The Risk
Cybersecurity threats just keep coming. When security experts gather around our virtual roundtables to discuss operational risk, there is always a unanimous pronouncement: it’s not a matter of “if” a company will experience a security breach; it’s “when.”
The data is bleak. Breaches are making headlines with increasing frequency. Take this year’s mess of cryptocurrency hacks and thefts. Or the intense disruption ransomware events wreaked upon Costa Rica, pushing the country to declare a national emergency. Both of these incidents are listed amongst the worst breaches of 2022 so far, according to Wired.
And no one sees it slowing down. Predictions from Cybersecurity Ventures say hackers will be hitting a consumer or business every two seconds by the year 2031. The current hack rate stands at around one attack per 11 seconds (still a sickening statistic).
Shifting Perspective
When discussing the breadth of cybersecurity threats driving operational risk, leaders often jump to technical solution talk. What tools do we need to secure the enterprise? Which systems need the most protection?
But more and more, security proponents are driving the conversation down a different lane: the human aspect of risk.
That’s exactly the perspective a panel of sharp, security-minded executives explored at a recent Meet the Boss roundtable discussion sponsored by Broadcom. Attendees at this panel included heads of security from multinational financial firms and insurance institutions, as well as a security director from tech giant Broadcom. Conversation centered on how to mitigate the human behavior component of operational risk and cybersecurity, because, as one executive put quite perfectly, “you can’t technology your way out of a human mistake.”
Assets & Liabilities
As business leaders often say, people are an organization’s greatest asset. But in today’s digital landscape, where cyber risk increases year over year, people are also becoming an organization’s greatest liability.
Nothing spells this out more clearly than the numbers from Verizon’s latest Data Breach Investigations Report. According to the telecommunications provider, a robust 82% of all breaches involve a human element. This encompasses employee oversights like using easy-for-criminals-to-guess passwords, or clicking on an infected attachment. In fact, according to Verizon, most cyberattacks – 66% – involve phishing, stolen credentials, or ransomware.
The report also shows more than half of all breaches are perpetrated using remote access or web applications, which, in this burgeoning distributed workplace era where we work from anywhere, could signal the beginning of a threatening trend.
One of the delegates on our panel, all of whom head up security or risk domains within their firms, noted how frequently he’s observed employees breaching security protocol just by trying to make it easier to work remotely. With no malicious intent involved, employees have exposed sensitive information by discussing or working, in shared or public spaces, on projects that should have been confidential.
Saving company information to USBs was another potential pitfall flagged by a panelist, along with the ubiquitous sharing of credentials, which employees often do not see as a breach of protocol when giving their password to a friend in the office.
Combatting Human Risk
While the opportunities for human errors are vast, the security leaders on this roundtable session say we are not doomed. In fact, they’re hopeful. Panelists agree that tools and technology will always play a role in reducing operational risk, but they say organizations will significantly bolster security when they increase focus on their people.
This focus must extend far beyond security trainings, however. It’s not enough for employees to learn how to recognize cyber risk and understand how to report phishing emails. Security teams should aim to empower employees, to make them feel like they are part of overall organizational efforts to reduce risk. As the executive from Broadcom offered, cybersecurity needs to shift to be more personal for people. Associates need to think, what is the risk to me, versus the company. They need education that inspires them to protect themselves.
And they need personal rewards, as well. When an employee takes steps to keep the organization safe, like reporting a suspicious email, celebrate that employee! One executive put out a company-wide announcement when an associate foiled a potential phishing attack by forwarding the malicious email to a security manager.
Make the C-Suite Care
Finally, for lasting change, leaders around the roundtable say risk and security leaders must start to measure the impact of the actions they’ve taken. What have employees started doing differently to protect company data? How many further breaches (and dollars) were spared when security-conscious workers thwarted attacks by knowing when not to click? This is the type of data senior-level executives need to hear. Not only will they be more likely to promote a culture where security is everyone’s job, but the data will also go a long way toward winning the buy-in these teams need to secure more funding for these types of projects.