Cybersecurity is not quite the frontier concern it once was, when the nascent Internet heralded both a golden age of communication and a new, unknowable set of risks for those who helped to pioneer it. It is well-trodden ground today, being the most important aspect of most businesses’ security preparations – the failure of which ultimately costs over $10 trillion globally each year (a number which grows by 15% year on year, to boot).
While cybersecurity is no longer a frontier subject, it is still something of a frontier. New technologies are born and adopted at lightning speed, and the digital security measures of yesteryear don’t quite meet the reality of an increasingly complex present day. But for all the encryption and firewalling of clever internet security measures, there is one major vulnerability that has existed since day one, and continues to be a fundamental threat to digital security: people.
1) Why People Still Lie at the Heart of Cyber Risk
Cybercrime is often imagined as seasoned IT experts in figurative balaclavas, breaking into secure systems and heisting valuable assets with lines of savant code – but the reality is far more banal, and far closer to home, than the fictions sold in Hollywood scripts. It is human behaviour that leads to the vast majority of cyber incidents; your Hollywood hackers have more in common with Catch Me If You Can than with, well, Hackers.
Rather than exploiting technical vulnerabilities, cyber criminals exploit human error. Mistakes, misjudgements and social engineering techniques are weaponised to gain access to confidential records, valuable data and more.
2) The Psychology of Human Error and Social Engineering
But how exactly does this work? Criminals use various methods to exploit human vulnerabilities, but the most common among them is phishing – something you will have experienced or encountered at some point in your personal life, let alone your professional one. Phishing is the digital impersonation of a trusted source or contact in order to obtain personal information such as bank details or login credentials.
A phishing email may be formatted to look like a routine check-in from a bank, or an incidental message from an executive member of staff. These emails will ask for information, or direct recipients to a formal-looking web portal that harvests any data entered into it. These attempts succeed thanks to modern social-engineering tactics, which exploit trust, cognitive biases and the pressure of a deadline. Put simply: awareness alone isn’t enough to catch a social engineering attempt in progress. The victim’s trust is the social contract working as it should, which is why behavioural approaches are necessary.
3) Building a Culture That Reduces Human Cyber Risk
As a business, then, it isn’t simply a matter of educating workers on the perils of phishing scams. Many organisations find that partner-based support such as managed IT services can help embed 24/7 oversight, structured risk behaviour analytics and training reinforcement at scale – but this requires a commitment to human risk management as a business priority.
Human risk management, then, needs to be a structured approach that goes beyond basic awareness training to measure, shape and reward secure behaviour over the long term. Ongoing practice, tailored training, measurement and cultural reinforcement are all vital parts of this whole, and crucial to meeting a new generation of digital technology.