End users get a bad rap with security — for good reason. As a documented statistical weak link, they create 82% of all preventable exposure events, according to Verizon’s “2022 Data Breach Investigations Report.” Given that the most common cause of a data breach is stolen or weak credentials, it’s hard to argue the point.
Humans are emotional, error-prone individuals. They are also the statistical heart of vulnerabilities, breaches, or major incidents and do very little for overall organizational compliance. Since humans are still required to conduct business, it is imperative for organizations to take proactive action to reduce the odds of an event. But what form should that proactive action take?
Traditionally, eager technology practitioners have been quick to attempt to bridge the weaknesses of human nature and manual error by buying a tool, only to find that gaps and risks persist. Technology implemented in the absence of end-user education and good processes didn’t increase their security or reduce their threat level.
Education alone is also not the answer. Empowered end users who are also struggling with unrealistic workloads are prone to errors that naturally increase risks.
The winning recipe for sustainable success demands a combination of both strategic user education and tactical automation of well-constructed processes.
Information Gap
Whether through phone use, online banking, bill payment, goods and services procurement, food or travel logistics, schooling (as a parent, teacher, or student), or as just an everyday consumer with a credit card, most humans have daily interaction with technology. Thus, there is a daily potential risk of a breach.
Consumers take some level of care with their personal information, or what they are comfortable sharing to complete their daily transactions. But everyone has a different level of comfort regarding that data (such as a Social Security number, birth date, address, or credit card number) based on the type of transaction they want to complete. Most consumers acknowledge that minor transactions (groceries, gas, a quick meal out) should need little to no personal information and accept that major purchases (a new home or car) may require significantly more personal data to execute. Most consumers are aware of risks associated with sharing personal data, and many take proactive steps to protect themselves.
In contrast, organizational users (employees and third parties) seem to lack a fluent understanding of what their employer is comfortable with them sharing outside the organization. They aren’t conversant in the types of information that are most critical for them to safeguard on behalf of the company (such as financial projections, intellectual property, and contract terms). Often, they don’t know what information their employer considers sensitive or confidential. Absent clear data classification and user-education campaigns, users are likely to share sensitive company information simply because they weren’t aware it was sensitive in the first place.
Bad actors are well aware of this user knowledge gap, seek to exploit it regularly, and succeed. A common example: the phishing email that requests confidential or sensitive company information. Without understanding common phishing techniques and how to spot them, a user could share information that could harm their employer, rather than identify the potential risk and seek a secondary level of review.
Use Knowledge and Automation in Tandem for Lasting Results
Automation is a critical piece of the security puzzle. However, when it’s implemented on top of a shaky foundation (lack of user understanding and bad processes), it won’t increase security and compliance or reduce risk.
Digital transformation and automation in the areas of access management, authorization, and authentication are foundational needs for sustainable security. But companies must pair them with proactive education to teach the user community why or what they should take care to protect. Tools without knowledge are a big invitation to circumvent defined processes. Publicizing the core values and baseline criteria for protection naturally improves user education. It also results in a higher compliance level across the entire constituent population (employees, third parties, affiliates, and more).
Arming people with the knowledge of what to protect and why they should protect it increases their desire to comply. It reduces compliance violations and creates a culture of support for security initiatives.
When an organization maintains sustainable security, it enjoys increased financial results and efficiency. It’s wise to reward employees through financial bonuses or incentives for contributing to those efforts and reducing breach or criminal activity resulting from preventable events. When employees contribute more to security efforts, it helps organizations better identify where they truly need technological help versus what their employees are fully capable of handling. This level of clarity helps facilitate the deployment of effective automation through proactive security processes, advanced detection, and preventative measures to avoid potential vulnerabilities.
Begin by creating a simple solution to a complex initiative. Identify the building blocks of zero trust and define how and what to care about when. Then communicate it, talk about it, and make sure users understand it. Establishing end-user accountability for security, as well as the tools and protection methods to enhance it, creates an environment of success. It also starts to chip away at that 82%.