Recently, Elevate Security’s very own Co-Founder and President, Masha Sedova, started quite the discussion on LinkedIn on how cybersecurity teams have been mishandling user risk. This timely conversation was then followed up by a heated (but friendly!) debate with Matthew Rosenquist, CISO at Eclipz.io Inc. on an episode of Cybersecurity Insights.
Many security teams have been trying to solve user risk based on three assumptions we’ve accepted as security truths. However, these assumptions, or rather, myths, are not a reflection of reality. “User risk is the last untamed frontier of security, and for good reason—it is the hardest area to solve,” says Masha. It’s time to reassess some fundamentals. Below, we’re sharing our hot take on the top three cybersecurity and user risk myths.
Myth #1: One Click Can Bring Down the Company
Truth: Humans can and will make security mistakes and that needs to be okay.
Humans will make security mistakes. It’s inevitable:
- 4% of users generate 82% of phishing incidents (some clicking twice per month)
- 3% of users generate 92% of malware events
- 12% of users are responsible for 71% of secure browsing incidents
The sooner we come to terms with that and start designing our programs to accommodate and work with the reality of user risk, the faster we will come to a solution that actually works in protecting our organizations.
However, one of the most challenging aspects of building a security program is balancing the need to secure the business while maintaining a productive workforce. Simply brushing off the human element as the “weakest link” and investing in technological controls hasn’t worked for organizations either! A highest common denominator approach locks down users, wastes resources, and stifles innovation and productivity.
The best way to manage user risk? Implement the right technology at the right time for each user—personalizing protections to pinpoint each user’s specific vulnerabilities. Data-driven decisions tailor risk-based controls and support high-risk individuals, while maintaining productivity.
Myth #2: User Risk & Security is Everyone’s Responsibility
Truth: It’s not. We can’t expect our designers, engineers, and sales folks to get security as we do. That’s our job.
A quick glance at security headlines underscores the truth – decades of training and awareness efforts have not solved the problem of user risk. According to the Cyentia Institute, human risk played a direct role in 61% of the largest cyber incidents of the last 5 years.
There needs to be a better way to enable employees to be productive while still keeping the organization safe.
As is often the case, recent breakthroughs in data analytics and machine intelligence now allow the near-instant tuning of cyber protections to each individual. We can defend users, business, and systems against threat actors targeting workers by identifying and protecting those most likely to fall victim to an attack.
- Risk analysis identifies vulnerabilities
- Security policies adjusted to those vulnerabilities offer targeted, tailored safeguards
- Specific guardrails protect users from accidental exposure without reducing productivity
Jinan Budge, Vice President, Principal Analyst serving Security & Risk professionals, Forrester says, “Once cybersecurity is no longer everyone’s responsibility, employees can get on with their daily activities and meet their digital aspirations while remaining protected from cyber threats—even if they make a mistake.”
Myth #3: People are the Weakest Link
Truth: User risk is not measured or managed on par with other security risks.
When it comes to risk, your employees are not the weakest link; they are the primary attack vector. The solution to such a complex problem as user risk requires:
- All the benefits gained from data, analytics, and measurement
- The best risk-based safeguards
- An understanding of the nuances of user engagement and behavior change
The solution cannot be owned by one function. *Cough* Security, awareness, and training. *Cough* David Fairman, CISO, Netskope, agrees as he says, “Educating them [employees] to minimize the risk is the right thing to do, but won’t eradicate the risk. Like most things in Cyber and InfoSec, we need to take a multi-pronged approach to this.”
As we stated previously, user risk is the hardest area of cybersecurity to solve. Approximately 8% of your employees are at higher risk. This tiny cohort is likely to be at the root of 80% of your security incidents. Employee mistakes are inevitable, no matter how much training you give them. Instead of trying to put out fires, let’s prevent them from happening in the first place.
Check out Masha Sedova’s insightful discussion on the correlation between behavioral science and user risk in the Friendly Fire Podcast episode titled, Masha Sedova: Employee Security Mistakes Are inevitable, Resulting Incidents Aren’t. Tune in now to learn how you can leverage behavioral data to strengthen security despite user risk.