Effective cyber risk management hinges on a multi-faceted approach, which includes conducting thorough risk assessments to identify potential vulnerabilities. Likewise, clearly defined, documented, and communicated processes and controls, including policies governing acceptable technology use, are essential for robust cyber risk management.
It is important to recognize that human error is inevitable. As such, the focus should be on minimizing the probability and frequency of insider threats, rather than striving to completely eliminate them. Comprehensive training on security basics and relevant data privacy laws and frameworks, can help to establish a robust defense against cyberattacks.
Additionally, robust monitoring and review mechanisms play a vital role in identifying and addressing weaknesses, ensuring an ongoing cycle of improvement and adaptation to the ever-evolving cyber landscape.
Change the Environment Before Casting Blame
Traditional security measures often fall short in today’s work environment, where employees frequently exchange emails that contain attachments and external links. Preventing them from doing this is unrealistic and ineffective, and will encourage them to circumvent policies and adopt unsafe alternatives.
To truly mitigate risks, security policies and controls must adapt to the needs of the modern workforce. This includes embracing web-based tools and technologies that inherently reduce vulnerabilities, while also understanding and accommodating the essential tools and workflows employees rely on. By focusing on a solution-oriented approach that accommodates the realities of work, organizations can achieve a more secure environment without compromising productivity.
The Need for a More Modern Approach
Outdated and ineffective security measures that are meant to safeguard easily compromised personal information like maiden names and birthdates, unfairly burden customer service staff. While these employees are not to blame for following inadequate procedures, scammers exploit human trust and social engineering to bypass even well-trained individuals, highlighting the need for robust, modern security systems that mitigate human vulnerability and prioritize secure processes over outdated practices.
Holding individuals accountable for failing to follow flawed procedures is unjust and hinders progress. Instead of focusing on punishment, organizations should prioritize investigating and rectifying the underlying causes of failures. It’s also equally unproductive to shift the blame onto those who were responsible for designing the inadequate systems. After all, we must remember that cybersecurity is a daunting, arduous and somewhat thankless task, which is evident by the serious shortage of cybersecurity professionals.
What Are the Alternatives?
Firstly, CISOs can foster a more productive and compliant environment by engaging employees in a dialogue about their tool choices.
By understanding the reasons behind unauthorized tool usage, organizations can explore potential alternatives that better address employee needs. This open communication allows for flexibility and improvement, potentially enhancing productivity and facilitating a greater focus on the things that matter.
Replacing approved tools with more suitable alternatives can lead to increased employee compliance and a more efficient workforce, ultimately benefiting both security and business goals. A truly effective approach necessitates a systemic perspective, analyzing and addressing the flaws within the procedures themselves to prevent future errors.
A Path to Sustainable Cybersecurity
The current approach to cybersecurity, heavily focused on technology solutions, is failing to address the root cause of most cyber incidents: human error. According to a joint study by Stanford and Tessian, 88% of breaches are linked to human mistakes, and only 3% of security budgets are allocated to employee training and support.
It’s time to rebalance this equation, and provide frequent and engaging security awareness training to all employees. Additionally, instead of blaming employees, companies should adopt a preventative strategy, investing in user-friendly security practices and fostering a culture of collaboration.
The proven People Process Technology Framework, with its circular approach, offers a path forward by prioritizing employee empowerment and continuous improvement. By shifting from blame to prevention, organizations can significantly reduce cyber incidents in addition to creating a healthier work environment.
Accountability is Not the Same as Blame
While monitoring employee activity is seen as an invasive approach to security, which may also lead to increased levels of blame, this is not actually the case. Firstly, having an immutable record of all employee activity can help organizations know exactly where security problems are coming from, and how to address them.
This can give employees peace of mind, knowing that they aren’t going to get penalised for actions which they were not directly involved in. It also means that employers don’t need to make blanket assumptions, which may lead to one-size-fits-all policies that may hinder productivity.
There are numerous solutions that can detect and respond to suspicious activity, and send real-time notifications to the relevant personnel, who can investigate the incident further before making rash decisions.
Having precise insights into exactly who is to “blame” for a given security incident, can help to reduce the need to point fingers at the wrong people.
The enhanced visibility these solution provide also ensures that employees are not granted excessive access to sensitive data, thus helping to mitigate incidents.