“I really enjoyed our cybersecurity self-training today, and really plan to change my behavior as a result of it” said just about no one anywhere, ever. And yet, when the topic of the “human factor in cyber breaches” is discussed in any forum, recommendations always revert to the mean (and the cliche’): cybersecurity training. Driven by compliance requirements and the need to check that box, coupled with a sea of cyber awareness training companies armed with cherry-picked statistics about the efficacy of awareness training, the call for cybersecurity training has become so ubiquitous that it’s become a caricature of itself.
And yet the pace of successful attacks continues to accelerate, the cost of breaches increases, and employees continue to click on phishing emails. Does this mean we should stop conducting cyber awareness training? Of course not. It can’t hurt, and can certainly help. But the good guys only have to be wrong once, and the bad guys can flood an organization with thousands of phishing emails and need only one or two to be clicked on. No amount of security awareness training can stop them all.
Without question, the “human factor” in cybersecurity has become synonymous with phishing attacks, but that perception is a material part of the problem. Successful phishing attacks and insider threat episodes make for good TV, but don’t necessarily reflect more subtle, and more consequential human-based challenges. Many times, for example, data losses or credential theft is the result not of an employee “tricked” into clicking on a bad link or the deliberate behavior of an employee upset with their latest raise, but rather a misconfigured server set up by an overworked IT team member who wasn’t properly trained. Sometimes, devices are installed on large networks ostensibly temporarily, but are lost in the constant stream of day-to-day fire drills and never removed. Indeed, many IT professionals will tell you that one of their biggest challenges is “simply” identifying and accounting for all the devices on their network at any given time.
An even more obscure example of the cybersecurity “human factor” is in vulnerability management, and specifically the remediation of vulnerabilities. Many breaches (some estimate more than 60%) are attributable to an unpatched vulnerability, and not the sexy “zero-day” variety, but rather those that have been identified and a patch made available for months or years. Why haven’t they been patched? The top reason typically given is either lack of resources or fear of disrupting the network. Unlike years past, today, more than 98% of patches are never rolled back, meaning less than 2% cause disruption. Yet, a somewhat irrational fear of disruption prevents a more aggressive patching cadence, and enables unnecessary exposure to attack. Again, this is another overlooked “human factor” in cybersecurity.
Thus, many of the human factors contributing to cybersecurity breaches can’t be helped by forcing employees to watch animated videos and take a multiple-choice test afterward every 6 months. But awareness training provides two benefits that executive management can’t get enough of: it checks compliance boxes and covers their asses. It’s difficult to explain to the press or the BoD that the $20MM breach recovery cost and brand hit was the result of a vulnerability unpatched for 18 months, or a new IT employee misconfiguring a server. It’s infinitely more palatable to report that it was the result of a careless employee clicking on a bad link even after they completed their mandatory awareness training. “We did everything we were required to do, and we were still victimized by cyber criminals.”
It’s a common refrain in the world of addiction recovery that the first step is admitting you have a problem. In the cybersecurity world, and specifically with regard to the human factor, the first step is to admit that the problem can’t be solved solely with awareness training. The people responsible for the network’s operation, and those responsible for its protection, are also humans. They make mistakes, don’t have enough time in the day, and are typically unappreciated until something goes wrong. Enterprise leaders would do well to ask them what they need to prepare their organizations to prevent attacks… and then give them what they ask for.