August 15, 2024 By Jennifer Gregory 3 min read

With cybersecurity, the focus is often on technology — specifically, how cyber criminals use it to conduct attacks and the tools that organizations can use to keep their systems and data safe. However, this overlooks the most important element in cybersecurity risk: human error.

Human risk in cybersecurity

Proofpoint’s 2024 Voice of the CISO report found that three in four (74%) chief information security officers (CISOs) said human error was their top cybersecurity risk, up from 60% of CISOs in last year’s report. The study also found a key gap between CISOs and the boardroom: board members were less likely (63%) than CISOs to point to human error, which shows that CISOs should focus on educating leadership as well as employees.

Several of the top causes for data loss events in the survey were related directly to employees. The top response (42%) was negligent insider/employee carelessness, such as an employee misusing data. Other reasons included a malicious or criminal insider (36%), stolen employee credentials (33%) and lost or stolen devices (28%).

The IBM 2024 Threat Intelligence Index supports this finding, indicating that 30% of attacks start with phishing. However, phishing attacks are down from 2022, both in volume and as the initial attack vector. The report points to the continued adoption and reevaluation of phishing mitigation techniques and strategies as one of the reasons for the reduction.

While a human may actually have made the mistake that caused the breach, it’s not necessarily the individual’s fault — except in the case of a criminal insider. Organizations must take a proactive approach to cybersecurity, which includes providing training so employees can learn safe practices while also setting up processes that reduce risk.


Reducing employee errors in cybersecurity

Reducing human cybersecurity risk is not simple. You can’t launch a single program or training that fixes the issue. Instead, organizations must take a holistic approach that creates a culture of cybersecurity and empowers every employee to think of cybersecurity as their job.

Here are three ways to address human risk in cybersecurity:

1. Use AI tools to overcome human error

Because AI tools can predict what a human is likely to do, they can be especially effective in protecting against human risk in cybersecurity. The Proofpoint report found that 87% of global CISOs are looking to deploy AI-powered capabilities to help protect against human error and advanced human-centered cyber threats.

2. Provide comprehensive and ongoing employee training

Although many companies provide training, it’s often check-the-box type training that doesn’t really change behavior or keep cybersecurity top of mind. When designing a training program, take a holistic approach and consider which employees need which type of training.

Start by reviewing past incidents to determine which topics are most important, such as employees repeatedly clicking on recent phishing attempts. Instead of annual training, companies should consider regular monthly mini modules to keep the topics top of mind. Additionally, include cybersecurity training as part of new employee onboarding to ensure every employee starts their career with your company with the same information.

3. Create a culture of cybersecurity

It’s easy for employees to feel like cybersecurity is someone else’s job. But reducing human risk starts with changing that impression and making each employee feel responsible for cybersecurity. While training is a key component of this shift, it also involves keeping cybersecurity top of mind throughout the entire company. A cybersecurity culture starts from the top, with each leader talking about cybersecurity and stressing its importance.

Prioritizing human risk in cybersecurity

Cybersecurity starts and ends with humans: humans who create the attacks and humans with the ability to stop the attacks. By focusing on the human element in cybersecurity, your organization can significantly reduce its risk. However, change doesn’t happen with a single training session or even over a few months. Organizations must view this strategy as a long-term approach with the goal of making each employee realize that they hold the power to make a difference in the organization’s cybersecurity.
