By Stu Sjouwerman, CEO, KnowBe4
It probably won’t come as a surprise that most cybersecurity incidents start with someone making a mistake. In fact, 88% of data breaches are caused by human error, according to recent Stanford University research. The big question is: what can you do about it? It may be tempting to take punitive action, but that can worsen the problem as employees become reluctant to admit suspected mistakes.
While there are some proactive ways to help reduce the effectiveness of things like phishing emails and to tighten your security standards, it’s important to analyze the reasons people sometimes click. Work culture, distractions, and stress all play a part. By training your staff, working to mitigate common triggers, and fostering a supportive culture, you will reduce errors.
You will also boost your chances of identifying breaches swiftly so you can shut them down.
Mistakes are inevitable
Everyone makes mistakes from time to time, but not everyone admits those errors. The Stanford survey found that 43% of employees were “very” or “pretty” certain they had made a mistake that caused security issues. Interestingly, younger employees are more likely to admit to a mistake. Fear of repercussions and shame prevent many people from reporting errors, which is a real cause for concern.
Smart attackers are patient. They infect systems, camp out and observe, gathering intelligence to find the best way to exfiltrate data or extort money. Once inside your network, they can usually find ways to spread laterally. The average time to identify and contain a breach is 280 days, according to IBM. Generally, the longer it takes to find a breach, the more difficult and expensive it is to fix.
Because reducing the time it takes to identify a breach is so important, organizations must work to encourage employees to report mistakes. Remove the sense of shame, and allow people to move on swiftly and without punishment if they report errors quickly. It may seem counterintuitive, but punishing transgressors can lead to far greater damage in the long term if errors are concealed.
Review controls and procedures
It’s always worth revisiting the controls and procedures you have in place to maintain cybersecurity. That means enforcing strong passwords, limiting access to systems and files, mapping endpoints, employing multi-factor authentication, and verifying certain processes, such as cash transfers.
By enforcing some simple procedures, you can prevent or dramatically reduce the potential impact of a breach. Phishing emails that appear to come from senior execs or HR departments are very common, so verify wire transfers over a certain amount or requests for sensitive data with in-person visits or phone call confirmations.
Security awareness training must be engaging
A regular program of security awareness training is crucial, but there are a couple of common pitfalls that can reduce its impact and make it seem like a chore or punishment. Firstly, training can be fun; it doesn’t have to be dry and serious. In fact, if you make it engaging, it will be far more effective and more likely to stick. Include elements of gamification and reward to hook people.
Secondly, try to tailor the training to the employee. Don’t make people attend training with modules or elements that don’t relate to their role. It has to be relevant or they will understandably tune out. There should also be levels of training that people progress through, and regular tests that measure their progress and highlight those in need of more in-depth education.
Present it as a puzzle for people to solve, or a challenge to overcome. Don’t shame people who perform poorly, and don’t frame it as a failure to understand. This is especially important for less tech-savvy employees. You want an environment where there are no dumb questions and people feel relaxed enough to ask whatever occurs to them.
Consider support, contextual warnings, and feedback
Everyone feels under pressure sometimes. Everyone has days when they’re tired. Everyone makes mistakes when they are distracted. All of these triggers have been exacerbated by the pandemic and the shift to remote working. Employers must support people in taking time out when they need to, and help them establish a barrier between their work and personal lives.
Training can be reinforced in subtle ways through contextual reminders. If a link or a file may be suspect, the email program can flag it. Remind people to check URLs, to hover over links before clicking, and to be suspicious of attachments. It’s a good idea to make reporting issues such as a suspected phishing email as easy as possible, so include a report button right there in the email program.
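To make the "contextual warning" idea concrete, here is an added example (not code from the article or from KnowBe4) of the kind of check an email client or mail gateway can run over an HTML message body before the reader clicks. It flags three common signs of a deceptive link: the visible link text names one domain while the href goes somewhere else, the link points at a bare IP address, and the host resembles one of the organisation's trusted domains without actually being under it. The sample message, the trusted domain list, and the simple "last two labels" notion of a registrable domain are constructed assumptions for the demonstration; a production filter would use a public-suffix list and the organisation's real allow-list.

```python
"""Contextual link warnings for an HTML email body (illustrative example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that itself looks like a URL or bare domain name.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def _host(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    # Assumption: "last two labels" approximates the registrable domain.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_links(html_body, trusted_domains=()):
    """Return a list of warnings, one per suspicious link, with the reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        if not href:
            continue
        host = _host(href)
        reasons = []
        if _is_ip(host):
            reasons.append("link points at a bare IP address")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalized (punycode) host")
        if DOMAIN_RE.match(text) and _registrable(_host(text)) != _registrable(host):
            reasons.append(f"visible text says {_host(text)} but link goes to {host}")
        for trusted in trusted_domains:
            t = trusted.lower()
            if host == t or host.endswith("." + t):
                continue  # genuinely under the trusted domain
            # Lookalike test: trusted name embedded in the host once dots/hyphens are removed.
            if t.replace(".", "") in host.replace(".", "").replace("-", ""):
                reasons.append(f"host {host} resembles trusted domain {t}")
        if reasons:
            warnings.append({"href": href, "text": text, "reasons": reasons})
    return warnings


# Constructed sample message; 203.0.113.0/24 is a documentation address range.
SAMPLE_EMAIL = """
<p>Your payroll profile needs attention.</p>
<p><a href="http://payroll-example.com.login-check.net/auth">https://payroll.example.com/auth</a></p>
<p><a href="http://203.0.113.10/update">Update now</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for w in flag_links(SAMPLE_EMAIL, trusted_domains=["example.com"]):
        print(f"WARNING for link '{w['text']}' -> {w['href']}")
        for r in w["reasons"]:
            print("  -", r)
```

Run on the sample, the first two links are flagged (domain mismatch plus a lookalike of example.com, and a bare IP address) while the genuine www.example.com link passes. The output is the kind of text an email client can surface next to the link, together with the report button, so that the reminder arrives at the moment of decision rather than in a training module months earlier.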
A key element of encouraging the behavior you want to see is ensuring that you give people feedback. If someone clicks that report button on a suspected phishing email, make sure you tell them whether they were right. If you don’t give feedback, not only are they left uncertain about whether it was a scam, but they might just decide not to bother reporting it the next time.
Just as bad actors are adept at exploiting human error, we need to get better at encouraging and modeling desirable cybersecurity behavior. Through patient persistence, tailored training, and plenty of well-meaning feedback, you can reduce the number of human errors and soften the impact of the mistakes that do occur.
About the Author
Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 35,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. Stu is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at [email protected].