Organisations often lean on the ‘People, Process, and Technology’ (PPT) framework as a way of demarcating value streams and driving action. When managed well, the triad works in unison to ensure a comprehensive and layered approach to defence. But what happens when one pillar is weaker than the others?
Human risk is incurred by the compromising behaviours of those inside the organisation, both accidental and purposeful. This risk is realised in various ways, from data leakage and operational inefficiencies, to blackmail, fraud, and ransomware. The Verizon 2023 Data Breach Investigations Report found that ‘74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering’.
It also reported that phishing fell into the top three breach methods, reinforcing the need for dedicated efforts to help combat the impact and likelihood of an incident. Opting for yearly training often misses the mark; seen as a chore, or a tick-box compliance exercise, it fails to equip staff with the skills and knowledge to build a healthy security culture.
So where does human risk come from, and how can it be managed? More importantly, how can the workforce be empowered to become an asset rather than a liability?
Understanding Behaviours: Where Does Human Risk Originate?
The sources of human risk are numerous and complex, based on company culture, individual disposition, and immediate circumstances.
- Curiosity and Impulse. Where users are curious without restraint, risk is induced through impulsive engagement with harmful content or processes. This may manifest as a user thoughtlessly clicking on an email link, or through the implementation of shadow IT.
- Trust and Comfort. Desire to see the best in everyone may lead users to blindly bestow trust upon dishonest entities. Gaining trust is a core requirement of a social engineering attack, enabling exploitation based on an established but disingenuous relationship.
- Lack of Education and Awareness. If users are not taught how to combat threats, they cannot be expected to follow best practices. A one-size-fits-all training approach means teams often struggle to see how security relates to them, leaving holes in knowledge application and risk perception.
- Culture and Behaviours. In our fast-paced digital world, jobs are made harder by the demand for efficiency and constant availability. Increased pressure may drive employees to cut corners or mis-perform processes to meet deadlines.
Often there is no malicious intent behind human risk. To better understand potential causes, an organisation needs to consider the following within the context of its own operations:
- What makes the workforce act the way they do? What pressures are applied (both overtly and through subtext) by the organisation’s culture?
- Who (and what) do employees inherently trust?
- What challenges do staff face in their roles that lead them to seek workarounds?
- Do employees have enough knowledge to react to events with security in mind?
- How does interaction with risk and security differ depending on the role employees perform?
- How is security perceived and acted upon at different management levels within the organisation?
Know the Team: Understanding Risk Profiles Across the Workforce
Risk profiles cannot be applied uniformly to every individual or team. Whatever the organisation’s culture, it is imperative that security processes are built to work with it, not struggle against it – even if this means adapting security training for different regions, teams, or management levels.
- Department Function. Each function interacts differently with the company’s value streams and processes, inviting different forms of risk exposure. It is unlikely that warehouse workers will incur the same risks as developers working on ERP systems, or finance teams working with vendor payments.
- Seniority and Hierarchy. In a culture that favours hierarchy and formality, more junior employees may struggle to speak out or ‘go over the heads’ of their managers to raise issues. Managers may also take different approaches, driving a fractured response.
Where to Start: Building a Human Risk Response
Mitigating human risk requires a strong security culture instilled across every level of the business – from C-Suite to factory floor workers. So where to start?
- Understand Risk
Implementing policy or training without a baseline will result in wasted investment. It is important to first understand the business drivers, critical assets, and risk profile. From there, the training that best suits the business can be identified, along with any gaps that expose it to human vulnerabilities. This also helps identify areas that are already protected, preventing over-investment in departments requiring less attention.
- Tailor Training
Identify the different training requirements for each department based on their role and exposure to risk. A ‘one-size-fits-all’ approach does not work when everyone has such vastly different responsibilities. Embrace different forms of training, from subject-specific sessions to micro-training opportunities, in each case tailoring it to the users being engaged.
- Engage with Training Results
Engage with the data resulting from training, and tailor approaches based on the gaps identified in previous teaching rounds.
Training activities are only as good as the impression they make on employees: tracking the number who complete the training is not the same as measuring who has understood and implemented their learning. Training should be sustainable, with measurable outcomes and follow-up plans for those who need further assistance.
- People add Value, not Vulnerability
Employees tend to know workplace processes better than anyone. Given the correct support, they are perfectly placed to identify warning signs of compromise, report them, and support recovery activities. This requires an open and supportive culture, in which employees feel able to safely report incidents without fear of repercussions.
Conclusion: Avoid Tick-box Training and Compliance Activities
Ultimately, there needs to be a move away from tick-box compliance activities towards a more robust and integrated approach to training and controls. Instilling a strong security culture across every tier of the organisation requires understanding of what drives employee action, alongside how this differs between functions and leaders.
Without considered and purposeful training, an enterprise is under-equipping and under-valuing the ability of its workforce to combat human risk. Instead, organisations should facilitate learning opportunities that best suit their people, enabling them to work alongside technology and processes to protect their critical assets.
Author: Becky Gelder, risk consultant, Turnkey Consulting