Organizational cybersecurity is only as strong as its weakest link. I agree with that. What I disagree with, however, is that people are the weakest link. This is because you pretend that the employees are to blame when things go wrong. As if they can be blamed, which is not the case. People are people. They exhibit certain behaviors and yes, cybercriminals take advantage of that by manipulating and misleading people. But by saying that people are the weakest link, you misunderstand that people are the most important link. We can’t do anything without people. It is therefore important to design your IT infrastructure in such a way that the weakness of human behavior is overcome. In this way, you create space to strengthen people as the most important link.
Man as the strongest link
Approaching people as the strongest link may be a different approach than you are used to. It requires a different security approach and perhaps even a change in your culture. By seeing people as the most important link, you exploit their potential. While you can mitigate many risks with technology, this is never completely watertight. Blind dependence on technology can even create hypocrisy. Therefore, it is important that people are put in the right place in the entire chain of security measures. By leveraging each element – human or technology – you raise your cyber security to the highest level.
Everyone is tech savvy
Using people the right way in the chain of security measures starts with awareness. The behavior that people display can be potentially weak. To prevent people from kicking in open doors, a basic level of knowledge and skill is required. In other words, it is important that everyone is technically savvy. This cannot be achieved with a single programme, but with a mutual approach. Cybercriminals are continuously professionalizing themselves. This means that the open doors always look different, and it is important that the employees are involved in this. By citing specific examples of the business in which someone operates, you can see that the number of times things go wrong decreases. You know it will never be zero, but you can drastically reduce the number of incidents with more awareness. Provide creative and interactive forms of training, for example using virtual reality or games. This way you keep people on their toes and the information stays better.
I already mentioned it: this approach may require a different culture. An open culture is important to get the most out of human strength. You want people to keep their eyes and ears open to identify risks. But not only that, more importantly, they dare to report things. If they see something crazy in the organization or if something has gone wrong with them themselves. Make it clear that anyone can open the wrong email or link and that it’s good to report this right away. Reward people who make a report and make sure something is done about it. If reports are not handled, employees get the feeling that there is no point in reporting anything. And then you lose a great strength of people: their signaling function.
In the right place
Finally, from an IT perspective, it is important to see people as the strongest link. On the one hand, people must be included in all security measures, on the other hand, security must also be included in everything. The latter is definitely something that is changing. In the past, security was something to do with it. It was later turned into IT solutions. Now security is increasingly becoming part of the whole. Fortunately, this is reflected in courses where safety is a regular part of the curriculum instead of an elective. This turnaround is extremely important to get things right from the start and to put people in the right place as the most important link.
Do you as an organization want to strengthen people as the strongest link? So two things are important. First of all, involve people in the applicable security measures. In addition, it is important to create a culture where employees are aware of suspicious reviews. And a culture where awareness of digital security is promoted every day. How to use the most important cyber security measure the right way.
Author: Dennis Pieterse, Chief Information Security Officer at Conclusion Enablement