The 2022 Verizon Data Breach Investigations Report (DBIR) was released recently and highlighted some of the cybersecurity trends the industry has seen year after year. One of those trends, which seems to be gaining more attention in the industry, is the “Human Element.” The report found that 82% of breaches involve the human element, making human risk the biggest risk factor for organizations. More importantly, the DBIR surveys indicate that just 2.9% of users are causing most incidents. The report stresses that organizations should find ways to identify those specific users and mitigate that risk. Understanding who this small percentage is can exponentially increase an organization’s effectiveness in reducing risk.
Humans (users) are not perfect. We behave in various ways: good and bad, intentional and unintentional, forgetful, and so on. We all miss meetings, forget to turn out the lights, and make mistakes. The same goes for users in the workplace; some users will click bad links, open malicious documents, surf nefarious websites, and cause security incidents.
A recent study from the Cyentia Institute on workforce risk came to a similar conclusion as the DBIR, finding just 4% of a company’s internal users responsible for 80% of phishing incidents, and only 3% to blame for 92% of malware incidents.
CISOs who take part in conducting a Security Risk Assessment for their organization will typically use a security framework and controls to measure the risk rating and maturity of their cybersecurity program. A Security Risk Assessment should incorporate People, Processes, and Technology. All three are vital for the success of your overall cybersecurity strategy.
Security Awareness and Training (SAT) is becoming a smaller part of the fight against human risk. Yes, most compliance frameworks require annual security awareness training for an organization to remain compliant, so these security awareness videos and materials should still be used, but they are certainly not the solution to the human risk problem. Forrester’s latest Security Awareness & Training report recognized that the fundamental problem in protecting users stems from understanding who in your organization is risky and why they are risky. This insight is simply not available through the traditional Awareness and Training approach.
Organizations have a plethora of security and application tool logs and metadata about their users. Many feed this data into a SIEM or their third-party MSSP to monitor security events, attacks, and possible breaches, among other anomalous activities. This has been the norm, an offensive stance that maintains the status quo of “detect, respond and recover,” which many compliance frameworks also mandate.
Organizations and their CISOs need to take a balanced approach to their overall security strategy, move beyond the status quo, and adopt a proactive approach that includes tactical and strategic measures to address all risks in the workplace. From a NIST Cybersecurity Framework (CSF) perspective, most organizations have “Detect, Respond and Recover” down pat, but they are lacking on “Identify and Protect.” As part of that balanced approach, it’s important to identify all risks, quantify those risks, and build guardrails to prevent your next incident.
Human risk needs to play an integral part in your overall security strategy. Many of the technology and application logs mentioned previously have the answers you are looking for when addressing human risk, including who is most likely to cause the next incident, who has a high level of access that could cause a devastating loss to the business, what the attackability level of your users is, and which of those users might expose data. All of these are tough questions to answer, but the data you already gather can help you find these answers and identify the small percentage of users that put your organization most at risk. Then you will be on your way to solving human risk in your organization.