Topics: Corporate Governance, Cybersecurity, Leadership

March 28, 2019

Why Humans Are Still Security’s Weakest Link

Although security leaders may be effective at reducing the impact of cyberattacks within their own four walls, board directors should be aware that malicious insiders are still one of the top two threats, according to our research. It is a fact that serves as a timely reminder for all organizations—protect yourselves from the inside out.

According to the Accenture Ninth Annual Cost of Cybercrime Study, organizations have experienced sizable increases in phishing and social engineering attacks, up 16 percent; ransomware, up 15 percent; and stolen devices, up 13 percent in just one year. These are all areas of concern that give credibility to the argument that humans are still the weakest link when it comes to an organization’s cybersecurity defenses. And with 71 percent being vulnerable to hacking groups using spear phishing, a 55 percent spam rate, and 669 million new malware threats in the last couple of years, a momentary lapse of concentration can prove highly damaging. The prospect of 200 billion connected things by the year 2020 means this vulnerability is only going to get worse for your company and its employees.

Today, the security function is largely centralized and its staff are often excluded when new products, services, and processes—all of which involve some sort of cyber risk—are being developed. This siloed approach can result in a lack of accountability across the organization and a misplaced perception that security isn’t everyone’s responsibility—only 16 percent of CISOs in our survey said employees are responsible for cybersecurity today.

At a granular level, even where organizations regularly pressure-test their resilience, people can invalidate red and blue team exercises. They may have difficulty behaving like a real adversary, or they develop “blue team fatigue” following a constant stream of demoralizing attacks. Worse still, they may develop unhealthy divisions and fail to communicate effectively before, during, and after an exercise.

As a result, the board should assume the task of holding the C-suite accountable for putting people first as a security priority throughout the organization.

Being Accountable

To tackle insider threats and foster a culture of accountability, boards should ensure that CEOs rally human resources, talent development, legal, and information technology teams to work closely with the security office and business units. Here are five ways directors can suggest that their organizations take on this risk from within:

  1. Train and reinforce safe behaviors. New work arrangements—greater use of contractors and remote work—make the need for employee training more urgent. Yet, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets. Immersive communications and gamified learning can create sustained behavior change that could drive greater security.
  2. Build cybersecurity champions. Cybersecurity champions can not only act as advocates for security across the organization, they can also provide feedback to the central team on the effectiveness of security programs. As with many other facets of culture, the board can lead the way by becoming cybersecurity champions.
  3. Reward “security-first” behaviors. In our survey, only 41 percent of companies indicated that they offer incentives for business leaders who are committed to cybersecurity. Rewards are one tool that boards can use to stimulate the desired cybersecurity hygiene behaviors throughout the organization.
  4. Maintain strong defenses. As well as standard data protection techniques such as encryption and rights management, user and entity behavior analytics (UEBA) systems can flag suspicious employee activity, such as unusual file transfers that could indicate criminal intent. Ask whether the security team has these practices in place.
  5. Help people be prepared. Suggest that the security team build readiness by running exercises and testing for end-to-end effectiveness. Their practice should be to monitor activity continuously and vigilantly, using sophisticated techniques such as micro-segmentation for access control—keeping sensitive assets safe limits the damage in the event of a breach.

Creating Security-first People

People are often unaware of cybersecurity threats, think they’re already protected by existing procedures, or underestimate the repercussions of a security breach. And while there is no single behavior that keeps people secure online, the vulnerabilities posed by humans can be effectively addressed.

Accenture has developed a Human Vulnerability Assessment—a diagnostic tool based on a data-centric approach. It identifies the highest priority areas to help people stay safe, the immediate actions and interventions needed to improve their weaknesses, and offers benchmarks to make comparisons across industries or geographies.

If you expect to fully protect your high-value assets, keep “the people dimension” in mind. When security behaviors are better monitored and managed, people can be part of the solution, not the problem.

Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk.