Human behavior is a significant variable in any organization’s cybersecurity program. People have the potential to create serious issues through negligence or harmful intent, but they can also play a vital role in keeping an organization’s information assets secure. Those IT and information security professionals whose day-to-day roles place them at the forefront of preventing the theft and misuse of information are essential, as are the technologies they use. However, regardless of a person’s job description or the size of their organization, there are some key human behaviors that can be helpful in supporting the cybersecurity of any organization.
Understand the Business
From a security perspective, there is no substitute for employees understanding the objective of the business and how it operates. Employees who are educated and experienced in business processes understand what should be happening, and consequently they can recognize that:
- A particular action is unsafe, irresponsible or suspicious
- Certain information should be kept confidential
- Other parties should be consulted for advice or authorization
If employees work in a vacuum without understanding where their duties fit into the organization’s big picture or how their responsibilities interact with others, they are less likely to have a sense for potential security risk and to feel comfortable raising issues to the appropriate people. Therefore, educational programs such as internal seminars and cross-training that increase employee knowledge of the whole enterprise can enhance security.
Be Aware
Generally, employees who are unaware are more likely to be exploited by a cybersecurity threat. That lack of awareness can be related to not perceiving a threat or not knowing what to do about it. At the most basic level, organizations must make their employees aware of the code of conduct and the policies and procedures relevant to cybersecurity, but they should not stop there. Employees also need to understand that real threats exist and that they can make the organization safer by following policies and procedures.
Social engineering attacks such as email phishing are common because they continue to be lucrative. In 2019, organizations lost more than US$1 billion to email phishing,1 and perpetrators are working constantly to vary and improve their tactics. That is why, from the organization’s perspective, security awareness training should be regularly communicated in logical, digestible ways and incorporated into multiple communication channels that are easy to refer to and access.
However, awareness training should not be limited to passive, one-way communication. Employees share the responsibility for understanding their duties and their environment as it relates to cybersecurity, even as the business is responsible for making them aware. In addition to being familiar with policies and procedures, all employees should take an active role in learning about potential information security threats they may encounter and not just consider it the IT or security team’s job. This has become more important in the past year as a significant portion of the workforce transitioned to working from home amid the COVID-19 pandemic. According to a recent Institute of Internal Auditors (IIA) report, the pandemic has, in many cases, made IT support more difficult for employees to get, made devices more difficult to inventory and control, forced employees out of their technology comfort zones, and made it more difficult for some organizations to disseminate security awareness training—all of which lead to increased risk.2
Follow Policies and Procedures
Being aware of corporate policies and procedures is one thing—behaving accordingly is another. Perhaps the most fundamental responsibility people have as it relates to cybersecurity is simply to adhere to the organization’s policies and procedures and codes of conduct. Just to name a few, employees are expected to follow protocols for:
- Logical access controls/password management
- Timely deletion of digital files and data according to retention policies
- Installing software updates in a timely manner
- Avoiding the use of unsecured devices and open-source software
- Avoiding/reporting email phishing and other suspicious activity
- Obtaining proper authorization for the sharing or use of sensitive information or equipment
Although the duty of compliance is seemingly straightforward, there are a number of reasons why people may fail to follow formal policies and procedures. In some cases, employees may be unaware that their actions are a violation of policy. In other cases, employees may take shortcuts or use workarounds because they are under pressure and more focused on getting the job done than following policy. Sometimes, employees do not comply with a particular policy because they do not think it makes sense or is important. Regardless of the reason, if the organization does not promote a culture that prioritizes compliance with information security protocols, and if leaders do not model and reward that behavior, then employees may feel safe or empowered in taking shortcuts or ignoring policy. As noted in a recent IIA Practice Guide, “The issue of conduct is not easily separated from an organization’s culture; rather, it is a distinct segment of culture as a whole.”3
In addition to managing their own conduct, employees should also understand that they have a duty to make their organization aware of security threats and issues, and that means speaking up when necessary.
Speak Up
One of the most harmful things employees can do from a security perspective is not speak up when they see something that does not seem right. IT leaders report that information security issues are most commonly rooted in employees’ misuse of IT resources and the infection of organization devices with malware.4 Often, these are cases of careless or negligent misuse, but they can also be cases of employees working maliciously against their own organization. To make matters worse, many organizations around the world say their employees stay quiet about cybersecurity issues they experience rather than informing IT or other relevant personnel.5
Employees who do speak up are among the most effective defenses against attackers, both high and low tech. The longer it takes for a cybersecurity issue to be identified, the more damage it is likely to cause. Employees can take an active role in protecting their organizations by calling attention to issues via the proper channels. For example, tips are still by far the most effective way that occupational fraud is initially uncovered despite advancements in continuous monitoring and artificial intelligence (AI).6
However, people will not feel empowered or motivated to speak up if they fear that their good-faith effort will be met with reprimands or retaliation. Therefore, as is the case with compliance, an organizational culture that rewards and protects ethical behavior and accountability goes hand in hand with effective cybersecurity.
Investigate and Follow Up
Some of the most important roles people play in an organization’s cybersecurity efforts are following up on incidents and assessing the effectiveness of controls. These roles extend beyond IT and information security teams to internal audit, business management and other functions of the organization.
When a cybersecurity issue arises, people have the ability to identify root causes, determine what lessons can be learned and apply that learning to take corrective action and modify controls if needed. Meanwhile, internal audit functions are responsible for assessing whether information security policies and procedures are being adhered to and whether the control structure is sufficient and effective, then advising the organization on risk and possible action items. People’s ability to learn from experience is vital to the effective use of technological cybersecurity solutions.
Conclusion
Technology has the capability to detect cybersecurity threats that humans alone cannot. Conversely, people who understand the mission, culture and operations of an organization can perceive threats that technology may miss. Ideally, creating synergy between the two will maximize effectiveness. To accomplish this, all the organization’s employees must see themselves as integral members of the cybersecurity team and understand how their actions can make their organization’s information assets more—or less—safe.
Endnotes
1 Vukovits, F.; A. Meyer; Security in a Work-From-Home Environment: IT Must Adapt to New Threats and Challenges, Global Knowledge Brief From the Institute of Internal Auditors (IIA) and Fastpath, USA, 11 November 2020, http://global.theiia.org/news/Pages/Global-Knowledge-Brief-from-The-IIA-and-Fastpath.aspx
2 Ibid.
3 The Institute of Internal Auditors (IIA), Auditing Conduct Risk, International Professional Practices Framework (IPPF) Supplemental Practice Guide, USA, May 2020, http://iia.no/wp-content/uploads/2020/06/2020-PG-Auditing-Conduct-Risk.pdf
4 Kaspersky Daily, “The Human Factor in IT Security: How Employees Are Making Businesses Vulnerable From Within,” http://www.kaspersky.com/blog/the-human-factor-in-it-security/
5 Ibid.
6 Association of Certified Fraud Examiners (ACFE), Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, USA, 2020, http://acfepublic.s3-us-west-2.amazonaws.com/2020-Report-to-the-Nations.pdf
Kevin M. Alvero, CISA, CDPSE, CFE, is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the company’s Global Media products and services.