AIG’s report, Human Cyber Risk – The First Line of Defense explores in depth the cyber 'human factor' and concludes it is time to take a new approach to addressing the human side of cyber risk, by identifying and addressing the underlying root-cause: human behaviour.

Such an approach has never been more relevant, as organisations work with their staff to ensure business continuity and employee safety in the current environment.  

The report replaces the term 'human error' with 'human factor' in an attempt to move away from negative connotations.

Key points

  • The term "human error" is too often used to imply that employees are to blame for cyber breaches. In reality, inadequate security cultures facilitate people-centred attacks
  • At a time of increased home working, staff are more vulnerable than ever to exploitation by malicious actors 

What is the human factor?

The human factor has less to do with actual error and more to do with inadequate security cultures and the exploitation of human behaviour and goodwill. By better understanding these vulnerabilities, more can be done to address them and build greater cyber resilience.

Cybercriminals are generally motivated by monetary gain and seek the easiest methods of extracting what they want. They are highly-motivated, highly-skilled and have unlimited time and resources. It is easier for them to pick up the phone and impersonate an official or technical support to get what they want, than it is to spend months trying to hack in using brute force.

Perpetrators of business email compromise (BEC), for instance, often target individuals responsible for sending payments. Through social engineering, they use psychological manipulation to encourage users into providing information or making a financial transaction. Simple measures, such as ensuring all electronic payments need a second manual authorisation, can protect staff.

Employers need to consider the psychological levers that cybercriminals pull when they use human behaviours to trick employees into clicking on links and giving away passwords . They need to place users at the heart of their cyber security strategy, both in terms of security protocols and training and awareness.

The onus is on employers to ensure end-users have the knowledge and skills they need to keep themselves and their businesses secure. 

Managing internal threats, such as training staff to identify phishing emails, to improve password hygiene and protect the network against unsecured devices takes up time and resource.

In order to deliver a robust cyber security program, it is important for different departments to collaborate more. By making cyber security a company-wide challenge, with staff the first line of defence, firms can free up time for their IT departments to focus on strategy and managing external threats.

The onus is on employers to ensure end-users have the knowledge and skills they need to keep themselves and their businesses secure

Cyber risk and home working  

Increased home working heightens employees’ risk to exploitation by malicious actors. These risks have come to the fore as governments have imposed restrictions. 

Hackers are looking to take advantage of the current chaos and uncertainty by preying on people's natural fears. The EU Agency for Cybersecurity has warned that home working presents new challenges, with attackers using concerns around Covid-19 in phishing emails and other scams1.

Employers and their staff should be alert to these scams as well as all the usual pitfalls of day-to-day cyber security, ensuring staff continue to use two-factor authentication and strong passwords, for instance. 

Research has shown that mobile device users are more susceptible to phishing and social media attacks than desktop users, due to screen size and restricted information. The risks associated with mobile devices, including tablets and smart phones, is clearly more of an issue for organisations at times when large numbers of staff are working remotely. 

Staff should be sent regular reminders of what to be alert to from a cyber security perspective, and what to do if they inadvertently click on a link in a phishing email or suspect they have been targeted by a cyber attack.

In normal times, businesses can carefully consider their technology requirements when introducing or expanding flexible working practices and setting 'bring your own device' (BYOD) policies. This is not as easily done during an emergency. 

When staff are suddenly forced to work remotely, they may need to rely on personal devices and/or unsecured wireless. These are unlikely to have the same protections as those in the workplace, or the same capacity to monitor activity. 

In order to maintain high standards of IT security, firms must work with their employees to ensure personal devices are secure, particularly when accessing company networks.

As the cyber threat landscape grows and evolves, the most resilient organisations will be those that tackle the threat on both a technological and behavioural level, working collaboratively across organisations, with buy-in at every level. The tone of any organisation’s cyber security culture should be set at the top with Boards taking an active role in how they are addressing the cyber human factor. 

For more information on how Boards need to manage their cyber risk please see Cyber Risk Oversight 2020: Key Priorities and Practical Guidance for European Corporate Boards from the ISA (Internet Security Alliance) and Ecoda (organisation representing the main national institutes of directors in Europe).