Human error is often cited as the main cause of cyberattacks, and the statistics seem to confirm this: about 95% of cyberattacks are reported to depend on a human vulnerability. The solution is not as simple as it might appear: it is not enough to replace humans with autonomous machines, nor to focus entirely on technology. Within complex organisations it is necessary to work in synergy on several aspects, human, organisational and technological, and to promote a widespread risk culture.
An attacker needs a vulnerability to exploit, and finding one is not difficult when people leave the door open: falling for phishing campaigns, choosing weak passwords, leaving a smartphone unattended and unlocked, or reusing the same password for every account (so that a single breached service exposes all the others). Each of these errors can open a corporate network to an attacker, with serious consequences.
But what do companies do to defend themselves against cyberattacks? Not much, unfortunately.
A global survey by the consulting firm EY reveals that over 60% of companies feel more at risk of cyberattack than a year ago, but only 12% adopt the necessary countermeasures and only 4% carry out monitoring activities. Funding is insufficient, and adequate organisational strategies, a widespread risk-management culture, analysis of internal resources and adherence to security procedures are all lacking.
The majority of the top managers interviewed admitted that they have no intelligence programme to anticipate external threats and no adequate level of data protection. Furthermore, adequate company training on IT security is almost always lacking. And in case of an attack? Most managers declare that they have neither a pre-established communication strategy nor a recovery plan in case of data loss or theft.
These statistics overturn the idea that the main problem of cybersecurity is the human factor: rather, human errors must be analysed within a highly complex system that presents problems and security deficiencies on several fronts.
To defend against cyberattacks, it is necessary to act on all of these aspects: technological, organisational, informational and decision-making.
A few actions can increase an organisation's IT security.
Integrate technical and organisational vulnerability analysis. Weaknesses in procedures and responsibilities open doors just as surely as weaknesses in software.
Identify the critical assets to protect. Knowing which assets matter makes it possible to define the required risk mitigation properly.
“Knowledge is power.” Start with good training of employees and collaborators on the principles of cyber-security, and carry out periodic risk assessments.
Review procedures. Complex security procedures are often not followed. Redefine them so that they are simple but effective, and involve your staff in the definition process to secure their full commitment.
Redesign technologies. More usable software tools can prevent the involuntary mistakes that create system vulnerabilities. Password and access management is a core function that should be carefully redesigned following integrated security and user-experience principles.
Stay up to date. Protect company data from viruses, spyware and other online threats with good security software, and always keep the firmware of network devices, operating systems and all applications updated.
…and if it happens, mitigate the damage. Adopt effective and appropriate recovery strategies for data and IT systems.
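As an added example, not taken from the original article or from Deep Blue, the "simple but effective" rule for password management suggested in the points above is shown below in Python: a legacy composition policy (upper, lower, digit, symbol) beside a usability-first policy modelled on NIST SP 800-63B (minimum length, a breached-password blocklist, no username or organisation name in the secret, and no forced character mix). The blocklist is a constructed handful of entries standing in for a real breach corpus, and the organisation name "Acme" and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8   # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # verifiers must accept at least 64 characters

# Constructed sample of breached / commonly chosen passwords, stored as the
# SHA-1 of the lowercased value. A production blocklist comes from a breach
# corpus (for example the Have I Been Pwned range API), not a hand-written set.
_BLOCKLIST = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1", "password1!")
}


def _normalize(pw: str) -> str:
    """NFKC-normalise and trim so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", pw).strip()


def legacy_policy(password: str) -> bool:
    """The 'complex procedure' many organisations still use: 8+ characters
    with upper, lower, digit and symbol. Trivially satisfied by predictable
    patterns such as 'Password1!' and hostile to memorable passphrases."""
    pw = _normalize(password)
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def evaluate_password(password: str, username: str = "", org: str = "") -> list[str]:
    """Usability-first policy. Returns the list of reasons for rejection;
    an empty list means the password is accepted. No composition rules are
    imposed: they push users toward predictable substitutions."""
    pw = _normalize(password)
    lowered = pw.lower()
    reasons: list[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Breached / common password check, case-insensitive.
    if hashlib.sha1(lowered.encode("utf-8")).hexdigest() in _BLOCKLIST:
        reasons.append("appears in the breached/common password list")

    # Context words: the username and organisation name are the first guesses
    # an attacker tries, so they must not be part of the secret.
    for label, word in (("username", username), ("organisation name", org)):
        w = word.strip().lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains the {label}")

    # Trivially repetitive input ('aaaaaaaa', '12121212') is not a secret.
    if pw and len(set(lowered)) < 4:
        reasons.append("uses fewer than 4 distinct characters")

    return reasons


if __name__ == "__main__":
    # Constructed samples; 'Acme' is an assumed organisation name.
    for sample in ("Password1!", "correct horse battery staple", "acme2024rocks", "aaaaaaaa"):
        verdict = evaluate_password(sample, org="Acme") or ["accepted"]
        print(f"{sample!r}: legacy={legacy_policy(sample)} new={', '.join(verdict)}")
```

The contrast is the point of the passage: "Password1!" satisfies the legacy complexity rule yet is rejected by the usability-first policy because it sits on the breach list, while a long passphrase fails the legacy rule and is accepted by the new one. The reasons are returned as plain text so the interface can tell the user exactly what to change instead of silently refusing, which is what keeps a simple procedure from being worked around.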
This article was written by project member Deep Blue. Deep Blue is a company specialising in human factors, focused on improving performance, safety and dependability within companies; its analysts, trainers and experts solve the world's most complex human-machine interaction problems with rapid return on investment.