The human element: Why Employee Mistakes Are The Biggest Cybersecurity Threat and How Training Can Make a Difference

With almost 88% of data breaches being caused by an employee mistake, a strong human risk management program is with regular employee training and cybersecurity awareness is critical, says Carey van Vlaanderen, CEO of ESET Southern Africa.

Ask any cybersecurity specialist about their biggest network safety concern, and it’s likely that they’ll answer: the human element. No matter how resilient or intelligent the cybersecurity solution is, it can only be as effective as its weakest link, and people are always a risk. Whether it’s recycling passwords, a company laptop being stolen or lost with confidential client information, or intentionally overriding company security policies - humans are the biggest threat in the cybersecurity space. Chief Security Officers, CIOs, and individuals in similar positions of responsibility spend a lot of their time worrying not about technology, but about people.

Humans make mistakes. These mistakes range from failure to properly delete data from devices to preventable errors like clicking on links in phishing emails, to misconfigured network devices and servers. Humans are also capable of negligence, unfortunately. Data leaks that arise because of human error, such as failure to update security patches or correctly configure servers with known vulnerabilities, are on the rise and now occur almost as frequently as direct security attacks. Then there’s insider threats, which are unimaginably difficult to detect. From malicious employees or an employee whose credentials have been compromised, all of these vulnerabilities share a common root: humans.

Managing human risk from the inside

An effective program for managing human risk involves several key components. These include providing regular training and increasing employee awareness, establishing clear policies and procedures, maintaining efficient communication channels, developing plans to respond to security incidents, and conducting regular security assessments to identify and minimize potential risks.

Other necessary steps include implementing robust access controls, monitoring network activity, reviewing, and updating security policies while fostering a culture that prioritizes security. Cybersecurity awareness and training work hand-in-hand to address the human element of risk in a number of ways:

1. Prevention of human error: Awareness and training can help employees understand their role in maintaining security integrity and avoid common mistakes that can lead to breaches. For example, they can learn how to create strong passwords, how to identify phishing emails, and how to properly handle sensitive data.
2. Early detection: Cybersecurity awareness and training can teach employees how to recognize and report suspicious activity. This can help identify security incidents early, allowing for a quicker response and minimizing the impact of an attack.
3. Improved incident response: Employees who have received cybersecurity training are more likely to know how to respond to security incidents by following established procedures and protocols to minimize the damage caused by an attack.
4. Creating a culture of security: Cybersecurity awareness and training can help create a culture of security within the enterprise. When employees understand the importance of security and their role in maintaining it, they are more likely to take it seriously and make it a priority.

Focusing on managing human risk and security training requires strong leadership from within. Leadership commitment is a key ingredient in achieving the organizational momentum needed to create an ongoing culture of learning and growth. With executive buy-in, sustained investment is possible in the necessary training and development resources such as courses, workshops, and mentorship programs.

Balancing security training and production

With the increasing tech talent shortage in Africa, CIOs are scrambling to ensure that employees brush up on skills and technologies that facilitate business agility and resilience, with cybersecurity knowledge topping the list, despite competing priorities.

Training and upskilling need to be a deliberate exercise, but small teams are often vulnerable to the delivery pressure created by the current needs of the business. This means that critical training (such as cybersecurity training) takes second place behind current projects, which results in a short-term productivity gain at the expense of long-term skills progress. Creating a balance of short-term project delivery and upskilling/training as outputs to current projects is essential.

Constant vigilance and continuous learning

By providing regular cybersecurity training and increasing employee awareness, organizations can prevent human errors, detect incidents early, improve incident response, and create a deep culture of security. As cyber threats increase in complexity and frequency, investing in security skills training is a critical step toward ensuring the protection of people, assets, and data from threats, both internal and external.

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, encryption, and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centres worldwide, working in support of our shared future. For more information, visit www.eset.com/za or follow us on LinkedIn, Facebook, and Instagram.