In today’s increasingly digital world, cybersecurity is more important than ever. However, purely technological solutions to cybersecurity are bound to fail. Recent studies find that close to 90 percent of data breaches continue to be caused by human error. The reason is that many organizations’ security postures fail to take human behavior into account. Cyber insurance companies can recommend several controls to their clients, including multi-factor authentication (MFA), endpoint detection and response (EDR), and immutable backups. However, organizations should not invest only in technologies to prevent breaches. Protecting businesses from a data breach increasingly means focusing on changing user behavior. Since breaches are largely user-based, organizations need to invest in people. With the right awareness training, employees will be better equipped to deal with cybersecurity threats.
Organizations today face a security landscape that is more complex and dynamic than ever before. In response, many companies have turned to artificial intelligence (AI) and automated processes to bolster their security posture. While these technologies can certainly play a role in improving security, we believe that they should not be the focal point of an organization’s security strategy.
Taking human behavior into account
The reality is that the vast majority of security vulnerabilities are still caused by human error. Whether it’s clicking on a phishing email or failing to follow best practices, human behavior is often the weak link in an organization’s security chain. As such, we believe that organizations should focus on raising awareness and improving security behavior among their employees.
We’ve participated in several conferences and events dedicated to cybersecurity. The most recent of these was the 8th annual NetDiligence Cyber Risk Summit in Toronto this past week. We were thrilled to meet with industry leaders as well as cyber insurance professionals and others from the field. Several exchanges with prominent privacy liability and risk management thought leaders were also insightful. Emphasis was placed on the importance of investing in robust security technologies. While we agree that good technologies and granular security controls are part of the solution, we argue that technology alone is not the appropriate response to a largely human problem.
Technology alone isn’t the answer to your security problems
Human users are a vector for security vulnerabilities, but they are also the key to opportunity. The issue is so heavily user-driven that it would be foolish for organizations to invest disproportionately in AI and other technologies as a primary approach to address it. For this reason alone, we feel this is a great time for a shift in thinking. Rather than focusing solely on technology, we must also invest in security posture, phishing resistance, and user behavior best practices. Awareness must be raised at all levels of the organization to create a user base, and an enterprise, that is better equipped to deal with cybersecurity threats.
Creating a human-centered security strategy
Cybersecurity awareness measures are critical to ensure that organizations are prepared to face the challenges of the modern security landscape. By training employees on best practices and raising awareness about potential threats, businesses can better protect themselves from data breaches and other cybersecurity incidents. While technologies like AI and automated processes can play a role in improving security, they should not be the focal point of an organization’s security strategy. Instead, businesses should focus on changing user behavior and investing in people. With the right awareness training, employees will be better equipped to deal with cybersecurity threats. We feel that a user awareness approach based on user participation is more constructive and more likely to result in longer-term beneficial effects, both for individuals and for the organizations that they are a part of.
Your turn
What are your thoughts on this issue? Given that nearly 9 in 10 data breaches organizations face are caused by their users, do you believe that organizations should focus additional investment on behavioral and awareness solutions and less on individual technologies? Let us know in the comments below.