Protection investments and the human factors
Companies invest fortunes in protecting themselves against the latest malware, botnets, and ransomware, buying the most sophisticated cybersecurity solutions on the market. That investment is necessary, but it is not sufficient, and on its own it is not the best use of the budget. Statistics show that the biggest threat to companies' information systems is the human factor. Verizon's 2022 Data Breach Investigations Report (https://www.verizon.com/business/resources/reports/dbir/) shows that "82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse". The same report shows that "62% of incidents in the System Intrusion pattern involved threat actors compromising partners". Humans are the application that is the hardest to upgrade and the slowest to patch when it comes to cybersecurity protection. It takes continuous awareness training and a change in organizational culture to reduce the risk from human factors. In this domain, the benefits are worth the investment.
Awareness Training
Human factors are present across all the layers of protection in the organization. People can be the first layer of defense, and they can also be the very last one. Investing in employee training, which can account for less than 20% of the information security effort and budget, helps the organization address a disproportionate share of its cybersecurity problems (the author's estimate is more than 80%). Falling for a phishing attack, failing to follow the password policy, or revealing sensitive information to unauthorized parties are examples of problem sources that awareness training can easily prevent.
Insider threats
Understanding the roots of and the motivation behind internal threats helps the organization prepare its protection plan. CISA (https://www.cisa.gov/defining-insider-threats) identifies three types of insider threats. The first is unintentional threats, which create risk for the organization through negligence or accident. The second is intentional threats, which are motivated by personal interest or personal grievance. The third is collusive and third-party threats, where an insider works with an external actor or the access is held by a contractor or partner. The organization's protection measures will not be effective unless they address every one of these categories.