Taking human risk mitigation to the next level

Malcom Chari
By Malcom Chari, iOCO cyber security technical lead.
Johannesburg, 23 Sep 2024

Despite the best efforts of IT, security, risk and HR teams, humans remain the weakest link in organisational cyber security − and even ongoing training and awareness programmes are failing.

According to Mimecast’s international “The State of E-mail & Collaboration Security Report 2024”, most cyber breaches still occur due to the human element. This is despite the fact that more than half of organisations provide regular, ongoing cyber awareness training.

The research found that more than two-thirds of respondents believe employees put their organisations at risk through the misuse of e-mail, oversharing of company information on social media and careless web browsing.

In South Africa, we see the same trends: most organisations − small and large − offer cyber security awareness training monthly, yet the human element remains fallible.

One reason for this ongoing vulnerability may be the increasing sophistication of cyber attacks. Malicious actors have become adept at bypassing traditional controls and are now also harnessing artificial intelligence (AI) and generative AI to make their phishing and vishing attempts far more convincing.

Users under pressure to get their work done are not well equipped to identify a well-crafted phishing attack. They need more advanced tools and techniques to help them identify suspicious links and phishing attacks.

Importantly, most cyber security awareness and training programmes are fairly static, with a one-size-fits-all ‘vanilla’ flavour. The content isn’t necessarily relevant to all roles and all situations, and continuously repeating the same generic warnings can lead to ‘training fatigue’.

Automated human risk management (HRM) solutions with embedded AI offer a more advanced and dynamic approach to training, as the next layer of defence to mitigate human risk.

HRM, which came to market fairly recently, is gaining traction as organisations look into how it can be incorporated into their security practices.

Applied to individual users and their roles, HRM understands what tools they use, how they transfer data from point A to point B, and the overarching policies related to their roles and business tools.

When anomalies occur, HRM kicks in to flag the risks of this behaviour to the individual, creating more impactful point-in-time training, with audit logs and dashboards in the backend to inform future training and awareness strategies.

Advanced HRM offers new levels of visibility into organisational risk profiles, allowing security teams to identify the riskiest areas of the employee base and step up education and awareness to combat these risks. Security can also tailor controls based on individualised risk insights.

HRM software can help reduce the risk of collaboration attacks, human error and insider threats, flagging even hard-to-spot phishing and spoofing attacks. For example, if a user receives an e-mail that appears legitimate, is well crafted and aligns to their job function, they might find it believable.

But the AI-enabled system will go on the alert because the mail is the first to come from this particular e-mail address. It will check whether the sender communicates with others in the organisation, and whether they have been flagged in broader communities, and it will create a risk score based on this information.
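The sender-familiarity check described above can be expressed as a small, explainable scoring rule. The following is an added illustration written for this article, not code from any HRM product or from Mimecast; the three signals (first contact between this sender and this recipient, sender never seen by anyone in the organisation, sender present in an external block or reputation list), the point weights, the risk bands and the sample mailbox history are all constructed assumptions. A real deployment would draw the history from mail logs and the external flags from a reputation feed.

```python
from dataclasses import dataclass, field

# Constructed point weights and bands; tune to the organisation's own false-positive tolerance.
FIRST_CONTACT_POINTS = 30      # first mail from this sender to this recipient
UNKNOWN_TO_ORG_POINTS = 30     # nobody in the organisation has ever received mail from this sender
EXTERNAL_FLAG_POINTS = 40      # sender or its domain appears in an external flag list
REVIEW_THRESHOLD = 50          # at or above this, warn the user and log for the security team
BLOCK_THRESHOLD = 90           # at or above this, quarantine for analyst review


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str


@dataclass
class SenderHistory:
    """Organisation-wide memory of which internal recipients have received mail from each sender."""
    seen_by: dict = field(default_factory=dict)  # sender address -> set of recipient addresses

    def record(self, msg: Message) -> None:
        self.seen_by.setdefault(msg.sender.lower(), set()).add(msg.recipient.lower())


def score_message(msg: Message, history: SenderHistory, external_flags: set) -> tuple:
    """Return (score, reasons) for one inbound message using the three constructed signals."""
    sender = msg.sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    known_recipients = history.seen_by.get(sender, set())
    score, reasons = 0, []

    if msg.recipient.lower() not in known_recipients:
        score += FIRST_CONTACT_POINTS
        reasons.append("first message from this sender to this recipient")
    if not known_recipients:
        score += UNKNOWN_TO_ORG_POINTS
        reasons.append("sender has never contacted anyone in the organisation")
    if sender in external_flags or domain in external_flags:
        score += EXTERNAL_FLAG_POINTS
        reasons.append("sender or sender domain is flagged in an external list")
    return score, reasons


def risk_band(score: int) -> str:
    """Map a score to the action a defender would take; the thresholds are constructed."""
    if score >= BLOCK_THRESHOLD:
        return "quarantine"
    if score >= REVIEW_THRESHOLD:
        return "warn-and-log"
    return "deliver"


def build_sample_history() -> SenderHistory:
    """Constructed mailbox history: one vendor that regularly writes to finance."""
    history = SenderHistory()
    for recipient in ("alice@example.org", "bob@example.org"):
        history.record(Message("billing@known-vendor.example", recipient, "Invoice"))
    return history


def demo() -> dict:
    """Score four constructed messages against the sample history and a constructed flag list."""
    history = build_sample_history()
    external_flags = {"flagged-sender.example"}  # constructed external block/reputation list
    cases = {
        "known_sender_known_recipient": Message("billing@known-vendor.example", "alice@example.org", "Invoice"),
        "known_sender_new_recipient": Message("billing@known-vendor.example", "carol@example.org", "Invoice"),
        "unknown_sender": Message("ceo-office@new-domain.example", "carol@example.org", "Urgent payment"),
        "unknown_flagged_sender": Message("pay@flagged-sender.example", "carol@example.org", "Urgent payment"),
    }
    results = {}
    for name, msg in cases.items():
        score, reasons = score_message(msg, history, external_flags)
        results[name] = (score, risk_band(score), reasons)
    return results


if __name__ == "__main__":
    for name, (score, band, reasons) in demo().items():
        print(f"{name}: score={score} action={band} reasons={reasons}")
```

The point of keeping the rule this simple is that each reason is something the user can be shown in the warning, which is what turns the alert into point-in-time training rather than a silent block.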

HRM solutions are relatively simple to integrate into established governance, risk and compliance policies, standards and procedures.

The shared laptop challenge

Unfortunately, one form of insider threat remains a key challenge. Employees with elevated access rights and access to company information often share their company laptops with people at home.

Because of this, we see unauthorised users visiting risky sites, resulting in the device becoming compromised and potentially giving attackers the ability to mirror the laptop. Users also tend to forget that their cellphones have company collateral and information, and are therefore vulnerable.

It is very important to address this risk behaviour; however, security teams still grapple with the issue. Despite policies, procedures and consequences, people find ways to bypass them and still allow their children to use their laptops to do homework, or their friends to browse online with their devices.

There are systems available to block access to sites, but many organisations need to balance productivity with security and don't want to lock down devices completely. Their employees may need to do research online, access Gmail, view educational videos on YouTube, or open external productivity tools − so this remains a grey area and a challenge.

In my next article, I will address human risk as it relates to e-mail-based attacks, and how organisations can reduce financial losses and prevent reputational damage with Domain-based Message Authentication, Reporting and Conformance (DMARC).