If there’s one thing that’s been highlighted time and again in the past few years, it’s this: security teams have it rough.
Evolving cyberattacks, careless or clueless colleagues, colleagues with a grudge or a desire for more money, unpatched systems and software, the vast variety of new devices and unsecured home networks introduced into the security mix—the list of potential threats goes on and on, unlike the headcount in your friendly neighborhood security team.
As per ISACA’s State of Cybersecurity 2022 Report, 62% of cybersecurity teams are understaffed, while 63% have unfilled vacancies. Plus, over half the hiring managers (55%) surveyed generally felt that applicants for their cybersecurity teams weren’t well qualified.
So, the lack of manpower in cybersecurity teams is not a problem that’s going to be solved anytime soon. Meanwhile, cyberattacks are becoming more frequent, sophisticated, and easier to execute.
The resulting double-whammy has left cybersecurity professionals at higher risk of burnout. The State of Pentesting 2022 report by Cobalt found that 58% of respondents were experiencing burnout. Additionally, 63% and 64% of respondents said there had been some impact on their mental and physical health, respectively.
To summarize: security teams are extremely understaffed and could use all the help they can get.
More technology alone is not enough
One ray of hope in these trying times has been the evolution of the cybersecurity landscape. Security platforms and solutions are increasingly adopting AI and machine learning to automate several aspects of IT security.
Automation can help reduce the amount of grunt work the security team needs to do. It can also act as a force multiplier, allowing the team to efficiently secure and monitor the expanding enterprise attack surface and respond to incidents more efficiently.
The extra firepower AI brings to the table is all the more important in light of the use of these technologies by malicious actors. Firms like Malwarebytes, Symantec, and McAfee were sounding the alarm on AI-based cyberattacks way back in 2018.
With emerging security solutions like extended detection and response (XDR) platforms, the increased interest in Zero Trust architectures, and identity-centric security frameworks and best practices, it seems like security is headed in the right direction.
However, even the best technology in the world can’t keep an organization safe from the mistakes made by unaware or uninformed employees. From people clicking on links in emails requiring “urgent action” to opening the doors for a “colleague” who has their hands full, there are lots of ways in which bad actors can get inside your network or office premises.
In the case of malware and other threats, security technology can help you detect them and stop bad actors from infiltrating further. But sometimes, even the earliest stages of an attack can cause a lot of damage. Also, technology may be able to keep bad actors out of your cyberspace, but your XDR, SOAR, SIEM, and other technology platforms are currently helpless against someone physically walking into your office premises.
To secure your organization against such threats, you need to focus on what’s often called the weakest link in your security perimeter: your people.
Punishments hurt you as much as they hurt your people
As per Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved a human element. This includes social engineering attacks—which accounted for over 20% of data breaches last year—errors, and even privilege misuse. So it goes without saying that you need to make all your people, not just your security folks, work towards securing the organization.
To start, you need to implement and enforce security policies that keep the organization safe without adding friction to employees’ daily tasks.
As per a recent article in the Harvard Business Review, many employees intentionally breach cybersecurity policies. The reasons? To accomplish their tasks, to access something they need, and to help others with their work.
Additionally, these employees reported being more likely to break security policies on days when they felt more stress. This brings us to an interesting observation: Cybersecurity policies were also seen as a common source of stress. People were more likely to violate the rules when they felt the policy would affect their productivity, require more work or time, or make them feel constantly under scrutiny.
This brings us to another interesting fact from the IT Security Risks Survey 2017 by Kaspersky Lab and B2B International. This study found that 45% of employees at large enterprises hide cybersecurity incidents, possibly to avoid punishment.
This fear isn’t unfounded. The IT Security Economics 2021 report by Kaspersky shows that 21% of enterprises have fired employees because of data breaches, which is better than the 31% recorded in the 2018 report, but still high enough to give some people pause. Meanwhile a 2020 report from Centrify showed that 39% of UK businesses fired people for breaches of security policies.
Numbers like these are enough to make the guilty party want to hide a security incident rather than owning up to it. This can lead to a minor incident that could have been nipped in the bud becoming the cause of a major breach.
Could less stick make reports come in quick?
Wondering how to prevent issues like employees skirting security policies and hiding security incidents?
One solution is to adopt non-punitive security policies. Removing the threat of punishment can remove some of the stress and fear in your employees’ minds, making them less likely to hide incidents and flout rules.
Another way to prevent intentional policy violations is to get stakeholders across job functions and roles to weigh in on the security policies. How do your policies affect their work? Do the policies or security products in use add excessive friction to their workflows? Is there a workaround that ensures security without affecting productivity?
Getting answers to these questions can help make security policies easier to follow and comply with for everyone. However, better security policies alone are not enough. These policies serve no purpose if your people aren’t aware of them. Security training and awareness sessions aim to educate employees on security policies, but often not with much success. The problem is that these sessions are either too technical, dry, or generic. Plus, there’s the whole Hollywood-inspired idea that cybersecurity is super complex (and therefore scary).
This results in people not understanding or remembering these best practices for long. More importantly, they don’t understand how these policies come into play in the context of their roles and work. In other words, they may not even know that they’re violating a security policy or putting the organization at risk.
In the next entry of this two-part series, we’ll talk about how to make it easier for your people to remember and follow cybersecurity guidelines.