Blog

Porus Daruvala shares an article that explores a cyber breach analysis on human error in cyber security.

Look up any cyber breach analysis and you will find that #humanerror is almost always the leading cause. See the link in the comments which gives a good overview of the different types of human error categories. Some are truly shocking.

 42% of IT professionals report that their organization relies on STICKY NOTES to manage passwords 

 58% of organizations report that employees ignore cybersecurity guidelines

 Despite this reality, the overwhelming focus when it comes to cybersecurity is on the hottest, shiny new cyber sec software/app. Granted many of them are necessary and in some cases explicitly force secure human interaction. But, in my view, there is seriously inadequate focus on non-technology solutions beyond some boiler plate “training and awareness”.

 If you are one of those who believes cyber breaches are a serious problem that will only get worse, here are some (perhaps provocative) solutions that are more human centric:

 – Instead of waiting to train employees after they join an organization, companies should incorporate a cyber sec capability/responsibility requirement similar to “must be fluent in word/PowerPoint” into every JD. Mastercard is already doing this with a corporate security responsibility section at the end of each JD but I believe it needs to go beyond that. For example, indicating that a preferred cyber security certification (third party or custom) is strongly desired or even required.

– Even if companies are not yet listing this as a requirement, candidates should proactively acquire and display a well-regarded cyber certification to gain an edge/stand out. One that focuses on overcoming the practical, human error related challenges rather than something overly technical. Sophisticated and forward thinking employers will almost certainly value this big time

– If you are an employer that uses a solution like KnowBe4, congratulations. You are in the minority. If you are not, solutions like this would be an example of taking your cyber sec training and awareness beyond boiler plate. And if you are, perhaps extending this solution to prospective employees in the form of an assessment may be an option

– To quote Charlie Munger, “show me the incentive and I will show you the outcome” – companies should explicitly incorporate expected cyber security requirements/behavior into performance evaluation and compensation systems. Reward good behavior and penalize bad behavior across every level in the organization. Perhaps this is already happening but I have not seen it and I’m pretty sure it’s the exception rather than the norm.

Key points include:

• Password management
• Training employees
• KnowBe4

Access the article, Human Error in Cyber Security, on Linkedin.