While it's impossible for an organization to be completely secure, there's no reason to be defenseless.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

June 21, 2023


The cyber landscape continues to evolve as its economy grows. Ransomware attacks already account for trillions of dollars in damages to enterprises each year, and standardized and sophisticated offerings such as ransomware-as-a-service and phishing-as-a-service will soon become commonplace. While it's impossible for an organization to be completely secure, we're not defenseless.

Research shows that up to 95% of cyber incidents are a result of human error. Many of these breaches stem from oversights that include system misconfigurations or employee phishing campaigns, yet I would argue that an underreported component is the way threat actors target and manipulate human emotions. For example, when looking at the social engineering of phishing emails, you can see how nefarious actors use greed, curiosity, urgency, and the inherent need to help as means to hack the employee's behavior. Anyone can become a victim in these situations, which is why the key to establishing a sound cybersecurity culture within your workforce is placing people and realism at the center of your cyber strategy.

Mitigate Human Biases

Organizations must focus on human nature, including a person's innate soft skills and behaviors, when developing and implementing their cybersecurity strategy because attackers will use perception blindness and human biases to their advantage. One of the strongest is confirmation bias, where a single piece of information a person obtains prevents them from seeing any other possible options and causes them to draw incorrect conclusions and burn cycles in the wrong area. Job bias is another key human bias that hinders crisis response, as key stakeholders are unsure of the role they play and what their responsibilities are in certain situations.

It's critical to identify opportunities to emulate real-world use cases rather than best-case scenarios to understand how biases will impact remediation efforts. The most substantiated efforts leverage ideation, immersion, and gamification rather than passive information or lectures. Conducting tabletops and wargame exercises is an effective way of revealing multiple human biases that arise when your teams are under immense amounts of pressure. These exercises allow you to integrate best practices into your organizational training and playbooks, which ultimately flips the attacker's script on human nature and enables you to use it to your advantage.

Unify Technical, Business, and Risk-Oriented Frameworks

Enterprises that undertake these tabletops and wargames feel prepared to face and mitigate a potential attack. However, it is imperative for leaders to understand that these immersive exercises are conducted in a controlled environment. Planned actions can easily be lost in the chaos during a real cyberattack, especially when employees attempt to address the "fog of war" caused by stress. Security culture starts with how the employees feel, act, and behave, and deploying a cohesive, holistic, and unified approach to incident response within the first couple of hours is critical for success.

A cyberattack response that unifies technical, business, and risk-oriented frameworks empowers enterprises to create a seamless detection and remediation strategy. This prepares the entire organization — from the board of directors down — for when a real attack hits. The response plan should be underpinned by a common cybersecurity and risk language within the workplace. Instituting this, and ensuring each person becomes fluent, should be a priority along with clearly defining key roles across the enterprise.

Weave Cybersecurity into the Fabric of an Organization

Cyber readiness is everyone's job across the enterprise. Weaving cybersecurity into the fabric of your company and making it an everyday topic can reduce human-error-initiated cyberattacks at the source. After Equifax's 2017 data breach, it reinvented its security culture by starting with what it called "shared fate." This strategic pillar focused on how everyone in the company is responsible for protecting the organization with each micro-decision they make. It's proven to be highly successful, because when every individual feels personally responsible for keeping the workplace safe, it makes cybersecurity ubiquitous.

Highly mature organizations understand the importance of cyber-crisis preparedness. To further ingrain a strong culture of cybersecurity within an organization, leaders should suggest certain components of security training be conducted at home. If you can make individuals feel safe at a time when their role shifts from employee to parent, partner, or simply off duty, their sense of cybersecurity responsibility will extend beyond the workplace and become part of life itself. That takes your cybersecurity plan a step further and embraces widespread cyber readiness.

As the industry prepares for the next wave of attack methods and attempts to cohabitate with a new generation of cybercriminals, it's more important than ever for enterprises to reassess their cybersecurity posture. Successful cybersecurity policies keep the end user, the employee, the human in mind. In doing so, these policies are frictionless, making it easy for employees to do the right thing, and they enable organizations to provide an explanation behind the "why" to mitigate resistance to change. While deploying technical resources and training are crucial steps in keeping the workplace and its assets safe, the cybersecurity battlefield is increasingly human. To win the war, leaders should acknowledge this and exercise their people as their best defense.

About the Author(s)


Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.
