Changing human behavior is key to limiting cybersecurity risk
weforum.org

Cybersecurity threats are constantly evolving, and so too are the tech solutions that are meant to identify and prevent them. While there continues to be a need and opportunity for companies and governments to implement basic cybersecurity tools like multi-factor authentication, AI and machine learning look set to become vital strategic tools for organizations looking to bolster their cybersecurity posture.

But because so much of the conversation around cybersecurity is focused on the technology side, a common weak point among organizations in both the public and private sectors is consistently overlooked: human error. In fact, a report from the Ponemon Institute last year looking at cybersecurity in the public sector showed that 56% of organizations had experienced an incident as a result of an employee falling for a phishing scam in the 24 months before the survey.

While none of the countries represented in the survey are from the Middle East or Africa, I believe that the same trend is present in the region.

Another attack designed specifically to target human behavior is the USB drop attack. This is when bad actors install malware or other malicious software onto a USB drive and drop it in a parking lot. Employees find the drives and connect them to their computers, creating an entry point for the malware. While you might think this form of attack is unlikely to happen at your company, a 2016 study showed that drop attacks had a success rate of between 45 and 98%.

Cybersecurity must become part of your organization’s culture

Public sector organizations handle sensitive state and citizen data, making them a lucrative target for cybercriminals. An attack on the public sector can not only put citizens at risk but also jeopardize the national security of the country and the legitimacy of a government, as we’ve seen with the attacks seeking to influence elections.

A recent Forbes article talks about the two ‘doors’ that cybercriminals use to enter and exploit an organization. The article argues, and I agree, that the key to aligning employee behavior with your cybersecurity processes is consistent training and education.

Just as organizations invest time and money in deploying new technologies to combat cybercrime, it remains vital that employees are trained and prepared so that the likelihood of human error is minimized. The two efforts must also be integrated, as it’s often the technology that will help change human behavior and raise awareness of the biggest areas of risk. For example, implementing multi-factor authentication (MFA), which Microsoft customers can enable for free, in place of traditional passwords changes human behavior for logging into websites and will lead to drastic improvements in your organization’s cybersecurity efforts.


Taking responsibility for cybersecurity

As the internet and digital technology become more prevalent in everyday life, the line between the real world and the virtual world becomes less distinct. The risks and damages associated with cybercrime are therefore not limited to the digital world but can have a devastating impact on real-world businesses, governments, and individuals.

I believe that business leaders, policy makers, government officials and employees must all understand the cyberthreats they face. There continues to be a need for training on digital safety in each of our organizations that complements the technology solutions as we navigate an increasingly digital world with internet-connected devices, a plethora of apps from vendors that we’ve never heard of, and cameras and microphones on more and more devices. In addition, information silos that prevent critical information from being shared must be broken down so that threats can be identified and dealt with clearly and easily.

The World Economic Forum has published 10 key messages that came out of its Annual Meeting on Cybersecurity late last year. These include asking leaders to take ownership for ensuring global cybersecurity and trust; improving cyber crisis management and developing holistic response and recovery plans; and creating a culture of cybersecurity across all levels of the organization.

While these key messages alone will not protect an organization from cyberattacks, leaders who understand the threat landscape they face and have a plan for how to identify and combat it through training and technology will find their organizations in a stronger, more secure position.


More articles by Mike Yeh