Cyberattacks are on the rise — but if we're being honest, that statement has been true for quite a while, given the acceleration of cyber incidents over the past several years. Recent research indicates that organizations experienced 50% more attack attempts per week on corporate networks in 2021 than they did in 2020, and tactics such as phishing are becoming increasingly popular as attackers refine their tried-and-true methods to more successfully entice unsuspecting targets.
It's no surprise, then, that cyber resiliency has been a hot topic in the cybersecurity world. But although cyber resiliency refers broadly to the ability of an organization to anticipate, withstand, and recover from cybersecurity incidents, many experts make the mistake of applying the term specifically to technology. And while it's true that detection and remediation tools, backup systems, and other resources play an important role in cyber resiliency, organizations that focus exclusively on technology risk are overlooking an equally important element: people.
People Are Vulnerable, but They Don't Have to Be
People are often thought of as the weak link in cybersecurity. It's easy to understand why. People fall for phishing scams. They use weak passwords and procrastinate on installing security updates. They misconfigure hardware and software, leave cloud assets unsecured, and send confidential files to the wrong recipient. There's a reason so much cybersecurity technology is moving toward automation: removing people from the equation is seen as one of the most obvious ways to improve security. To many security experts, that's just common sense.
Except — is it, really? It's true that people make mistakes — it's called "human error" for a reason, after all — but many of those mistakes come when employees aren't put in a position to succeed. Phishing is a great example. Most people are familiar with the concept of phishing, but many may not be aware of the nefarious techniques that today's attackers deploy. If employees have not been properly trained, they may not be aware that attackers often impersonate real people within the organization, or that the CEO asking them to buy gift cards "for a company happy hour" probably isn't legit. Organizations that want to build strong cyber-resiliency cannot pretend that people don't exist. Instead, they need to prioritize the resiliency of their people just as highly as the resiliency of their technology.
Training the organization to recognize the signs of common attack tactics, practice better password and cyber hygiene, and report signs of suspicious activity can help ease the burden on IT and security personnel by providing them better information in a more timely manner. It also avoids some of the pitfalls that create a drain on their time and resources. By ensuring that people at every level of the business are more resilient, today's organizations will discover that their overall cyber-resiliency will improve significantly.
Building the Necessary Support Systems
The COVID-19 pandemic — and the resulting acceleration of digital transformation, cloud adoption, and remote work — perfectly encapsulates the need to prioritize people. Security teams have been in a pressure cooker since the pandemic began, constantly being asked to do more, account for additional variables, set up new capabilities. And of course, there is always a new vulnerability that catches the eye of a CEO or other senior leader and suddenly becomes a priority. These teams are tired, and burnout is a real concern. They need support from their organizations.
Because, as valuable as modern cybersecurity tools are, people still make the most important decisions —which means prioritizing the resiliency of those people is critical. Tired, overworked employees who don't feel appropriately valued by their employers are more prone to mistakes or lapses in judgment. It is important to maintain open dialogue with IT and security personnel to understand their needs. Employees who find themselves working 12-hour days again and again aren't just prone to mistakes. They're likely to leave for a better opportunity — one that lets them maintain a healthy work-life balance. Organizations must be prepared to hire and train new employees to help carry some of the load for teams already being tasked with making significant adjustments in the face of ongoing challenges.
Learning to recognize signs of burn-out in your people, talking openly about burnout and how you are addressing it, and encouraging a culture of well-being will make for a more resilient team. After all resiliency is about recovery, in both people and technology.
Never Overlook the Importance of People
Too many organizations today view people as replaceable, but organizations that want to remain steadfast in the face of today's threat landscape should recognize the value of a happy, motivated, well-trained, and well-rested workforce. Cyber-resiliency isn't just about having the right technology in place to deal with modern attackers, but about empowering people to make the right decisions, and ensuring that they have the knowledge and support they need to make them. Overlook the importance of people at your own peril —even with automation on the rise, they remain the backbone of a successful business.