Why the human factor matters in cybersecurity – and how to deal with it

Corporate IT infrastructure has become incredibly complex. The intricacy brought about by digitalisation in recent years has now been exacerbated by the pandemic and its impact on society – think of the enormous spike in online services, remote workers, virtual collaboration and connected devices, with all the challenges they create.

This is naturally reflected in the cybersecurity threatscape. Even pre-Covid, businesses were battling fiercer attacks on their environments, and the current circumstances certainly haven’t made things easier.

Risks, however, don’t simply revolve around devices and security solutions. There’s another important element to keeping hackers out, and that is ensuring employees are familiar with potential security threats and on board with recommended processes to help thwart them.

Improving security isn’t something that companies can compromise on. Not only do cyberattacks disrupt productivity, tarnish brand reputation and damage customer trust, they also have more tangible consequences. The average cost of data breaches in the UAE and Saudi Arabia has risen by 9.4 per cent in the last year and the average cost of a breach in the region is $6.53m – higher than the global average.

At a time when resources are precious and companies are working hard to navigate the financial crisis, such losses can be catastrophic. So, companies need to find ways to integrate people, process and technology in a unified approach to security to protect their networks in today’s climate.

The importance of employee behaviour

While some believe information security (Infosec) teams are the gatekeepers for all things security, it is in fact all employees who play a crucial role in keeping an organisation safe. A recent Ponemon study reported that only 24 per cent of breaches in the region were due to system glitches, while 59 per cent were malicious attacks and 17 per cent were down to pure human error. However, most malicious attacks rely on some form of human interaction.

This explains why a core aspect of cybersecurity is actually represented by company-wide awareness and training: data from our own survey shows 36 per cent of IT leaders in EMEA consider employee security education one of the biggest future IT challenges. Of course, these practices have become fundamental in the age of work from home (WFH), where staff are working remotely, outside of office perimetres and far from the protection of their tech-savvy teammates.

As workers strive to maintain productivity and efficiency in the face of new challenges, such as using their own personal devices and home wifi connections to connect to the corporate network, it’s no wonder security isn’t top of their priorities. Instead they are focusing on the need to deploy whatever tools and applications are needed to ensure they can get the job done.

According to 35 per cent of IT decision makers, insider threats increased this year due to employee disengagement and over half of decision makers in IT agreed that WFH has made their companies more vulnerable due to insecure devices. And there’s more – 44 per cent of companies have seen an increase in phishing attacks this year.

It’s no secret that cybercriminals have been exploiting Covid-19 and sending fraudulent emails and texts to workers, to breach their organisations’ defences, so measures need to be put in place to prevent these incidents.

The value of a Zero Trust approach

While employee education and training are important, there are other measures companies can adopt. For example, taking a Zero Trust approach to security – not granting automatic privileges to any users on the network – can reinforce protection.

At a time when implicit trust is no longer safe, Zero Trust can help increase protection; in fact, nearly all of the digital leaders we surveyed said this architecture could help their business deal with the current global situation.

Specifically, it has the potential to mitigate threats like human error, as well as employee unawareness and disengagement.

Our data shows that 49 per cent of IT decision makers are considering a Zero Trust framework in order to prevent workers from compromising the system. Once again, technology alone isn’t enough: Zero Trust is not a plug-and-play product, it’s a mindset. In fact, nearly 30 per cent of professionals we surveyed said employee support is fundamental to embark on a Zero Trust journey, while 40 per cent believe the biggest obstacle to achieving it is the need for a culture shift. Employees should follow the ‘trust no one’ mantra in their day-to-day routines, to establish how to behave when targeted by a phishing attack, for instance.

In today’s cyber-threatscape, made more complex by fluid working, risks are lurking around every corner. With so many factors that can compromise infrastructure defences and lead to devastating consequences, relying solely on one tactic – be it security technology or employee training – simply isn’t safe.

Companies must apply an all-round, comprehensive approach, coupling technology that enables a Zero Trust security strategy, with employee awareness, to safeguard their networks in this new world.

Garth Braithwaite is the senior sales director, Middle East, Southern Africa and Russia at Gigamon