How to strengthen the human element of cybersecurity

The best defense against cyberattacks is not technological cybersecurity solutions but the strengthening of the human element, Perry Carpenter—cybersecurity veteran, author and chief evangelist-security officer for KnowBe4, said.

Verizon’s Business 2022 data breach Investigations Report revealed that the human element continues to drive breaches, accounting for 82% of all attacks. And attacks are becoming more aggressive, with ransomware jumping 13% in 24 months, a surge higher than the past five years combined.

“As we continue to accelerate toward an increasingly digitized world, effective technological solutions, strong security frameworks, and an increased focus on education will all play their part in ensuring that businesses remain secure and customers protected,” Hans Vestberg CEO and Chairman, Verizon said.

Verizon’ report exposes the cost of human influence. “People remain—by far—the weakest link in an organization’s cybersecurity defenses,” the company says.

KnowBe4, a security awareness training and simulated phishing platform, recently released a resource kit designed to help IT and Infosec professionals improve their human element of security. The organization said that IT professionals are still challenged when it comes to creating a security awareness program.

Carpenter, in contact with TechRepublic, shared the human security lessons he has learned over the past years. He warns that while rising cybersecurity statistics are of great concern, companies should look beyond them.

“Unfortunately, knowing about cybersecurity threats is only half the battle. Doing something about them—and, more importantly, doing something to prevent them—is where you really should be spending your time,” Carpenter said. He explained that even those engaged in security awareness efforts suffer from a fatal flaw: The knowledge-intention-behavior gap. 

SEE: Mobile device security policy (TechRepublic Premium)

The knowledge-intention-behavior gap

“Just because your team members are aware of something doesn’t mean they will care,” Carpenter said. The knowledge-intention-behavior gap explains why breaches continue to rise despite the investments companies make in building strong cybersecurity awareness programs for all workers.

According to Carpenter, workers may be aware of the threats and risks, how they work and what they need to do to avoid them, but still fail to take the necessary actions to keep the company safe.

To revert this situation, companies must close the gaps between knowledge and intention to encourage correct behaviors among their workforces. This requires an approach that the highly technical cybersecurity industry struggles with—working with human nature.

Working with human nature

Effective cybersecurity programs work with human nature because cybercriminal organizations have become experts in manipulating it. Leaders may be asking themselves why, if their workers are informed, are they falling for all sorts of scams and phishing campaigns?

The answer, according to Carpenter, has nothing to do with how smart employees are. The most successful techniques to breach a system do not depend on sophisticated malware but on how they manipulate human emotions. Attackers are leveraging natural curiosity, impulsiveness, ambition and empathy.

Another method is the old marketing technique of offering things for free. Clickbait bulk ad campaigns can be incredibly effective and for cybercriminals, they are gateways to download malware and ransomware. They will promise cash, investment opportunities or just a free car wash, knowing that it is very difficult for humans to resist a seemingly harmless and attractive offer.

Another rising trend manipulates human empathy. In 2020, the FBI warned about emerging fraud schemes related to COVID-19, and in May 2022, the FBI’s Internet Crime Complaint Center IC3 alerted that scammers were posing as Ukrainian entities requesting donations. Criminals will stop at nothing and use humanitarian crises or post-natural disaster events to fabricate social engineering attacks.

Cybercriminals are also creating highly personalized attacks using employee information they obtain through social media and online sites. Additionally, knowing that an employer responds to a manager, HR, or a company’s CEO, they will leverage that relationship and impersonate people of authority within the organization. “They send fake messages from the CEO with instructions to wire funds to a bogus supplier account or trick employees into other fraudulent business email compromise (BEC) schemes,” Carpenter said.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Communication, behavior and culture management

Carpenter explained that companies should provide continual security training for their employees in three areas:

• Communication
• Behavior
• Culture management

He shared with TechRepublic key points leaders can use to build lessons for each section.

Communication lessons

• Understand your audience and what they value.
• Capture people’s attention and connect with emotion: making your messaging compelling. Don’t just share facts but use stories and examples to connect.
• Have a clear call to action: tell your teams, specifically, what they need to do.

Behavior lessons

• Recognize the knowledge-intention-behavior gap as a reality that affects any behavior you hope to encourage or discourage. Your team members may have the knowledge they need and the best intentions, but your goal is to ultimately impact their behaviors.
• People aren’t rational. We need to help them with prompts, tools, and processes that make behaviors easier and feel more natural.
• Place tools and training as close to the point of behavior as possible.

Culture management lessons

• Understand your culture as it currently exists using culture measurement surveys, focus groups, observation, and more.
• Identify potential “culture carriers” who are equipped and empowered to help support the mindset and behaviors you wish to see exhibited across your entire team.
• Design structures, pressures, rewards, and rituals that will be ongoing and address the unique differences between various groups.

EPM and phishing simulations

In 2021, IBM revealed that an endpoint attack’s average cost is of $4.27 million. As hybrid work models become the norm and the attack surface expands with millions of new devices connected outside corporate networks, cybersecurity solutions like Endpoint Privilege Management (EPM) and phishing simulations level up to respond to the security gaps.

Accenture recently highlighted how EPMs could enable users to efficiently and securely perform their work without risking breaches. EPMs give endpoints a minimum set of privileges removing administrative rights from users’ base and controlling which apps are allowed to run. “Only vetted, trusted applications are allowed to run, and they do so with the lowest possible set of privileges,” Accenture explains.

Another security tool that is becoming increasingly critical to identify vulnerabilities of the human element and strengthen the gaps while educating users is phishing simulations. IT teams simulate phishing campaigns in phishing simulations to visualize how workers respond. This allows teams to test their security posture, identify weak spots and learn from simulations.

“Even when you’ve achieved transformational results, your journey is seldom over. Bad actors will continue to find innovative ways of thwarting our best efforts. Your response will be to constantly adapt and commit to a process of continual improvement,” Carpenter said.