People, Not Systems, are the Real Vulnerabilities in the Workplace

Written by haekka | Published 2022/03/01
Tech Story Tags: cybersecurity | employee-training | compliance | saas | workflow-automation | remote-work | security | good-company

TLDR: Cybersecurity specialists need to re-evaluate the way they focus on security in 2022. Remote work creates more avenues for attackers to breach an organization, and on top of the extra devices, the average number of SaaS applications used by companies reached over 250 in 2021. This new way of working requires a renewed focus on reducing the human risks that arise while people work in cloud-based apps.

Cybercrime is more prevalent than ever before. Phishing attempts, ransomware attacks, and other forms of breaches all reached all-time highs in 2021, and there is no reason to believe that that trend will change anytime soon.
Cybersecurity specialists need to re-evaluate the way they focus on security in 2022. It is becoming increasingly apparent that reducing human risk within the context of work should be a top priority for CISOs looking to secure their organizations.
Here’s why focusing on the human element of security, particularly as it relates to workflows, is the most important component of cybersecurity today. 

People, not systems, are the real vulnerabilities

If you’ve been paying attention to information security news, you’ve likely heard about Log4Shell, the remote code execution vulnerability in the Log4j logging library, and how much damage it has done to organizations’ security posture.
There have been many other cases where a flaw in a processor, a library, or a language runtime looked like it would lead to catastrophe, but exploited system vulnerabilities are not the leading cause of data breaches.
It may come as a surprise (or be completely expected, depending on your worldview) that research from Stanford found that 88% of security breaches occur due to human error!
Most people picture hacking as someone in a hoodie frantically typing at a keyboard, like a scene from The Matrix, but that is rarely how breaches happen.
While the Matrix-style hacker is a real threat, most breaches occur because people disclose information without authorization, fail to keep their personal devices secure, or fall for the constant stream of phishing attempts.
Although human risk has always been a major component of cybersecurity, Covid-19 and the subsequent shift to remote work in SaaS apps have made securing people more crucial than ever.

Remote work increases the number of risk vectors

Remote work is here to stay. Remote employees report feeling happier and more productive, and remote-first companies can save lots of money on office space and other administrative expenses. While the flexibility that remote work grants people is great, it also creates many more avenues for hackers to breach an organization. 
A whopping 55% of employees reported using their personal laptops or cell phones for work purposes!
Many companies equip their managed devices with antivirus software, firewalls, and other security controls, but there is no guarantee that employees run these tools on their personal devices. And there is always a balance to strike between locking down devices and productivity. Every one of these unmanaged devices is a source of risk to company data and systems.
Remote work also allows employees to work from home, at a coffee shop, at an Airbnb, or anywhere with wifi.
Attackers often set up fraudulent wifi networks (so-called evil twins) that mimic a legitimate hotspot in order to capture credentials and traffic from people who connect to them. Many public networks also use no encryption at all, so anything not protected by TLS, along with the DNS lookups that reveal which services someone is using, can be read by anyone else on the same network.

Evolving workflows also create additional sources of risk

In addition to the increased number of devices that must be secured due to remote work, the way we work today has complicated cybersecurity. Companies are spurning desktop applications in favor of cloud-based SaaS apps. These tools remove infrastructure management overhead, which makes them fast to adopt.
The average number of SaaS applications used by companies reached over 250 in 2021! Although they increase efficiency, these tools introduce additional layers of risk because they are managed outside the organization: the data lives in a third party’s environment, and access is governed by each vendor’s own identity and sharing settings rather than by controls the company runs itself. 68% of malware in 2021 was delivered via SaaS apps, a number that should terrify CISOs everywhere.
Another way workflows have changed is the number of integrations between applications. There are more ways to automate processes and integrate data than ever before.
Actions like automatically exporting lists and importing support tickets into a centralized hub can significantly reduce the amount of manual work employees must do. However, automation and integrations also introduce new risks.
For example, if you set up your Slack workspace to import files from a website on a recurring basis, a compromise of that site means your organization pulls in malware automatically, with no human looking at the file first.
If you are a healthcare organization that exports billing records to another system, there is a chance that someone without authorization to view those records can access them wherever they land, because the integration’s permissions, not the original access controls, decide who sees the exported copy.
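The practical check behind this concern is to know which integrations employees have connected and what those integrations are allowed to reach. The script below is an added example written for this article, not Haekka’s code or any vendor’s tool: it audits a tenant’s third-party OAuth grants against a reviewed allowlist and flags apps that were never reviewed or hold more scope than approved. The grant records, app names, users and the allowlist policy are constructed for the example; the scope URLs themselves are real Google OAuth scopes.

```python
"""Audit third-party OAuth grants for over-scoped SaaS integrations.

Added example, not Haekka's code or a vendor tool. The grant records are
constructed to resemble a tenant's third-party-app export; the scope URLs
are real Google OAuth scopes, but the apps, users and policy are made up.
"""

# Hypothetical policy: scopes that give an integration broad reach into
# company data, described so a reviewer sees what the app can touch.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox read/write/delete",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "read/write every Drive file",
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://www.googleapis.com/auth/admin.directory.user": "manage directory users",
}

# Hypothetical allowlist: integrations security has reviewed, and the most
# scope each may be granted. Anything else counts as unreviewed.
APPROVED_APPS = {
    "Ticket Hub": {
        "https://www.googleapis.com/auth/drive.file",   # only files it created
        "openid",
        "https://www.googleapis.com/auth/userinfo.email",
    },
    "Calendar Sync": {"https://www.googleapis.com/auth/calendar.readonly"},
}

# Constructed sample export: (user, app, scopes the user consented to).
SAMPLE_GRANTS = [
    ("alice@example.com", "Ticket Hub",
     ["https://www.googleapis.com/auth/drive.file", "openid",
      "https://www.googleapis.com/auth/userinfo.email"]),
    ("bob@example.com", "Ticket Hub",
     ["https://www.googleapis.com/auth/drive", "openid"]),   # broader than approved
    ("bob@example.com", "Mail Merge Pro",
     ["https://mail.google.com/"]),                         # never reviewed
    ("carol@example.com", "Calendar Sync",
     ["https://www.googleapis.com/auth/calendar.readonly"]),
]


def audit_grants(grants, approved=APPROVED_APPS, high_risk=HIGH_RISK_SCOPES):
    """Return one finding per grant that breaks policy.

    A grant is flagged when the app is not on the allowlist, or when it holds
    any scope beyond what was approved for it. High-risk scopes among the
    excess are spelled out so the reviewer sees what data is exposed.
    """
    findings = []
    for user, app, scopes in grants:
        scopes = set(scopes)
        allowed = approved.get(app)
        if allowed is None:
            reason, excess = "unreviewed app", scopes
        else:
            excess = scopes - allowed
            if not excess:
                continue                      # within approved scopes
            reason = "scopes beyond approved set"
        findings.append({
            "user": user,
            "app": app,
            "reason": reason,
            "excess_scopes": sorted(excess),
            "high_risk": [f"{s} ({high_risk[s]})" for s in sorted(excess) if s in high_risk],
        })
    return findings


def users_with_high_risk_grants(grants, high_risk=HIGH_RISK_SCOPES):
    """Map each user to the apps holding a high-risk scope on their behalf.

    This is the follow-up list: people whose consent decisions deserve a
    conversation or targeted training, not just a revoked token.
    """
    exposed = {}
    for user, app, scopes in grants:
        if any(s in high_risk for s in scopes):
            exposed.setdefault(user, set()).add(app)
    return exposed


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f['user']:20} {f['app']:15} {f['reason']}: {f['high_risk'] or f['excess_scopes']}")
    print(users_with_high_risk_grants(SAMPLE_GRANTS))
```

In a real tenant the grant list would come from the identity provider’s token or third-party-app report, and the allowlist from whatever the security team uses to track reviewed integrations; the point of the second function is that every finding maps back to a person, which is where the human-risk work starts.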

Companies must emphasize reducing risk within the flow of work

Remote work performed in cloud-based SaaS applications requires a renewed focus on reducing the human risks inherent in SaaS app workflows. The best ways to reduce human risk are:
1) Using tools to monitor SaaS apps.
2) Training employees on risk in the flow of work.
We’re going to focus on #2. Companies are already working on the former, and the rise of zero-trust security reflects a mindset shift to one where no user or device is trusted by default and every access request is treated as a potential risk.
Security awareness and cybersecurity training are outdated for modern work. Popular courses focus on topics less relevant to remote work, such as not writing down passwords on paper or not plugging in flash drives you find on the street. While those are decent tips, they matter less today, when most threats arrive digitally rather than physically. And these trainings are often delivered on an annual or infrequent basis, outside the context and flow of work.
One way organizations can reduce risk within the flow of work is by implementing event-based training. The concept of event-based training is simple: trigger training for employees when they do work activities that can potentially increase risk. Actions such as sharing files, creating new Slack channels, and clicking on links from external emails can be used to automatically assign employees relevant training. Training should be administered within the context of work to ensure it is actually effective. Annual check-the-box training for security awareness might make leadership feel good, but it doesn’t sufficiently reduce human risks.
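To make the mechanism concrete, here is an added example (written for this article, not Haekka’s product code) of the small rule engine that event-based training implies: it watches an event stream, maps risky activities to a short training module, and assigns it at the moment the activity happens. The event types file_shared, channel_created and link_shared are named after Slack Events API event types, but the flat event payloads, the external_link_click event, the module names, the trusted-domain list and all sample events are constructed for the example. It also handles the two things a practitioner hits first: not every matching event is risky in context (a link to your own wiki should not trigger anything), and without a cooldown the same person gets the same module on every shared file.

```python
"""Event-based security training: assign a short module when a risky
activity happens, not once a year.

Added example, not Haekka's product code. It models the mechanism the page
describes. The event types file_shared, channel_created and link_shared are
named after Slack Events API event types, but the flat event payloads, the
'external_link_click' event, the module names and the trusted-domain list
are all constructed for this example.
"""

# Hypothetical mapping: risky activity -> training module to assign.
TRIGGERS = {
    "file_shared": "sharing-files-safely",
    "channel_created": "channel-hygiene-and-guests",
    "link_shared": "spotting-malicious-links",
    "external_link_click": "spotting-malicious-links",
}

# Hypothetical company allowlist: links to these domains are not "risky".
TRUSTED_DOMAINS = {"example.com", "slack.com"}

# Don't re-assign the same module to the same person within this window;
# without it every shared file becomes a nag and people tune it out.
COOLDOWN_SECONDS = 30 * 24 * 3600


class TrainingAssigner:
    def __init__(self, triggers=TRIGGERS, trusted=TRUSTED_DOMAINS,
                 cooldown=COOLDOWN_SECONDS):
        self.triggers = triggers
        self.trusted = trusted
        self.cooldown = cooldown
        self.last_assigned = {}   # (user, module) -> timestamp of last assignment
        self.assignments = []     # audit trail of what was assigned and why

    def is_risky(self, event):
        """Filter out events that match a trigger by type but are benign in context."""
        if event["type"] in ("link_shared", "external_link_click"):
            domains = {link["domain"] for link in event.get("links", [])}
            return bool(domains - self.trusted)   # at least one untrusted domain
        return True

    def handle(self, event):
        """Process one event; return the module assigned, or None."""
        module = self.triggers.get(event.get("type"))
        user = event.get("user")
        if module is None or not user or not self.is_risky(event):
            return None
        ts = float(event["event_ts"])
        key = (user, module)
        last = self.last_assigned.get(key)
        if last is not None and ts - last < self.cooldown:
            return None                          # recently trained on this
        self.last_assigned[key] = ts
        self.assignments.append({"user": user, "module": module,
                                 "trigger": event["type"], "ts": ts})
        return module


# Constructed sample event stream (timestamps in seconds).
SAMPLE_EVENTS = [
    {"type": "file_shared", "user": "alice", "event_ts": "1000"},
    {"type": "file_shared", "user": "alice", "event_ts": "2000"},          # within cooldown
    {"type": "link_shared", "user": "bob", "event_ts": "3000",
     "links": [{"domain": "example.com", "url": "https://example.com/wiki"}]},  # trusted
    {"type": "link_shared", "user": "bob", "event_ts": "4000",
     "links": [{"domain": "examp1e-login.com", "url": "https://examp1e-login.com/sso"}]},
    {"type": "channel_created", "user": "carol", "event_ts": "5000"},
    {"type": "message", "user": "dave", "event_ts": "6000"},                 # not a trigger
]


def run_sample(events=SAMPLE_EVENTS):
    """Feed the sample stream through one assigner and return its audit trail."""
    assigner = TrainingAssigner()
    for event in events:
        assigner.handle(event)
    return assigner.assignments


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['user']:6} <- {a['module']} (triggered by {a['trigger']} at t={a['ts']:.0f})")
```

Run against the sample stream, three assignments come out: alice for the first file share (the second is suppressed by the cooldown), bob for the look-alike login domain (the wiki link is trusted and ignored), and carol for the new channel. The audit trail is deliberate: if training is going to be triggered by what people do, you need to be able to show why a given person was assigned a given module.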

Conclusion: 

The way people work has changed a LOT over the past two years, and even more so over the past decade. As cyber threats continue to proliferate, effective security must be a priority for any organization hoping to stay in business. Evolving workflows have greatly increased human risk. As such, companies should tailor their training to make people understand how they can effectively protect themselves and their organizations in 2022.   

About the Author

Haekka is a Slack-based (with a web option available) employee onboarding and training platform that trains employees within the context of real work.
Haekka was founded by two leaders with over 20 years of cybersecurity experience, so they have witnessed firsthand how different security looks today as compared to years past. Haekka’s security awareness training was written for remote and hybrid companies looking to secure their evolving workforce with an emphasis on event-based training. For more information about Haekka, schedule a demo with one of our founders today!

Published by HackerNoon on 2022/03/01