Changing Perspectives: Are employees really a weak link in the cybersecurity chain?

By Avishai Avivi, CISO at SafeBreach

The idea that people are the weakest link in the cybersecurity chain has been around almost as long as the industry. But how true is this, really? And even if it is true, is it wise to take this perspective?

As attack rates soar, consumers and investors are both looking for answers – and for someone to blame. With digital attacks creeping into the physical realm and putting lives—not just data—at risk, it has never been more important to identify and eliminate the weakest links. In this post, we will lay out the traditional argument of people as the weakest link, then undertake a revisionist stance, to propose a change of perspective.

The traditional perspective: people are the weakest link

The argument that employees are the weakest link in the cybersecurity chain is both well established, straightforward, and seemingly well-documented. Employees regularly fall victim to a variety of threats including, but not limited to:

• Phishing scams: Cisco Umbrella reports that 86% of organizations had at least one user try to connect to a phishing site.
• Business email compromise (BEC) scams: The FBI has identified this as one of the most financially damaging online crimes.
• Poor password hygiene
• Insider threats: Verizon reports that 36% of all data breaches experienced by companies of 1,000 employees or more were caused by malicious employees. For businesses with fewer than 1,000 employees, 44% of all data breaches were caused by malicious employees.

The rise in hybrid working, which places employees outside of the corporate network and the protection it entails, has also proven to be a significant challenge for security teams. At the end of the day, chief information security officers (CISOs) and other security professionals are simply not able to exert the same level of control over employees as they would over traditional security tools.

The revisionist view: people are the strongest link

While viewing employees as the weak link in the cybersecurity chain is understandable—especially in light of the statistics above—there are some problems that arise when this perspective is accepted.

Organisations that see their employees as a weak link are likely to apply over-stringent security controls on employees. This not only hinders an employee’s ability to do their job, but can also encourage them to find “creative” ways around said controls. These creative methods are likely not monitored or secured by security teams, potentially opening the door for more significant vulnerabilities and risk.

Employees are not intrinsically a weak or strong link in the cybersecurity chain – it depends on how well trained they are. If proper cybersecurity awareness training is provided, there’s no reason why employees shouldn’t be the strongest line of defence in an organisation’s cybersecurity stack.

With this in mind, forward thinking organisations should view their employees as a security asset, rather than a security liability. The approach should not be to hoist employees out of incompetence, but to realise their potential as a strong last line of defence. Organisations should inspire their employees to realise that potential.

Cybersecurity awareness training, while still a relatively new concept, is already proving to be an effective method for fortifying the human factor in cybersecurity. KnowBe4, a cybersecurity awareness training company, found that just 90 days of training for all employees brings down the risk of falling for a phishing scam from 27% to 13%. Translate these results to a company that incorporates security awareness training throughout its business infrastructure, and you may well see employees growing into an organisation’s most valuable security asset.

Realising employee potential:

Now that you have recognised the security benefits that employees can bring to an organisation, how do you go about realising them? We’ve established that effective cybersecurity awareness training is the way forward, but what does that entail?

Fortunately, there are best practices that would place an organisation squarely on the path to security-savvy staff.

• Initial assessment: Before cybersecurity awareness training is implemented, organisation’s must establish their baseline security posture. Metrics such as phishing susceptibility and general cybersecurity knowledge can be used as a control, a measure to establish the effectiveness of training initiatives.
• Inclusive participation: The most effective cybersecurity awareness initiatives reach all areas of a business – from the CEO down. This ensures that everyone in the company is on the same page and promotes a security-first culture within the community.
• Free and easy communication: Everyone within an organisation has the right to be informed on the company’s vision for cybersecurity, how they want to get there, and of the progress that has been made. One can’t expect employees to truly buy into an initiative they are only partially privy to.
• Regular assessments and training: Security awareness training is not something that can be completed in hours, days, or even weeks. Not only do principles need to be reinforced and training effectiveness measured; the cyber landscape is constantly evolving – training needs to evolve with it.
• Informed training: Training exercises should be carried out according to need – assessments will reveal where employees need the most support. It’s important to administer relevant training as soon as possible after the assessment is completed.
• Reinforcement: Reinforcing key areas keeps cybersecurity firmly in the minds of employees. Training should have a rhythm, with each session building on the last. Employees won’t retain information dumped on them in haphazard, dense training sessions – continuity is important.
• Reporting: Gauging the effectiveness of cybersecurity awareness training is reliant on reporting. Ensuring sufficient tracking and reporting is carried out will allow insight and increase actionable intelligence.
• Motivation: Cybersecurity can be a dry topic – especially for those who aren’t in the industry. Keeping employees engaged relies on motivation. Making clear to employees that they are the strongest and most important link in the cybersecurity chain will instil in them a feeling of pride, motivating them to keep on top of their training. Gamification is another tried-and-true method of keeping people engaged. Positive reinforcement is also essential – implementing awards such as “cyber hero of the month” is a great way to make employees feel valued and motivated.

The takeaways:

To sum up, viewing employees as the weakest link in the cybersecurity chain is a somewhat misguided, oversimplified perspective – if a traditional security tool was neglected, it would be a weak link too.

Employees are the most crucial element of a security stack. However effective existing measures may be, something will always slip through the net, and the security of the company will end up in the hands of an employee.

In light of this, organisations must work to realise the benefits that security-savvy staff can bring about. By providing them with the proper training, tools and incentives, organisations can transform their weakest link, into their strongest link.