The pandemic has upended the entire field of cybersecurity and a newly released National Science Foundation study is now shedding light on the human error component of cybersecurity breaches. “It’s an important study because anytime we can understand why people are committing errors, then we can commit to correcting these errors,” says Terry Wilkins, a cybersecurity expert in Las Vegas, who has read the study.
The study concluded that switching from traditional office environments to work from home and hybrid scenarios created stressful conditions where employees had to modify their living space to be more conducive to work. “Many organizations were ill-prepared to handle these changes as leaders grappled with threats to operational effectiveness and cybersecurity with so many employees working on sensitive tasks and systems from makeshift offices,” the report says.
This contributed to many of the problems that were experienced by businesses, Wilkins adds, telling SmarterMSP, “We had C-suite executives working out of walk-in closets, bedrooms, and breakfast nooks on an ad hoc make-up-as-we-go-along basis. That is hardly a recipe for cyber success.”
Inconsistent compliance points to need for policy changes
The National Science Foundation’s research examined the changes to daily work and how they impacted overall compliance with cybersecurity protocols. Some key findings of the report include:
- At any given moment, 95 percent of employees were adhering to their organizations’ cybersecurity policies. “This is significant because it shows that employees are tuning in and absorbing the cybersecurity training and listening to protocols. I was surprised at how high this number was,” Wilkins says.
- However, the numbers tell a different story when you dive deeper. Compliance measured at a single point in time was 95 percent, but measured across the whole study period it fell to closer to 66 percent.
The study states: “The project also discovered that during the days employees had at least one task wherein they failed to comply with cybersecurity policies, they failed to comply in one out of every five work tasks on average that day.”
“That is more in line with what I would have expected. But the reasoning for the ‘cyber-sloppiness’ is interesting,” Wilkins points out. The study shows that “the overwhelming reason for nonadherence was that employees needed to obtain something to complete their daily tasks, and cybersecurity policies impeded those needs.”
Wilkins notes that this shows a need for more ‘user-friendly’ cybersecurity policies and procedures, not only to reduce stress but to improve compliance, too.
“MSPs and CISOs must find the ‘Goldilocks zone’ for cybersecurity. If you make it too onerous, people won’t comply, but hackers will have a field day if it is too lax. It’s trying to find balance,” he says.
Reducing employee stress is an important part of prevention
One of the report’s main findings is that stress was a leading cause of the compliance failures. Often the stress had to do with deadlines, job security, and company culture. The report shows that very few of the incidents were caused by malicious intent.
Indeed, a Stanford University report in 2020 found that stress or lack of sleep contributed to 44 percent of overall cyber incidents. “Stress as a cause is where cybersecurity needs to be viewed holistically,” Wilkins emphasizes. “Yes, 2FA and patching are a key part of cybersecurity, but so are security training and weight training.”
In other words, while MSPs should primarily focus on their core mission, there is something to be said for looking at the big picture. “I’m not recommending MSPs start giving out gym memberships and hiring personal trainers, but a whole, healthy employee leads to one that is less stressed and makes fewer errors. MSPs need to look at as many tools as possible in the toolkit to harden cybersecurity defenses,” advises Wilkins.
Among the tools Wilkins recommends are:
MORE SECURITY TRAINING: The importance of a comprehensive and consistent cybersecurity regimen can’t be overstated. It is the cheapest, most effective defense. “The goal is to make cybersecurity as second nature as brushing one’s teeth in the morning,” Wilkins states.
Training is also an excellent time to address “the whole package.” “It is while training employees that we have the best opportunity to hit upon the whole employee: the importance of getting enough sleep, making family time, taking care of oneself physically,” he says.
CREATING A COMPANY CULTURE: Wilkins stresses that this takes time and effort, but it is worthwhile. “You want to create a company culture where cybersecurity is valued and venerated,” he advises. “Conduct simulations so that employees can participate. We have fire, tornado, and active shooter drills, and there should be cyber-drills.”
There also needs to be accessibility to the cybersecurity team, an engaged and active help desk, and plain language. “The average person doesn’t know what polymorphic malware or spear phishing is, so managers need to speak in a language that resonates and has relevance,” Wilkins adds. “Otherwise, you risk losing people, and once you do that, the risk of sloppy cyber-hygiene increases, and with that comes the risk for a breach.”