Humans are extremely complex beings. Each one is different and has the ability to do good or bad, to absorb knowledge or to fail to understand basic concepts. They are also subject to manipulation, biases and extremes of emotion. Ultimately, as much as we’d like to believe we understand them, they are more likely to surprise us with their actions and behaviour.
So, you may ask, what does this have to do with cybersecurity?
Humans are the weakest link in your security chain. One individual’s actions – intentional or not – can wreak havoc in your network, cause irreparable damage to your business and, in a worst-case scenario, bring a business to a standstill.
Human factors and behaviours
Not surprisingly, there are quite a few!
Motivation: Motivation is a powerful driver. Every business wants its employees to be motivated and working hard in the company’s interests. The problems start when employees have ulterior motives. For some it may be personal gain, revenge, or even boredom. Their actions may be intentional or unintentional but still compromise cybersecurity – copying or sharing corporate data to a personal drive, sabotaging systems or facilitating third-party access to systems in return for money.
Trust: A lack of trust between employees can have a significant impact on cybersecurity. If employees don't trust each other, they may be more likely to engage in malicious activities, such as stealing or sharing sensitive data. The flipside is that employees who trust too much may open emails that appear to come from their boss or a colleague, or they may trust a vendor or service provider that has access to the network and may itself be compromised.
Bias: Humans are not always rational and rely on ‘shortcuts’, or biases, to arrive at decisions. These biases impact cybersecurity. For example, optimism bias can lead to the false belief that the network is secure because all systems are configured and running. Other examples are availability bias, confirmation bias, aggregate bias and the framing effect.
Responsibility: When employees feel a sense of responsibility for the security of their workplace, they are more likely to take cybersecurity seriously and take appropriate actions to protect company data. On the other hand, when employees feel that cybersecurity is someone else's responsibility, they may be less likely to take appropriate actions to prevent cyberattacks.
Complacency: If employees are not reminded about the importance of cybersecurity on a regular basis, they may become complacent and assume that nothing bad will happen. This complacency can lead to careless behaviours, such as clicking on suspicious links or downloading malicious attachments.
Awareness: When employees are not aware of the risks associated with cyberattacks and the impact that a security breach can have on the company and their personal lives, they are less likely to take cybersecurity seriously and follow best practices to protect themselves and the company. They may use weak or reused passwords, share sensitive information on unsecured channels, download unauthorised software or applications, or leave devices unattended or unlocked.
Overconfidence: Some employees may feel overconfident in their ability to detect and prevent cyberattacks, leading them to take unnecessary risks or overlook potential threats.
Stress: High levels of stress or pressure can lead employees to take shortcuts or make mistakes that can compromise cybersecurity, such as reusing passwords or failing to follow security protocols.
Employee behaviour has a significant impact on cybersecurity in the workplace. While technical measures are important, a business cannot ignore the emotional and behavioural factors that can increase the risk of cyberattacks. IT teams can rely on line managers to identify behaviours that could indicate a problem or potential threat.
By fostering a culture of awareness, education, and accountability, companies can help ensure that employees take cybersecurity seriously and follow best practices to protect themselves and the company.
By addressing the human factor, businesses can help create a culture where employees feel empowered to take an active ‘cybersecurity’ role.