The cyber battlefield is always evolving, with attackers exploiting new vulnerabilities… and the old ones you still haven’t fixed. We often focus on “tech marvels” (or shiny objects) in this fight. But don’t overlook a crucial element: the human.
Humans – The Double-Edged Sword
On one hand, humans are the weak link. We can be tricked by phishing, socially engineered, or simply forget secure practices. Verizon’s Data Breach Investigations Report reveals that a whopping 95% of breaches in 2023 involved the human element. Unfortunately, this statistic is nothing new. I have seen similar stats for 10 years, and they broadened my thinking from a CTO who was very tech-focused to a broad thinker who still enjoys tech but understands the critical importance of the human element.
On the other, humans can be a strong line of defense. They can spot weird activity, report concerns, and make decisions in dynamic situations. In short, technology alone cannot win the cyber war; it needs people by its side. And while I’m excited about the potential of AI, I’m not going to bet against humans or assume AI can keep us all protected.
Beyond Phishing Tests: Building a Secure Culture
So, how do we equip our workforce? Ethical phishing is the tip of the iceberg. Sadly, many companies have bought a phishing tool with out-of-the-box training and called it a day. We need a holistic approach to workforce awareness, behavior change, and cultural transformation.
Starting tips:
- Brand it Boldly: Don’t miss the power of a captivating brand. Craft a cyber campaign with a clear message, relatable characters, and engaging visuals. Use gamification, storytelling, or even mascots – anything that stands out.
- Speak Their Language and Meet Them Where They Are: Information overload is real. Go beyond dry emails and wordy PDFs. Use videos, infographics, audio clips, quizzes, and in-person workshops.
- Champions for Change: Leverage champions inside your organization: influencers to spread awareness, field questions, and teach peers secure practices. They become your boots on the ground, building security culture from the inside out.
- Think Outside the Box: Ditch the corporate speak – think unconventional campaigns. Organize a cyber escape room, a social media challenge, or a “security hero” contest. Go capture attention, ignite curiosity, and spark action.
- Measure & Adapt: Define clear Key Performance Indicators (KPIs) and Key Result Indicators (KRIs) to track the impact of your initiatives. Analyze what’s working, what’s not, and continuously improve.
Humans and tools, working together, form a strong shield against cyber threats. By prioritizing the human factor, building a culture of security, and empowering your workforce, you transform your employees from vulnerabilities into assets in the fight for cybersecurity.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Cody Rivers is a Consulting Director at Reveal Risk. Cody helps lead a consulting practice that specializes in creating and maturing cybersecurity programs that focus on risk reduction while aligning their work to client budget realities.
Prior to joining Reveal Risk, Cody served as Chief Technology Officer (CTO) for a successful Midwest-based IT Managed Services Provider (MSP) with clients that spanned the US and Western Europe. While there, he built the cloud security practice that assisted clients to overcome technical obstacles on their path to security maturity and regulatory compliance.
Cody’s experience spans 15+ years working with local professional sports teams to Fortune 1000 companies in nearly all major industries. He’s worked within such frameworks as SOC, NIST, and SOX. In 2021, Cody was recognized as a CTO of the Year by the Indianapolis Business Journal.
