The following article comes from the Harvard Business Review by Alex Blau. Alex brings up great points for any business. I have taken some excerpts below:
“Cybercrime is here to stay, and it’s costing American firms a lot of money. The average annualized cost of cybercrime for global companies has increased nearly 62% since 2013, from $7.2 million to $11.7 million.”
“Governments and industry are doing what seems like the obvious thing to do — spending billions of dollars to develop and implement new technologies designed to stop the bad guys before they can get through the front door. Yet, even though we have some of the best and brightest minds on the case, there are still major limitations to what we can do with silicon and code. Despite our predilection for using technology to solve what appear to be technological problems, one lament that echoes in information security circles is that we’re not doing enough to deal with cybersecurity’s biggest, most persistent threat — human behavior.”
….”If it wasn’t an engineer inadvertently building a vulnerability into a piece of software, it was an end user clicking on a bad link, falling for a phishing attack, using a weak password, or neglecting to install a security update in a timely manner. Attackers didn’t need to break down a wall of ones and zeros, or sabotage a piece of sophisticated hardware; instead they simply needed to take advantage of predictably poor user behavior.”
“One major insight from the fields of behavioral economics and psychology is that our behavioral biases are quite predictable. For instance, security professionals have said time and again that keeping software up-to-date, and installing security patches as soon as possible, is one of the best methods of protecting information security systems from attacks. However, even though installing updates is a relative no-brainer, many users and even IT administrators procrastinate on this critical step. Why? Part of the problem is that update prompts and patches often come at the wrong time — when the person responsible for installing the update is preoccupied with some other, presently pressing issue. Additionally, when it comes to updating our personal computers and devices, we’re often provided with an easy “out” in the form of a “remind me later” option. Because of this small contextual detail, users are much more likely to defer on the update, no matter how critical. How many times have you clicked on the “remind me tomorrow” option before finally committing to the update?”
“Turn awareness training into a constant feedback system. One major insight from behavioral science is that if you provide someone training, you might increase people’s knowledge, but you aren’t likely to change their behaviors. Often awareness training happens something like this: once a year, employees get into a room for an hour or two and get lectured at by a professional awareness trainer, only to go back to their workstations and ignore most of what they were taught. There are many reasons why this might happen: people have limited attention and can’t absorb all the information they just learned; they may not have a concrete sense of how to make what they learned actionable and so don’t change their behavior; they may be overconfident that none of the risks they learned about apply to them in particular — “it will never happen to me!” — and the list goes on.
“If we keep trying to use technology to solve what are in reality human problems, we’ll continue to remain vulnerable to attacks. However, if we take an approach that looks at the context in which human beings are liable to make mistakes, we will be more likely to find sustainable solutions that will keep ourselves, and our enterprises, safe from the bad guys.”