What it will actually take to reduce human error in cyber security

Humans are still the weakest link when it comes to cyber security, but preventing simple slip-ups means creating a workplace culture where employees are comfortable raising their security concerns, one expert shared.

Human error is consistently a major driver in cyber losses, accounting for 88% of all data breaches, according to Stanford Research. A study by IBM puts the number at 95%. 

“The biggest trend we’re seeing is called business email compromise,” Dan Elliott, principal, cyber security risk consulting at Zurich Canada shared with Canadian Underwriter at the RIMS Canada Conference. 

Business email compromise is a type of scam where a cyber attacker attempts to defraud a company, its employees or partners, by imitating the owner’s identity.  

The average employee receives tens, even hundreds, of emails each day, many of which might have links attached to them.

But not all of these links are legitimate. It can be easy for an employee to mindlessly open a link, especially if the email looks authentic, or like it’s coming from their boss.  

The threat worsens when a company doesn’t create a culture where employees feel comfortable questioning where an email may’ve originated from.  

Especially so, because employees underestimate the role they play in their companies’ cyber safety.

Thirty per cent said they don’t believe cyber criminals would target them at work, while 28% of respondents said their employer is solely responsible for their workplace’s cyber security, according to an IBC survey of Canadian employees of small and medium-sized businesses.  

“If [you’re] in finance, accounting or business operations, and you’re getting asked to do something that…could have a substantive change to your day-to-day activity, then there needs to be a culture of ‘okay to contact,’” Elliott said. 

“If your boss sends you a [suspicious] email, but you’re afraid to reach out because double-checking with them might offend them, that needs to change,” he said. “There needs to be a full security culture change within organizations to be able to beat these systems…”

For insurance companies or brokers who are trying to get the point across to their business leaders, using simplified language is key.  

“Start to use non-technical language to speak about these issues, so that when you’re engaging the business leaders to build that security culture, they’re not thinking ‘I don’t understand these acronyms, I don’t understand these terms, these are too complicated for me.’” 

For example, there’s an easier way to convey to business leaders what data exfiltration means. 

“It’s theft,” said Elliot. “You don’t have to say, ‘organization X exfiltrated 22 terabytes of data from us.’ You can say, ‘they stole 20,000 personal identifiable records from our customers.’”

Using the language that business leaders are fluent in can help them understand the scope of the crime they’re dealing with. It also means they’ll be better able to explain common missteps to their employees. 

“[Help] them understand cyber from a business lens, so that they can start to feel that they’re a part of the solution, rather than it’s an IT problem.” 

Feature image by iStock.com/kieferpix