The Human Firewall: Strengthening the Weakest Link in Cybersecurity

By Steve Soukup, CEO, DefenseStorm

Innovative technology has revolutionized the way we work and live by unlocking a wealth of new capabilities. As artificial intelligence makes daily operations more efficient and flexible, people become increasingly reliant on the luxury of digital technology. Of course, businesses then competitively introduce the latest and greatest to meet the demands. With new technology and changed business operations comes exposure to new cyber risks, prompting companies to prioritize and invest in stronger cybersecurity measures.

Ominous headlines touting 2023 as the “Year of Risk,” have organizations scrambling to increase their cybersecurity budget and buy the latest threat detection technology. The technology and supportive resources to prevent threats from becoming attacks are important, but what if I told you that while you have the newest, state-of-the-art technology safeguarding your systems, your employees are your biggest vulnerability? Even the most technologically savvy employees are a liability. Just ask NASA about the Mars climate orbiter…a simple human mistake in measurement conversion by scientists led to a navigation error sending the climate orbiter to its demise, burning up in the Martian atmosphere. The result? A loss of nearly 200 million dollars and red faces all around.

The reality: Despite having the most effective cybersecurity measures implemented, a simple human error can lead to significant financial losses, interruptions in business operations, and harm to the organization’s reputation.

The Weakest Link

Companies become confident and ready to take on the threat of cyberattacks after implementing the newest and most advanced solutions in cyber risk management. Most businesses eagerly invest in the best security products, hire external monitoring support for their internal teams, and implement proactive strategies for preventing and mitigating cyberattacks. Money spent, new technology employed, defenses at the ready – you’re prepared. And then, a targeted C-level executive mistakenly clicks on a phish – cue data breach, assets are at risk, and sensitive client information is compromised. This cyberattack was 100% preventable.

A joint study by Stanford University Professor Jeff Hancock and security firm Tessian, found that a staggering 88% of data breaches result from employee mistakes. IBM Security’s research reports an even higher figure at 95%. So, you’ve secured your house, purchased the strongest locks, and installed the most advanced home security system…and then someone leaves a window open.

An understanding of cyber risk awareness is just as vital to the maturity of your program as having the right products in your cyber toolset or implementing a proactive plan. Integrating all these essential components is what makes your company fully prepared to tackle cyber threats, but recognizing the importance of security awareness is also crucial to prevent costly errors.

The WHY and HOW

Understanding how employees can inadvertently cause a hole in your security is vital to protect your business. Mistakes are made at ALL levels and across ALL departments due to insufficient cyber risk awareness training, distraction, burnout, or even complacency. Some of the worst breaches occur from a simple lack of knowledge.

Ask yourself: Do your employees casually open emails on their phones, oblivious to the telltale signs of a phish? Are they click happy just clicking links and downloading files without regard for the source? Do they reuse the same password across multiple accounts? Is their professional device automatically connecting to an unsecured Wifi? More importantly, do they even realize that these actions make them vulnerable?

Another challenge associated with cybersecurity awareness is outright distraction. Most employees are constantly running busy and opening messages on the go. Most of us are juggling three tasks at once, and we are aware of the risks, BUT are we paying attention?

Consider this incident: You’re hurrying to shut down for the day so you can get to your kid’s soccer game on time when an email pops up in your inbox. It’s from your CEO with the subject line: Explain these numbers. Your heart practically stops. What numbers? The clock is ticking to get to that game, so you immediately open it, quickly skim through the email, and download the attachment. You fell for it – CEO spoof. Had you stopped for a second, you would have realized that the email says your CEO’s name, but the address is from an outside entity. If you had carefully read through, the message has slightly broken English, and the signature line is wrong. You’ve been duped. It happens, but how can this costly mistake be prevented from occurring over and over again?

Cyber Risk Awareness

Whether caused by distraction or lack of awareness, the consequences of a breach are still the same – compromised data, interruption of service, monetary loss, and a tarnished reputation. Strengthening cyber risk awareness is important for all employees to prevent these simple but egregious mistakes. Keeping employees trained, aware, and motivated can be done by employing these best practices:

1. Integrate cyber risk awareness training in the onboarding process for new hires.
2. Train all employees; we mean ALL – from the interns to the C-Level executives.
3. Provide ongoing training and workshops to identify questionable links, emails, and other potential threats. Equally important is teaching proper protocol to create strong passwords, handle sensitive information, and responsibly use technology. Simulated phishing exercises can help employees learn how to distinguish between a possible threat and genuine communication.
4. Motivate and empower! Participate in cyber awareness campaigns with memorable slogans that can be used internally on posters, magnets or mouse pads; use catchy reminders like “Think Before you Click” or “One Click is all it Takes” to keep it fresh in everyone’s mind.

One of DefenseStorm’s clients recently shared that they motivate employees to pause and think about cybersecurity by using two monthly raffles. Employees are entered into the first raffle when they successfully identify a campaign phish and are submitted for the second raffle if they identify a real phish. Getting the conversation going by using motivational tools and incentives creates an opportunity for positive reinforcement and open communication, so your employees remember to stay alert even amidst distractions. If everyone is talking about it, can they really forget?

5. Cybersecurity awareness also includes the collection and distribution of important alerts and news. Ensure all employees are signed up for the latest cybersecurity news updates. Send out messages internally to alert employees of possible threats.

DefenseStorm provides Daily Security Intel Bulletins, which is a collection of the most important cybersecurity news and alerts for the day, to all clients and employees. The bulletin promotes peer-to-peer sharing and builds a community of trust to work together against the threat of cyberattacks.

Prioritize Cybersecurity Personnel

Even the most technologically savvy employees can become a significant liability. Burn out, gap in talent, waning skills, and complacency among internal cybersecurity teams can easily be a cause of vulnerability in your security.

Have you checked in with your cybersecurity team? How are they managing? Companies report major burnout because the workforce ratio versus cyber events is overwhelming. The demands to scrutinize the constant flood of cyber events can’t be managed by outdated manual processes and understaffed teams. When employees are overloaded, mistakes happen. There is also concern that internal Security Operations Center (SOC) tasks become redundant for individuals. Boredom fuels complacency, which in turn, spawns errors and oversights. Build a stronger internal team through evaluation and training to keep them alert, motivated, and ready for emerging threats. Consider these effective strategies:

1. Ensure your internal cybersecurity team receives active support from the executive team.
2. Address employee burnout by leveraging AI technology and partnering with external teams to co-manage your cybersecurity.
3. Combat redundancy by cycling employees through different roles and providing learning opportunities with new technology for analysts.
4. Bridge the talent gap by creating partnerships between base analysts and incident responders which provide advancement of skills.
5. Strengthen skills with Maturity Mapping to evaluate your internal team’s capability and preparedness. Running through simulated exercises and evaluations gives insight into your institution’s performance and readiness. Understanding your internal team’s response, resilience, and recovery abilities allows for setting goals, benchmarks, and performance expectations.

Staying Informed and Alert

With cyber threats, emerging technology, and daily operational demands contending for priority, it’s easy to forget the pivotal role human factors play in the success or decline of a business. It’s possible for any one of your employees to make a damaging error, so while you are beefing up your cyber defenses, remember the cautionary tale of the Mars orbiter mishap and how even rocket scientists can have their “oops” moments. Don’t wait until an avoidable mistake – foster a culture of continuous cyber risk awareness, nurture your cybersecurity teams, and implement comprehensive training programs. With education and empowerment, companies can prevent mistakes, reduce the impact of human error, better safeguard their valuable assets, and maintain a strong and resilient defense in the face of the ever-evolving cyber risk landscape.

About the Author

Steve Soukup is the Chief Executive Officer for DefenseStorm. He was first appointed Chief Revenue Officer in 2017 with a primary focus to drive business growth while leveraging his extensive experience serving the banking vertical. Before joining DefenseStorm, He has held leadership positions at Intuit, S1 Corporation, and KPN and acquired direct banking experience through management positions at Key Bank, BankBoston, and State Street Bank. Based on his ability to successfully deliver results, Steve was promoted to DefenseStorm President in October 2019 and then to CEO in April 2020, where he leads all aspects of the business. Under his direction, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness while establishing an empowering tone and culture through the company’s core objectives. Steve serves with a passion to live, work, and promote the DefenseStorm mission to build a community of trust so we can grow and thrive together. He prides himself on nurturing relationships between the company, employees, and clients, which has resonated deeply into the fabric of DefenseStorm’s client base, proving that a positive culture starts from the top. Steve holds a bachelor’s degree in finance from Boston College and an MBA from Boston University’s Questrom School of Business.

Steve can be reached at [email protected] – www.DefenseStorm.com