The Weakest Link in the Cybersecurity Chain: Are You Aware of It?

Author: Gopikrishna Butaka, CISA, CDPSE, CC (ISC)2, CEH, ISO 27001 LA
Date Published: 31 January 2022

Recently, there was a debate within our audit team about the increase in cybercrime during the pandemic and the best ways to handle it. One of our team members pointed out that the element most often overlooked when auditing for cyberthreats is the human element.

In some of the most successful attacks, threat actors exploit human laziness and fallibility rather than technical flaws. The COVID-19 pandemic added to the risk from the human element because it completely altered the work environment everywhere. The question is what an organization can do to keep itself secure from cyberattacks when its employees split their time between the office and their homes, or stay home altogether.

Many people believe that throwing technology at a challenge can solve it. In this case, process automation, including AI-based tooling, can reduce reliance on the often-unreliable human component and make IT operations more effective and consistent. But this does not solve the whole problem: the humans who configure, approve and override those systems remain in the loop. An organization's networks and data will not be secure unless individuals follow clear, well-defined security policies and practices, and participate in routine cybersecurity training and exercises.

Some ways to reduce human error in cyberspace include:

  • Social engineering awareness—Creating social engineering awareness among all employees, not only IT staff, has become crucial.
  • Vendor security—It is critical for organizations to know how secure the outside vendors they partner with are, especially in regard to cybersecurity, because a vendor's staff are part of the organization's human attack surface.
  • Change detection software—Change detection (file and configuration integrity monitoring) software can detect unauthorized modifications and restore the affected files or settings to a known-good state without downtime.
  • Periodic audits and analysis—Periodic audits of critical areas, and analysis of the resulting reports, go a long way toward securing the organization.
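
The change-detection item above describes a tool that notices unwanted modifications and puts things back as they were. The following is an added example written for this page, not code from the article or from any product it refers to: it builds a SHA-256 baseline of a directory, keeps a known-good snapshot copy, reports files that were modified, added or deleted, and restores the changed or deleted files from the snapshot while verifying each restored file against the baseline hash. The directory names and the sample configuration files are constructed for the demonstration.

```python
"""Minimal change detection with baseline, diff and verified restore.

Added example for illustration; the temporary directory, the files
"app.conf" and "allowed_hosts" and the simulated tampering are all
constructed here and are not taken from any real system.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline; report modified/added/deleted."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def restore(root: Path, snapshot: Path, baseline: dict[str, str],
            changes: dict[str, list[str]]) -> list[str]:
    """Copy modified/deleted files back from the snapshot and remove added files.

    Every restored file is re-hashed against the baseline, so a tampered
    snapshot is detected rather than silently copied into place.
    """
    touched: list[str] = []
    for rel in changes["modified"] + changes["deleted"]:
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, dst)
        if file_sha256(dst) != baseline[rel]:
            raise RuntimeError(f"snapshot copy of {rel} does not match baseline hash")
        touched.append(rel)
    for rel in changes["added"]:
        (root / rel).unlink()
        touched.append(rel)
    return touched


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run the full cycle on constructed data; returns (changes found, changes after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "app.conf").write_text("debug=false\n")          # constructed sample
        (root / "allowed_hosts").write_text("10.0.0.5\n")        # constructed sample
        baseline = build_baseline(root)
        snapshot = Path(tmp) / "snapshot"
        shutil.copytree(root, snapshot)                           # known-good copy

        # Simulated unwelcome modifications: edit, delete, and drop a new file.
        (root / "app.conf").write_text("debug=true\n")
        (root / "allowed_hosts").unlink()
        (root / "backdoor.sh").write_text("#!/bin/sh\n")

        changes = detect_changes(root, baseline)
        restore(root, snapshot, baseline, changes)
        return changes, detect_changes(root, baseline)


if __name__ == "__main__":
    found, after = demo()
    print("detected:", found)
    print("after restore:", after)
```

The check that matters in practice is the one inside `restore`: the baseline hashes and the snapshot must live on storage the monitored host cannot modify (read-only media, a separate host, or a signed store), otherwise whoever changed the files can change the "known-good" copy as well. Production integrity monitors such as AIDE or Tripwire add scheduling, alerting and attribute checks (ownership, permissions) on top of this same hash-and-compare loop.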

Several best practices that help minimize the risk arising from both human error and automation include:

  • Organizations should ensure that digital forensic capabilities are in place for all critical areas and that digital forensic readiness is assessed periodically, so that incidents caused by human error can actually be reconstructed.
  • Organizations should allocate at least 5 percent of their annual IT budget to improving defenses against cyberthreats and to ensuring they have the necessary equipment. Effective security is less expensive than the cost of a data breach.
  • Organizations should plan information security implementation periodically and stick to the plan.
  • All key stakeholders should be educated about the protection of personally identifiable information (PII) and financial data, and made aware of how to recognize and prevent phishing attacks.
  • All remote access should be routed through a privileged identity management solution (PIMS) and be logged, so that every privileged session can be attributed to a named individual and reviewed.
  • Organizations should control, track and review who has access to what data, and ensure that each employee has their own unique credentials that they do not share with anyone else; shared accounts make attribution impossible.
  • Organizations should set up a multifactor authentication (MFA) policy and a strict password policy for all applications.

The future of cybersecurity requires in-depth research into, and understanding of, the human mind. A human-centric cybersecurity framework puts people at the center of the integration of cybersecurity and information security practices, design elements and technologies, with the aim of reducing behavioral risk by drawing on psychological and social research.

Practical suggestions to defend against the threats arising out of the human element of cybersecurity include:

  • Identifying and removing insider threats
  • Creating a user environment that mitigates human error
  • Periodically anticipating and mitigating user-initiated loss
  • Providing the proper tools for employees to use strong passwords, enable two-factor authentication, use email filters and easily report threats and errors
  • Providing practical, engaging and motivational training periodically to all employees involved in critical processes
  • Ensuring there is a kill switch for all critical areas

Like any other risk, the human risk cannot be completely eliminated, but organizations can aim to minimize it as much as possible by being aware of it and following best practices.

Editor’s note: For further insights on this topic, read Gopikrishna Butaka’s recent Journal article, “Is Cyberspace Secure From Humans?” ISACA Journal, volume 5, 2021.
