Alexander Pope once said, “To err is human; to forgive, divine”. Clearly, Pope never had to deal with being a CISO and having an employee fall victim to a phishing attack. Companies continue to update their digital fortresses to keep out intruders or cyberattacks. Yet, a very overlooked piece of the puzzle lies outside the computer screen. In fact, the real problem is precisely the entity behind the computer screen: a human. Yes, you read that right. We may have dominion over the animal kingdom, but when it comes to the jungle of the digital “cyberverse”, we are at the bottom of the food chain – and the weakest link.
Will cybercrime ever end?
As long as there are computers, cybercrime will forever persist, and it will still cost companies a lot of resources to patch. According to Accenture, the average annualized cost for global companies caused by cyberattacks in 2013 rounded out to about 7.2 million dollars. If you thought that was bad, the same report states that in 2017, that price rose 62% to about 11.7 million dollars! It’s hard not to foresee a consistent rise in that number. Keep in mind that these are just average costs, which is in stark contrast to companies like Target and Yahoo, who experienced data breaches with costs exceeding 200 million dollars.
Is technology the solution?
Now the solution seems quite obvious: develop new tech to stop the hackers. Easy, right? Wrong. The power of code is not limitless and at the end of the day, technology can only solve technological problems. Not all problems are going to be related to the technology, because most problems will be related to cybersecurity’s ubiquitous flaw: human behavior. In 2014, IBM reported that human error was a contributing factor in over 95% of all security incidents.
Technology cannot always solve the problem of human behavior, although there is still hope. We humans are going to remain in the workplace for a long time, because human judgment is necessary to bridge the gap between the capabilities of technology and our collective needs. Companies often fail to see the bigger picture, prioritizing solving technology problems with technological solutions only. If they realized that the issue is more than technological, and simply introduced some social engineering into the mix, they could help reduce the number of bad habits and foster better ones. So, what can companies do to reduce the human risk factor?
Human behavior is predictable.
One of the most fundamental principles of behavioral psychology is that we are predictable in our biases. Don’t believe me? A study from Northeastern University back in 2010 found that humans are 93% predictable in their mobility patterns! Still unsure? Well, how many times do you hit the “remind me later” option on your computer/security update notifications? Do you ever commit to it within a reasonable amount of time? Therefore, by exploiting your natural tendency toward what is convenient/predictable, you can maximize your current security awareness and continually improve it by establishing a strong “default” behavior.
The behavioral sciences emphasize that the “default” setting (whatever it may be) usually sticks. Therefore, by establishing strong defaults, you can improve your own behavior. This has been observed with organ donation and retirement savings programs, where the “opt-in” option was switched to an “opt-out” option. This simple change caused an increase in participation, simply because it established a stronger default, according to Harvard Business Review. Applying this principle to enterprise user security can mimic the opt-out option for: using a VPN, turning on two-factor authentication (2FA), enabling full-disk encryption, or authorizing auto-update features. Employers could take the time to set up computers and systems to have these features turned on as their default. Doing so could improve compliance and mitigate the risk of a breach.
Commit to auto-updates.
Using calendar commitments could also work. This method would be used primarily to push auto-updates to employees. If we put off auto-updates, it is often because we think there is going to be a “better time”. But the workplace is based in real time; you are constantly shuffling through tasks that never leave you a lick of time to predict when you can schedule other ones. In the real-time office environment, there won’t ever be a “better time” for that update.
Pre-committing to update installations can allow for a break from the screen grind and for security to update your system before any attack occurs. Combining these strategies with a great technological defense will mitigate the risk of human error and the security vulnerabilities it creates. If companies continue to spend money on what they consider to be strictly a technological solution, they will forever remain susceptible to attack. However, if we can view this problem as one that includes the human propensity to make mistakes, we are more likely to keep our data in, and keep the bad guys out. The solution is not just technological, it’s also psychological.