The cybersecurity industry should be placing more consideration on human behaviors to effectively tackle cyber-risks, according to a panel of experts speaking during the DTX: NOW virtual conference.
Lisa Forte, partner at Red Goat Cyber Security, who moderated the session, emphasized that human behaviors simply cannot be ignored when it comes to cybersecurity, noting that people “interact with our technology on a daily basis – whether that’s our staff who are responsible for looking after the data, or whether that’s clients creating unique usernames and passwords on our applications in order to access their own data, the human element comes into all of it.”
The panel first discussed approaches that security teams should use to help prevent people from falling foul of social engineering scams and cyber-attacks. Javvad Malik, security awareness advocate at KnowBe4, believes the starting point is to make people more aware of the threats that are out there. “Giving things a label and a name helps normalize it so people don’t feel like they’re the only ones getting caught out by a particular scam,” he said.
Additionally, this normalization needs to extend to when people are caught out by scams, thereby creating an environment in which there is no shame in admitting to being duped and which encourages frequent reporting of scams to law enforcement, according to Malik.
To help citizens truly understand cyber-risks, Holly Grace Williams, founder at Akimbo Core, said we need to focus on ensuring it is easy for people to do so. This includes the way awareness training is treated in organizations. “Very often I see security awareness programs delivered by companies where either the company doesn’t care about the content of the training and it’s simply a tickbox, or that the content is just on the face of it ineffective,” she noted.
John Graham-Cumming, chief technology officer at Cloudflare, added that digital companies should also be putting more effort into effectively forcing customers to adopt better security behaviors, such as strong passwords and two-factor authentication. He gave the example of emerging systems that tell users they are “using a password that has previously been hacked so don’t use that password,” adding that those outside the security industry “just need help to get into the right spot.”
The panel went on to highlight new ways security teams can bring about positive security behavioral change in people. Malik highlighted the importance of effective marketing to normalize certain behaviors. For example, he believes cybersecurity could learn from the “designated driver” terminology used to stop drunk driving, which was pushed heavily by behavioral scientists onto Hollywood. As this term got written into sitcoms, the concept quickly became normalized, and led to behavior change. “If we approach security from that perspective, we can get better behaviors,” he stated.
Removing the fear of punishment from employees caught out by social engineering attacks such as phishing is another crucial step organizations need to take. Williams noted that, sadly, it is still often the case that organizations blame security breaches on a single employee’s mistake, as happened in the wake of the Equinox and SolarWinds attacks. “If your entire organization can fail because one staff member chose a bad password, or clicked a link in an email, there are fundamentally bigger problems to your organization,” she pointed out.
As well as not laying blame for errors, developing the right security culture among all employees in an organization is crucial to preventing tactics such as phishing from being successful. This requires a good relationship being “built in” between security teams and other members of staff, according to Malik. “If the only interaction you have with your security team is when an incident occurs, or when they send a simulated phish out to you and say ‘we caught you out,’ regardless of how good it is, you’re just going to think ‘who are these people and why are they trying to trick me?’” he outlined.
Graham-Cumming agreed, stating that security personnel have to develop a good “bedside manner” in addition to having technical expertise. He said it’s vital to have a relationship with general staff “not just when things have gone bad,” which includes encouraging people to report any concerns they have, even if they turn out not to be security related. “It’s really about openness and honesty and treating people well so they respect what your job is and they feel like you’re somebody they can trust,” he explained.