Cyber security suffers from a communication problem
Negative language around ‘human failures’ is eroding trust between security teams and broader business functions - it has to stop


Industry-wide workplace communication issues are contributing to an antiquated approach of attributing blame for cyber security incidents to ‘human error’, according to one expert.
Robin Bylenga, information security awareness, education, and communications lead at DWS Group, said that although human error is still a key factor in many data breaches, organisations must take a proactive approach to communication and cultivate a transparent culture in which staff feel comfortable disclosing potential issues or openly engaging with the security function.
This is an issue facing many organisations at present, Bylenga said at Scot-Secure, with many staff encountering difficulties communicating with security teams to access advice on best practice and cyber hygiene.
A recent Gartner study predicted that ‘human failure’ will be responsible for “over half” of significant cyber incidents within the next three years.
The research highlighted that the number of cyber and social engineering attacks against individual employees is “spiking” as threat actors increasingly view staff as the most vulnerable point of exploitation.
Gartner’s survey also found that more than two-thirds (69%) of employees have “bypassed their organisation’s cyber security guidance” while 74% said they would actively ignore cyber practices to “achieve a business objective”.
Bylenga insisted that this highlights a growing disconnect between security teams and broader business functions, and that employee education is often viewed as a box-ticking regime.
Growing threats against individual employees also underline that organisations now focus too heavily on technology-based risks and fail to consider the key role that staff play in mitigating threats, Bylenga argued.
“We put blinders on typically in cyber security and focus so much on the technology,” she said. “Technology is brilliant, it’s important, and it needs to be there, but while we’re sitting there focusing on technology, that’s when we should be focusing on people.”
“We have people, process, technology (PPT) for a reason, but we can’t spend all of our time on just process and technology,” Bylenga added.
Negative terminology erodes trust
Increasingly, she said, organisations are using negative terminology when discussing the role that individual staff play in cyber resilience. The term ‘human failure’ alone points to an inherent weakness, which erodes trust among employees and creates a toxic environment.
“I don’t like the term ‘human failure’. I don’t like the negative connotations, the words, the language that we use in cyber. Especially when it deals with our people and educating them and building trust within our department.”
“Information security needs to be a department of trust, not a department where people feel intimidated, or stupid, or uneducated.”
Bylenga said that leadership plays a key role in fostering an open environment for staff to engage with the security function, and moving forward CISOs and senior personnel should take active steps to moderate their language to build trust with staff throughout their business.
By doing this, people will begin to “really understand or seek out information” about human factors in cyber security, which has a positive knock-on effect in the long term.
Plain language speaks volumes
A key approach Bylenga said she has personally employed when conducting security training is to speak in plain language that provides tangible insights into the impact of a data breach or cyber incident.
This is especially relevant given the surge in phishing attacks over the last two years amid the shift to remote and hybrid working, she added.
In a study from HP Wolf Security this week, 66% of security leaders said their greatest cyber security weakness is the potential for hybrid employees to be compromised.
Phishing and ransomware attacks are an increasingly common consideration for businesses with distributed workforces while attacks via unsecured home networks are also surging.
“When I have to go train people on phishing, I want them to know why we’re training them,” she said. “You know, talk to me like I’m five. Here’s why we keep doing this, because these are the simulations that we’re doing, not to trick you, but to keep you up to date with how savvy and sophisticated these attacks are becoming.”
Up-front engagement
‘Management by walking around’, a concept popular in the 1980s and 1990s, is still highly applicable today, especially in the security industry, Bylenga argued.
When senior cyber practitioners engage with staff in different functions, this builds trust with employees and breaks down traditional cross-functional barriers, Bylenga said. This human connection should be an imperative for cyber leaders moving forward, she added.
“Human connection builds trust. Go out and have conversations with people in your department, it’s so important that you understand what people do, and when you understand what they do, people like that connection,” she said. “That will make training more relevant, and will get a better reaction from it.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.