At first glance, it seems like a contradiction in vulnerabilities. If employees and end users know that they have an important role to play in your cyber security, then why are they still your greatest potential problem?
This is one of the biggest paradoxes from the “Voice of the CISO report”, the latest study by the Proofpoint cyber-security firm. Could the 1,200 surveyed CISOs have been hopelessly confused, or did they uncover an important security fact?
People are a security risk by nature
The answer is clear: People are a vulnerability because they are people, they behave like people do, and they work with a handful of programs that were imperfectly designed by other people.
End users click on things; they are impulsive, distracted, and multi-tasking their way simultaneously through the demands of employers, suppliers, partners, and children. One thing they usually are not is malicious. Most – but not all – of the time, their heart is in the right place.
CISOs are conflicted over the human element in cyber security
On one hand, the surveyed CISOs generally agreed that employees do understand their role in protecting the organization against cyber threats. The global average of 58% was led by Japan and Germany at 71% and 70%, respectively.
But on the other, they also agreed that human error is their organization’s biggest cyber vulnerability. This global average was also 58%, but these CISOs were led by the U.S. and the Middle East at 75% and 70%, respectively.
Without diving into regional variations in security habits, it’s an uncomfortable modern reality – although employees are starting to understand their role in keeping the organization secure, human errors are still the single greatest vulnerability.
Counting the ways employees create cyber risks
The CISO ranking of the ways employees put their organizations at risk was nearly a toss-up. When asked to pick three out of six potential ways, there were only two percentage points between the top five selections. While purposeful or malicious data leaks was the number one risk at 42%, it was immediately followed by risks from employees clicking on poisoned links, opening phishing emails, using unauthorized devices or apps, and having insecure passwords.
To summarize this: Most risks come from people’s normal, everyday behavior – and most of the time they are not doing it with malicious intent.
The problem with inadequate skills and equipment
The Proofpoint report acknowledges that this apparent contradiction between employees understanding their security role and their actual risky activities should be seen as several red flags, not just one. As the authors wrote, “it suggests an acknowledgement that end users are not adequately skilled or equipped for cyber defense.”
One should also clarify that skill is what a human is trained to do, while equipment is the device or technology they do it with – and both factors are at play. While misbehaving employees and users often get blamed, two out of three CISOs believed that technical debt – leftover but still operational technology – was a significant cause of security vulnerabilities.
It’s time to improve skill sets and the equipment
Inadequate employee skills and limited equipment set the stage for losing the security battle. Conversely, improving the process for user authentication and verification does a lot to cut the risks, whether they come from a malicious data leak, an unauthorized device, or a bad password. Done correctly, it both simplifies the employee skill set needed for accurate authentication and equips them – with smart cards, multifactor authentication, and self-service options – to better defend their digital identity.
The case for mutual freedom in cyber security
Security was seen largely as an “either/or” situation by 61% of CISOs – more security but less performance and agility. The paradox is that with digital identity security, improving the processes brings more freedom and greater flexibility across the board to organizations, their employees, and end users.
It’s more than just enabling companies to automatically remove access rights from outgoing personnel or meet an industry guideline for their data handling procedures. It also makes life easier for end users and employees. With secure multifactor authentication, they will waste less time fumbling around for that yellow sticky note that has all of their passwords written on it. They can even make changes to their digital identities by themselves, without needing outside help.
Yes, employees are the biggest single cyber vulnerability in an organization. And yes, with effective digital identity management in place, they also have a critical role in securing their own digital identities and the security of the entire organization.
Would you like to know more about securing digital identities?
Download our whitepaper that describes the complex challenges of managing secure access to data and IT systems in an increasingly digitalised and regulated reality.