated attackers using advanced techniques to breach the security of these organizations.

However, are these attacks due to the technical prowess of the attackers or ineffective security awareness programs in those companies? If we look at these breaches more closely, we can identify one common element. That is the human factor. In nearly every security breach actions, either intentional or accidental, by someone in the victim companies led to the security breach.

Study after study also highlights how the human element is a key factor in successful security breaches. The IBM Security Services 2014 Cyber Security Intelligence Index highlights that “95% of all incidents involved some form of “human error”. These errors ranged from clicking on links and attachments in emails, using weak passwords, or using default system settings. Given that many of the breached organizations spent lots of money on security awareness programs, why are we still seeing the human element being such a major contributing factor?

While IT security staff may find information about computer viruses, the latest exploits, and current hacking technique, in reality most people would rather be thinking about something else. They have their own busy work days, deadlines to meet, and a myriad of other demands on their time. In many other cases, the security awareness program has been developed to meet a compliance requirement resulting in the focus being on number of staff attending the awareness session rather than on ensuring the content is relevant to the business and the job roles of the attendees. Finally, most security awareness programs fail because no deliverable s and metrics on their effectiveness have been identified. Simply put, in many cases security awareness programs do not engage staff.

If we look at how road safety campaigns have developed over the years we can see how they’ve progressed from simply making people aware of the rules of the road to modern adverts providing impactful content on why it is important to drive safely. Similar to the old road safety campaigns, simply making staff aware of security issues is not enough to ensure they behave in a secure manner. People have busy work and personal lives and many will look to complete their tasks quickly without thinking about the security implications. As such, we need to move away from a security awareness approach to enabling staff to be more secure, by developing a security engagement program whereby people will become equipped to deal with the security threats they face.

An effective security engagement program should be aligned with the overall business needs and the goals of the organization. The security engagement program should be different for a computer company than it would be for a financial institution or an organization in healthcare. The program should also take into account the cultural aspects of staff located in different offices with a particular focus on localizing the content for staff located in regional offices. A U.S. centric security awareness program will not engage an Asian or European audience. Similarly, the content of the program needs to be targeted at the intended audience. Content and key messages delivered to the sales team should be relevant to their role, as should content for the senior management team, and all other areas in the business. Another way to engage the audience is to use psychological hooks to get the attendees attention, such as highlighting safe online computing use for their own personal use. Good habits developed for personal use will equally apply in the corporate environment.

While criminals will look to exploit security vulnerabilities in applications and systems, they will also look to target weaknesses in the people that use those systems and applications. Aligning security education with the needs of the individual will provide a dynamic security engagement program that will be a key element in ensuring a robust security infrastructure.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today