Cyber 101: Don’t blame it on the staff

More than 90% of cyber-attacks involve a human attack vector. However, despite an emphasis on cyber security training for years, employees still don't consider cyber security to be their responsibility. That doesn't mean we should play the blame game; it's time to change the narrative so your employees - who are your biggest asset - don't feel criminalised.

This is a contributed article by Tormod Ree, CEO, AVA Security

It’s clear the shift to remote work is not going away and this poses security challenges. People can opt to log in from outside of their employer’s network – from home, coffee shops, flexible workspaces – virtually anywhere with a strong enough internet connection.

Unlike a centralised team, where you can physically lock down confidential information, remote working means sensitive corporate data like customer lists, financial information, and source code is now everywhere. Malicious actors are well aware of this, so it’s little surprise that 90% of cyber-attacks involve a human attack vector. 

There's no doubt criminals will continue to try to exploit an organisation’s workforce. However, organisations need to remember that this is not the fault of employees – they are the victims. We need to change the pervasive narrative from one in which a company’s greatest asset – its employees – are made to feel criminalised, to one in which they are empowered.

Instead, organisations need to think about their own responsibility to protect their staff. Employees might be in the crosshairs of hackers, but it's important that employees feel the company has their back. No matter what role an employee plays within the business, organisations should engineer security in such a way that it's easy for them to use, understand, and implement, so that they can protect themselves.

Enhancing employee security with technology

There are various ways employees unintentionally put their organisation at risk, including browsing risky websites, downloading malicious files, accessing confidential data through unsecured Wi-Fi networks, or inserting USB sticks containing malware. It's important to note that businesses need to be able to differentiate between what is malicious and what is accidental. Mixing the two could have disastrous consequences in terms of employee morale.

Instead of pointing the finger, organisations need to develop a more human-centric approach to cyber security; one which protects their networks and data while empowering employees to continue working without fear of being exploited. Such an approach would give them the helping hand they need to discover risks, prevent data loss, and enable regulatory compliance, while educating employees in the importance of cyber hygiene.

Technology has a role to play here. For example, the advances in machine learning over the past five years mean that AI can be effectively deployed to augment and enhance employee behaviour, prompting them to make safer decisions as they work. Used in this way, AI can protect employees from making mistakes and be used to advance cyber security by instructing employees in real-time and adapting to the individual behaviour of each user.

While this might be seen as a common-sense solution, it is not the path that many organisations are taking in security. By casting the employee in the role of a “rogue” in the network, organisations’ default approach to date has simply been to try to block and control the employee. We need only refer back to the 90% figure earlier in the article to see how ineffectual this approach has been, mostly because staff – who just want to get on with their jobs – will naturally find that security makes things more difficult. That is why it is so important that the use of technology is coupled with a mindset shift: we need to stop trying to stop our employees from getting on with their work.

Intelligence and context

AI has the additional benefit of generating data on employee behaviours that can be fed back into the system to improve their experience and also identify threats when they do occur. This next-generation technology can be used to make sense of unstructured data across different platforms, tools, and networks, and can piece together a complete picture of what normal behaviour looks like and what indicates risk. For example, if an employee’s credentials have been compromised and they are being impersonated on the network, the system will know.

People may have perfectly understandable concerns regarding the privacy implications of this approach, of course. Although an organisation will have visibility into its network, and will enjoy actionable intelligence as a result, the privacy of its employees must be protected by securing and anonymising their data.
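The two ideas above, a per-user picture of normal behaviour that flags likely impersonation, and analytics that hold a keyed pseudonym rather than the employee's name, as a small added illustration (example code written for this article, not Ava Security's product; the login events, the `pseudonymise`, `build_baseline` and `score_event` helpers and the "two or more deviations" threshold are all constructed assumptions):

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample history (hypothetical): past logins per employee.
HISTORY = [
    {"user": "alice", "hour": 9, "country": "NO", "device": "laptop-1"},
    {"user": "alice", "hour": 10, "country": "NO", "device": "laptop-1"},
    {"user": "alice", "hour": 14, "country": "NO", "device": "laptop-1"},
    {"user": "alice", "hour": 17, "country": "NO", "device": "phone-1"},
    {"user": "bob", "hour": 8, "country": "UK", "device": "laptop-2"},
    {"user": "bob", "hour": 22, "country": "UK", "device": "laptop-2"},
]

def pseudonymise(user: str, key: bytes) -> str:
    """Keyed hash so the analytics store keeps a stable token, not the name.
    This is pseudonymisation, not anonymisation: the key holder can re-link."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]

def build_baseline(events, key):
    """Per-user picture of 'normal': hours, countries and devices seen before."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for e in events:
        b = base[pseudonymise(e["user"], key)]
        b["hours"].add(e["hour"])
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
    return base

def _hour_gap(a: int, b: int) -> int:
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_event(baseline, event, key):
    """Return the ways a login deviates from that user's baseline."""
    b = baseline.get(pseudonymise(event["user"], key))
    if b is None:
        return ["unknown user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("new country")
    if event["device"] not in b["devices"]:
        reasons.append("new device")
    if all(_hour_gap(event["hour"], h) > 2 for h in b["hours"]):
        reasons.append("unusual hour")
    return reasons

def is_suspicious(baseline, event, key) -> bool:
    """Assumed rule: two or more deviations together warrant a check-in."""
    return len(score_event(baseline, event, key)) >= 2
```

A single deviation (a new phone, a late night) is normal life and should not trigger anything; only a combination is worth an analyst's time, and the analyst sees the token, not the person, until a confirmed incident justifies re-linking.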

Employees themselves will benefit from such an approach, too. Each time an incident occurs, they can receive appropriate security training, and real-time on-screen messages reinforcing their employer’s IT Security and Acceptable Use policies. Rather than spending time and money on classroom-based instruction, this instant feedback loop is an effective, time-efficient, and affordable alternative form of security awareness training.

Bringing employees into the fold

The narrative the cyber security industry has created around employees, presenting them as - at best - a liability and - at worst - a deliberate saboteur, has led to bad outcomes for both staff and the organisation. It is beyond time that companies redirect the considerable resources they invest in blocking their employees towards tools that would actually help them. Risky behaviour will be more effectively mitigated with increased intelligence, productivity will increase, and employees will look more favourably on their employer.

Tormod Garberg Ree is the CEO of Ava Security. Previously, he has worked at companies such as Cisco, The Boston Consulting Group, and Accenture. He holds an MSc degree in Telecommunications and Computer Networks from the Norwegian University of Science and Technology.