Employees are often seen as the weakest link in cybersecurity. Breaches by outside hackers may make the headlines, but human error (or human intent) is behind the majority of attacks.
IBM’s 2016 Cyber Security Index reported that insiders carried out 60% of all attacks. Three-quarters of these attacks were malicious, and a staggering 25% of breaches were accidental.
I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security, at Black Hat 2017 in Las Vegas. Understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.
Look at the why, not the what.
We’re great at focusing on what is happening within our network and capturing every single event. What we’re bad at is talking about the why, which is often far more significant. It’s time companies thought about what the actor is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why: you’d respond to an accidental data breach very differently than to an intentional one. Once companies start asking why, they can mitigate much more effectively.
Reduce the friction caused by IT security.
A lot of security measures fail because they create friction for users. Currently, we see security’s role as protecting the business. In the future, we will see it as a way of enabling business to be done safely. For example, to stop restricted files from leaving company servers, most firms would simply turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted on the way out, so that it decrypts only when it is loaded onto another company-managed device. It’s the same level of protection with far less friction. The more seamless security is, the more people will buy into it.
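The USB example above describes transparent, device-bound encryption rather than blocking the port outright. The following Go program is an added illustration of that idea, not Forcepoint's code or anything from the interview: the hypothetical endpoint agent seals a file with AES-256-GCM under an organisation key on copy-out, a managed device holding the same key opens it, and any other device (or any tampering with the blob) fails authentication. The key derivation from a string and the `usb-export-v1` label are constructed assumptions; a real agent would take the key from a TPM-backed or enterprise key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// aad binds each ciphertext to its purpose so a blob cannot be replayed as something else.
var aad = []byte("usb-export-v1")

// deviceKey stands in for the organisation's data key held only by managed endpoints.
// Hypothetical: a real agent would fetch this from a TPM-backed or enterprise key store,
// never derive it from a string as done here for the demo.
func deviceKey(orgSecret string) []byte {
	sum := sha256.Sum256([]byte("usb-export:" + orgSecret))
	return sum[:]
}

// sealForRemovableMedia is what the endpoint agent runs on copy-out: AES-256-GCM with a
// fresh random nonce, nonce prepended to the ciphertext so the blob is self-contained.
func sealForRemovableMedia(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openFromRemovableMedia runs when the stick is plugged into another device: only a holder
// of the same key recovers the file; a different key or any bit flip fails authentication.
func openFromRemovableMedia(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	managed := deviceKey("constructed-org-secret")
	blob, err := sealForRemovableMedia(managed, []byte("Q3 board deck (constructed sample)"))
	if err != nil {
		panic(err)
	}
	pt, err := openFromRemovableMedia(managed, blob)
	fmt.Printf("managed device:   %q err=%v\n", pt, err)
	_, err = openFromRemovableMedia(deviceKey("unmanaged-laptop"), blob)
	fmt.Printf("unmanaged device: err=%v\n", err)
}
```

The user experience is the point: the copy succeeds, the stick works on any company laptop, and on a personal machine the file is simply unreadable rather than the port being dead. Because GCM authenticates the ciphertext, a modified or truncated blob is rejected instead of decrypting to garbage.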
Make privacy a first-class citizen.
Too often, companies send a bad message by giving the impression that they don’t trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees: when employees understand what’s happening, they understand how it protects the company. Another is to anonymize the data so that an employee’s personal information is protected while the company is still protected as well. Done right, employees’ privacy and the company’s data are both protected; you shouldn’t secure one at the expense of the other.
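The anonymization point above is usually implemented as keyed pseudonymization: identities in the event stream are replaced by an HMAC tag, so the analytics team can still count and correlate per person without seeing who that person is, and only a holder of the key can confirm a match during a sanctioned investigation. The Go program below is an added example written to illustrate that pattern; it is not from the interview or from any vendor product. The `dlpEvent` type, the sample events and the key string are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// dlpEvent is a constructed stand-in for one DLP alert as the endpoint agent reports it.
type dlpEvent struct {
	User   string // employee identity; replaced by a pseudonym before analysts see it
	Action string
	File   string
}

// pseudonym replaces an identity with a keyed HMAC-SHA256 tag. Without the key the tag
// cannot be linked to a person, yet the same person always maps to the same tag, so
// analysts can still count, correlate and trend.
func pseudonym(key []byte, user string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(user))
	return hex.EncodeToString(mac.Sum(nil))
}

// pseudonymize rewrites a batch of events for the analytics tier; everything but the
// identity is passed through unchanged.
func pseudonymize(key []byte, events []dlpEvent) []dlpEvent {
	out := make([]dlpEvent, len(events))
	for i, e := range events {
		out[i] = dlpEvent{User: pseudonym(key, e.User), Action: e.Action, File: e.File}
	}
	return out
}

// repeatOffenders asks the "why" question at the aggregate level: which pseudonyms trip
// DLP at least threshold times? Real names never enter this function.
func repeatOffenders(events []dlpEvent, threshold int) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		counts[e.User]++
	}
	for p, n := range counts {
		if n < threshold {
			delete(counts, p)
		}
	}
	return counts
}

// reidentify is the privileged path: given candidate identities (for example supplied by HR
// on a confirmed incident) the key holder checks which one matches a pseudonym. There is no
// reverse table to leak; recomputing the tag requires the key.
func reidentify(key []byte, tag string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if hmac.Equal([]byte(pseudonym(key, c)), []byte(tag)) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed: in production the key lives in a KMS/HSM and is held by the privacy officer.
	key := []byte("constructed-pseudonymization-key-keep-in-kms")
	events := []dlpEvent{ // constructed sample alerts
		{User: "alice@example.test", Action: "copy-to-usb", File: "payroll.xlsx"},
		{User: "bob@example.test", Action: "email-external", File: "contract.pdf"},
		{User: "alice@example.test", Action: "upload-cloud", File: "payroll.xlsx"},
	}
	safe := pseudonymize(key, events)
	for tag, n := range repeatOffenders(safe, 2) {
		fmt.Printf("pseudonym %s… tripped DLP %d times\n", tag[:12], n)
		who, ok := reidentify(key, tag, []string{"bob@example.test", "alice@example.test"})
		fmt.Printf("privileged re-identification: %s (matched=%v)\n", who, ok)
	}
}
```

Analysts work from the pseudonymized stream and can spot that one pseudonym repeatedly exfiltrates the same file, which is the behavioral signal the "why" question needs; the name is only revealed through the key-holding path when the case warrants it, which is what makes the company's protection and the employee's privacy compatible rather than competing.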