Awareness. How to mitigate human error in corporate cybersecurity
- Low cyber literacy among employees and contractors increases security risk and can disrupt normal workflow.
- Teaching employees the basics of cyber hygiene limits the damage caused by human error and can make staff up to nine times more resistant to phishing.
- Business impact analysis (BIA) can help:
- understand the digital risks associated with the human factor
- assess the possible implications of such risks
- identify groups of people who can impact the risks (employees of different business units, counterparties, contractors)
- Depending on the risks and the nature of each role, the company should diversify its education formats, from face‑to‑face and online courses to newsletters and practical exercises. Whatever the mix, the approach must remain comprehensive and combine training, knowledge testing, and attack drills.
An accountant kept the password to his work computer in the notes app on his phone. Attackers compromised the phone, obtained the corporate credentials, and leaked the company’s accounts.
A bank employee was using a public cloud to send confidential files. The cloud provider did not take proper care of its security, and the files ended up in the hands of criminals.
An office manager received a call on Sunday, allegedly from the company’s IT department. They reported on doing some urgent maintenance work and asked the employee to log in to the workstation at the office. To avoid the trip, the “IT specialist” helpfully suggested that the office manager share the user password over the phone. As a result, the scammers gained access to the corporate systems.
All of these examples have one thing in common: the organizations were compromised because of an error made by their employees. Even the most advanced technology is helpless when the human element is left out of the security processes. The consequences can be wide‑ranging, up to a complete halt of business operations:
- leakage of corporate data
- disclosure of confidential information
- theft of intellectual property
- corruption or complete deletion of critical data
- unavailability of internal IT systems and user services
- financial and reputational damages
- fines and regulatory sanctions
The number of attacks on companies through their employees is growing from year to year. One of the reasons for this trend is the low level of cybersecurity awareness. Hackers understand they have a good chance to bypass security systems by exploiting company staff, and this trend is expected to persist.
How the human element reduces the effectiveness of cyber defenses:
- A company may downplay the risks associated with employees, for instance by investing in protection technologies while neglecting to write internal cybersecurity policies. Without a password policy, employees end up choosing passwords that are easy to crack.
- Even if a company does have cybersecurity regulations, the language they are written in may be overly sophisticated. Employees might end up treating these regulations as yet another form of bureaucracy, which can be ignored. It is worth noting that if top management leads by example and shows the importance of complying with cybersecurity requirements, employees are more likely to do the same.
- It is crucial that individuals follow the security guidelines outside of work as well, because even their personal smartphones can become a vector of attack against company infrastructure. In particular, the actual destination of email links should be verified both in the office and at home, and public Wi‑Fi networks are best avoided on corporate and personal devices alike.
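Checking where a link really leads is also something a mail gateway or a mail-client add‑in can do for the user. The following Python script is an added example, not code from the original article or from any BI.ZONE product: it extracts every link from an HTML message, compares the domain the reader sees with the host the `href` actually points to, and flags the common tricks used to disguise a destination (a look‑alike host, credentials in the URL that push the real host out of view, a raw IP address, punycode, plain HTTP, or a non‑web scheme). The sample message and all host names in it are constructed for illustration.

```python
"""Flag e-mail links whose real destination differs from what the reader sees.

Added example, not code from the original article.  It does in software what
the text asks users to do by hand: hover over each link and compare the text
shown with the actual target.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that looks like a URL or a bare domain; group 1 is the host shown.
_URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:]|$)", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(shown, real):
    """True when one host equals the other or is a subdomain of it."""
    return shown == real or real.endswith("." + shown) or shown.endswith("." + real)


def analyse_links(html_body):
    """Return [(href, shown_text, [reasons])] for every link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if not href or href.lower().startswith("mailto:"):
            continue  # named anchors and plain mail addresses are not web destinations
        try:
            parts = urlsplit(href)
        except ValueError:
            findings.append((href, text, ["unparseable URL"]))
            continue
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {parts.scheme!r}")
        elif parts.scheme == "http":
            reasons.append("plain http")
        if "@" in parts.netloc:
            reasons.append("credentials in URL hide the real host")
        if _IPV4.match(host):
            reasons.append("raw IP address")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host (possible look-alike)")
        match = _URL_LIKE.match(text)
        if match and not _same_site(match.group(1).lower(), host):
            reasons.append(f"text shows {match.group(1).lower()} but link goes to {host or href}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed message for the example; none of the domains are real services.
SAMPLE_EMAIL = """
<p>Your mailbox is full. Please <a href="https://corp.example.login-reset.test/">
https://mail.corp.example/reset</a> to continue.</p>
<p>Or use <a href="http://corp.example@198.51.100.23/login">the backup portal</a>.</p>
<p>Questions? Contact <a href="mailto:helpdesk@corp.example">helpdesk</a> or visit
<a href="https://mail.corp.example/help">https://mail.corp.example/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyse_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print(f"    - {reason}")
```

The first link in the sample is the case the text warns about: the visible text names the company's own mail host while the `href` leads to an unrelated domain. The second shows why hovering alone is not enough: `corp.example@` is only a username in the URL, and the browser will connect to the IP address after the `@`. The last link passes because the shown host and the real host agree.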
This is why we encourage our clients to consider, as early as possible, how their security processes account for human behavior. The first step is to identify the events that would have the greatest impact on the business.
Understanding which incidents would hit the company hardest calls for a business impact analysis (BIA). The method assesses the full range of external and internal threats together with the direct and indirect losses an incident can cause: property damage, deterioration of service quality, loss of market position. Applied to the human factor, the analysis covers:
- Core and supporting business processes with a focus on critical operations potentially vulnerable to human error.
- Possible scale of the consequences if an incident does occur.
- Employees involved in these processes, classified into target groups by key factors:
- nature of the activity
- methods and tactics that attackers are likely to implement when targeting a particular group
- scale of the possible consequences of a negative impact (e.g., the most tangible damage from an attack for one company might be leaked domain passwords, while a ransomware infection might be devastating for another)
- Awareness activities for each group and course of action in case of a cyberattack.
By analyzing the potential damage and the nature of attacks on different groups of employees, you can decide on the level and depth of training for each group. Employees who are already highly cyber‑aware, such as cybersecurity specialists, may not need additional training, so extra spending there is probably unnecessary. Accountants, in contrast, may need extended training with phishing simulations or practical exercises.
Based on the BIA results, you can plan the number of training courses, their frequency, and the type of testing for each category of employees. The plan should reflect each group’s level of access to information assets and systems. System administrators, for example, have complete access, so they should be trained and tested more often, say once a quarter, while annual training is sufficient for users who do not work with critical IT assets.
When you have conceptualized the potential damage and figured out who needs to improve cyber awareness and how, you can devise a training program that fits your company.
The course activities will aid employees in understanding the following:
- damage a business could face in an incident caused by a staff member
- methods that attackers can use against your employees
- importance of ongoing training and knowledge testing as well as correct actions in an incident
The set of training activities varies depending on the objectives:
| Objective | Activities | Outcome |
|---|---|---|
| Show the impact of incidents on business | A series of internal briefings for target groups (accountants, economists, logisticians, IT specialists, etc.). Each group receives its own set of instructions, depending on the work it performs and the possible consequences of an incident. | Employees get tangible insight into the impact of an attack on operations and are motivated not to become the cause of an incident. |
| Introduce mitigation methods | Courses and training seminars for target groups of employees. The activities should cover the most damaging attack methods for the particular group: phishing for sales managers, targeted attacks on the finance department, etc. | People gain practical knowledge of the mechanics behind cyberattacks. |
| Monitor cybersecurity awareness | Testing, practice drills and response procedures, routine phishing email campaigns. The structure and schedule depend on the group’s needs. | You get reports on the effectiveness of the training, which you can use in planning further activities. |
For each group, we recommend developing a customized set of activities. This makes it easier to arrive at a suitable training plan.
For example, one group may start with a training course, then test its knowledge and practice its skills in guided attacks. Another group goes through a simulated incident first and takes the course afterwards. After every training attack, collect statistics and analyze the actions of all participants. If the majority of a group fail the test, schedule an additional course for that group before its next activity.
If any counterparties have access to the company’s infrastructure, they should also be divided into risk groups according to how critical their influence is. This lets the company decide whether to allocate a budget for their training and whether additional arrangements are required. For example, the agreement with such a third party can require its users to complete theoretical and practical training before they are given access to corporate resources.
Using our cyber literacy platform, we analyzed which categories of employees are most vulnerable, by department. More often than not, dangerous practices are observed among employees outside IT: for example, at least half of marketing staff and office managers open malicious emails.
How different employees deal with phishing
1. Encourage safe working practices in the office and remotely
The content of training materials and tests must be updated regularly. This enables people to stay informed about new cyber threats, technologies, and security practices. Make sure to conduct post‑training check‑ups to track employee progress.
2. Create a communication channel to report security events
This way employees will have the opportunity to report suspected incidents and consult with a cybersecurity specialist.
3. Provide guidance in case of a suspected incident
This ensures that an individual takes the right actions from the very first steps of incident response. For example, it is important not to reboot the computer, to take screenshots for the security team, and to report the problem to IT immediately.
4. Conduct regular phishing attack simulations
These help to prepare staff for real‑life incidents and reduce the chances for hackers to succeed. Training attacks should cover the entire company: from regular business operations to executive management. The exercise report provides a true snapshot of how well different departments are prepared for cyber incidents, and how thorough their cybersecurity culture is.
5. Create regular newsletters for the entire company
This is a convenient way to distribute cybersecurity tips, show correct software settings and new security techniques, and warn staff about cyber threats.
6. Discourage cybersecurity violations
Such cases would require sanctions and disciplinary action, like withholding bonuses. Employees should have a sense of personal responsibility for complying with the rules. At the same time, the process of accountability should be as transparent as possible.
7. Use out‑of‑the‑box training services
These are security awareness solutions: cybersecurity training programs compiled by experts. Such programs help to organize a continuous, monitored cycle of training and skills development.
For our clients, we offer BI.ZONE Security Fitness, a comprehensive solution that aims to prevent social engineering attacks. It combines training courses, drills, and real attack tracking.
Case study. The client operated an e‑payment system and regularly faced attacks on its staff. We launched a newsletter about the rising number of phishing messages, describing their characteristics and sharing response techniques. Unfortunately, this was not enough: employees still opened the emails out of curiosity or carelessness, and some users simply ignored the newsletter because they were not engaged in the process.
It turned out that the company had never trained its employees to identify fraudulent emails. A framework for cybersecurity education was virtually non‑existent. Our team took the following steps:
- Identified target groups by the level of access to critical assets and by information security skills: “Finance and accounting,” “IT and cybersecurity,” “Operating specialists,” and “Low risk employees.”
- Developed a schedule of training courses and attack drills for each group. In doing so, we took into account the specifics of the company, the groups themselves, the working conditions, and the level of cyber hygiene in each group. The customized courses included client‑specific assets, applications, and types of sensitive information. In addition, our experts expanded on the sections of secure working with e‑payment systems.
- Implemented a continuous awareness process with BI.ZONE Security Fitness. It included a series of routine training for employees, attack drills, and improvements to the motivational scheme.
The results:
- In six months, the number of vulnerable individuals dropped by 30%.
- The Security Champion incentive program increased employee involvement in cybersecurity compliance and strengthened loyalty.
- We updated the psychological profiles of employees.
An effective way to prepare your business against potential attacks on employees is to provide comprehensive and continuous training on safe digital workflows. These measures should ideally cover every person in the company, including senior leadership.
Training can be run internally: you can install dedicated software, write the emails and scenarios, and design the phishing attachments and landing pages yourself. It is more effective, however, to use off‑the‑shelf solutions that incorporate the latest attack techniques, because they make the simulated situation as close to reality as possible, and automated services also collect the statistics and track each employee’s progress for you.
You can hire an expert company to simulate an emergency. The experts will imitate an attack, collect analytics, and provide recommendations on how to make people more resilient to digital threats.