More safety culture to reduce risk

Behavior and human error facilitate the success of cyberattacks. Improving awareness as a strategy to reduce cyber risk

That the crucial role of people who unknowingly facilitate success in cyberattacks is now a fact: the statistics derived from “Verizon Data Breach Investigation Report 2021“Show the centrality of the human factor in 85% of the analyzed cases, related to episodes of data breaches. Also in the report published this year, this percentage was significantly confirmed. These figures are affected by cases of attacks related to stolen credentials, phishing or human error Over the past few years, organizations have focused their investments on securing new technological solutions in compliance, but have neglected staff training.

On the other hand, there has been a rapid transition in the management scenario for ICT solutions to models for outsourcing non-core activities, accompanied by the global proliferation of cloud and mobile technologies. In addition to this, the pandemic emergency has had a disruptive effect on the traditional work organization by confirming the collaboration model in smart work mode, which, while allowing organizations to mitigate the consequences for the company’s business continuity, has actually further weakened the defense. . Surely the delivery model, cloud SaaS, of the most widely used e-mail service helps to make the control of the authenticity of messages more complex, also by virtue of the imperfect understanding of the responsibility (customer and supplier) in the use of these services. If we then add the human tendency to “believe reliable” even unsolicited communication (the PPP factor – Phish Prone Percentage – in the absence of specific training is between 15 and 40%), then the attackers’ financial motivation, growing complexity of information systems and difficulties with monitoring abnormal behavior, the picture becomes very complex to deal with. It is known that the issue of cybersecurity must be addressed according to an interdisciplinary approach, in synergy between the functions responsible for managing security, ICT, human resources and law.

It would therefore be appropriate to support the HR function, which proposes the integration of innovative cybersecurity awareness platforms that enable the effective reach of the company’s population as an alternative to the provision of traditional training, which may no longer be relevant, a few months after its . These platforms provide for the structuring of training through micro-sessions that can be followed without major impact on work activities; the content is made available, always updated in different languages ​​and formats (newsletters, videos, series, games, team challenges) to guarantee the right level of commitment. The verification of the learning level, the purpose of the training, takes place through test sessions or simulations of phishing and other types of attacks. The intervention makes it possible to improve the level of the company’s safety culture with the aim of improving its efficiency over time according to the criteria that can be referred to the “maturity model”, which is defined by the work of the SANS Institute. In more structured companies, the role of “Security Awareness Professional” expands, in addition to the more classic roles of Information Security Manager (CISO) and the operational security manager, also for the purpose of handling the so-called “human”. risk “and ensure the management of interventions over time. Some insights into the scenarios and their characterization can be found in “Security Awareness Report”.

Roberto Obialero CLUSIT steering group

Leave a Comment