Today’s organizations understand the value of embracing technology and connectivity in almost every aspect of the business. But, just as businesses have woken up to digital, so have cybercriminals. Every new piece of technology, every application, every remote worker, and every device introduces new complexity to the security equation and offers a new opportunity for attackers. Even though cybersecurity spending is at an all-time high ($172 billion in 2022), businesses still appear to be playing catch-up when it comes to defense mechanisms. The time has come for cybersecurity strategy to evolve from being technology-centric to people-centric. There are three main reasons for this:

1. Human Error Is Main Cause of Cyberattacks

Studies show that human error accounts for nearly 95% of all cybersecurity incidents. These unintended actions can have major ramifications on the security posture of a business. Common errors include actions such as responding to a phishing email, downloading a malicious attachment, risky browsing behavior, poor password practices, misconfiguration of security controls, poor systems patching, not adhering to security policies and procedures, and not assessing third-party security controls, etc. What’s more, analysts predict that the increase in the amount of technology adoption will give rise to even more security maintenance issues, misconfigurations and human errors. An organization that places an intentional focus on reducing human errors through regular training and awareness will be less likely to commit errors or fall for phishing bait. 

2. Security Teams Will Always Be Understaffed

In the wake of rising cyberattacks, organizations increasingly face internal resourcing and budget concerns that are difficult to overcome; 39% of Chief Executive Officers (CEOs) agree they have inadequate budgets to ensure cybersecurity. There is also an acute shortage of cybersecurity talent based on current demand. The industry needs to grow 65% faster to effectively defend an organization’s critical assets. What’s more, the rapid pace at which technology is evolving as the security approaches implemented today quickly become outdated. The only way organizations can address resource and infrastructure constraints is by making employees an extended arm of the security team while the business tries to balance growth, resourcing and safety. 

3. People are the Ultimate Security Perimeter

Businesses are increasingly operating in a remote and distributed work environment. Organizations are used to outsourcing key functions to third-party partners to scale operations. They are also storing data on the public cloud and investing in SaaS applications that have altered how people share information and collaborate. Traditional security controls that were designed around the organization’s perimeter are no longer relevant. The attack surface is so enormous that organizations do not have enough coverage. Technology often does a decent job when it comes to responding and defending against known cyberattacks but would still benefit from stopping an attack much earlier in the “kill chain.” If workers are able to spot and report suspicious activity early in the lifecycle of a cyberattack, organizations will be better equipped to defend against evolving and unforeseen threats.

How Can Organizations Implement People-Centric Security?

According to ThoughtLab research, organizations that develop people-centric security see fewer breaches and better breach detection and response times. Here are the key steps the research recommends:

1. Assess staff reflexes, behaviors, and patterns: Create a baseline assessment of the current state of reflexes, behaviors and patterns in workers. Historical datasets, risk assessment results, user behavior analytics, phishing simulation results, and suspicious activities reported by employees are examples of quantitative sources that organizations can leverage to study their current security posture. 
2. Create a culture attuned to cybersecurity values and risks: Position cybersecurity as one of the key pillars of the value system in the organization. Identify key business leaders and other influencers in the business and ensure they walk the talk and set the right example for their teams. Avoid a culture of blame and shaming because this will discourage users from reporting incidents; instead, make them feel valued for acting with authenticity and without fear of reprisal. 
3. Build more effective cybersecurity awareness training: Employee engagement is an important aspect of training. Simulation tests, contests, gamification, and tabletop exercises can be extremely effective in comparison to dull and monotonous classroom training. Employees have different levels of security maturity, so it’s always a good idea to tailor courses based on departments, security skills and interests. Try keeping content in digestible doses to make it more palatable and frequent so your employees develop muscle memory.
4. Recruit, upskill and retain security specialists: Thoughtlab studies show businesses that invest resources in recruiting, advancing, and maintaining cybersecurity specialists see fewer breaches and faster detection rates versus other businesses that do not value engaging and retaining security specialists. Organizations have a duty to ensure that all users are cyber aware; the higher the employee turnover, the wider the window of opportunity for attackers to take advantage.
5. Ensure proper staffing on security teams: Lack of staffing is directly proportional to higher risk and greater human error via missed alerts, disengaged employees, security misconfigurations, reduced monitoring, unpatched systems, and burnout. Create the environment for vulnerabilities to thrive, and attackers will flourish. 

Remember that people don’t have to be the weakest link in the security chain. With the right tools, awareness and training, they can be your strongest defensive layer. Even the smallest steps organizations take today to make security people-centric can result in large gains for cybersecurity resilience in the long run.