The human element in cyber risk

Wednesday, 15 November, 2023


According to research by security firm Tessian and Professor Jeff Hancock, 88%** of data breaches take place due to employee errors. People make mistakes, and those mistakes account for plenty of cyber incidents. That doesn’t mean your employees are liabilities. Far from it: they’re an essential part of your fight against cyber threats.

Empower through knowledge

The most important element in cyber security is knowledge. Teach your employees about best practices, password security, compliance and other cyber knowledge, and they transform from mere tech users into vigilant guardians of digital assets. Successfully trained employees will be able to:

  • recognise and report suspicious activities
  • safeguard sensitive data
  • actively contribute to an organisation’s cyber security and its practices

Create a culture of security

A positive security culture can make a huge impact within an organisation. You can bring about big changes when employees understand that cyber security is not just a set of boring rules, a punishment waiting to happen or a hindrance to daily tasks – but a shared responsibility. They get to feel a sense of collective ownership for digital safety, and take pride in protecting the digital assets.

Here are a few reasons why a culture of security matters:

Collective responsibility

Protecting the organisation’s digital assets on the ground shouldn’t just fall on the IT team; it goes across the board, as an organisation’s Information Security Policy (ISP) usually applies to everyone in the organisation. Having a thorough ISP with defined roles and responsibilities allows employees to understand their contribution to helping keep assets secure.

Proactive vigilance

Instead of waiting for security incidents to happen, teams with a security-focused culture tend to proactively look out for potential threats. They become the first line of defence by spotting and reporting suspicious activities promptly. This happens in different ways, including simply forwarding suspicious emails on to the organisation’s security team to do checks, or carrying out regular phishing awareness training. Instead of relying on the IT department to filter out phishing emails, employees are encouraged to stay vigilant and report anything suspicious. This not only helps out the IT department, but also helps identify and tackle potential threats faster.

Open communication

Encouraging open conversations and easy information sharing within the organisation helps employees feel comfortable reporting cyber risks, discussing concerns, and actively participating in cyber training. This helps to create an environment of trust and collaboration, alongside fostering a sense of shared responsibility in protecting digital assets across the organisation. It’s good when employees feel able to freely discuss suspicious emails they receive, or report potential breaches, without fear of repercussion. Open communication builds trust.

Continuous learning

A positive culture helps to encourage employees to stay informed about evolving cyber threats and best practices, ensuring their cyber security knowledge is up to date. Encourage team members to participate in training sessions, and make informative resources readily accessible, so that they can continually enhance their cybersecurity knowledge. Spread the word via your intranet, internal newsletters, or blog posts. Make it easy for people to keep learning. There’s more insight on this in Lucia’s article: Staying true to your policies and standards.

Create proactive defenders

None of these ideas are particularly radical, or hard to implement. As a leader, your most important task is to enable them to happen. That means communicating your expectations, and allowing team members to take the time they need to be vigilant, to keep communicating, and to keep learning.

_** Shortly after publishing this article, the original report was reuploaded with a new data focus. This report omitted the figure used; however, we have been able to corroborate the conclusions of the original report from other sources._

Headline photo by Jason Goodman on Unsplash