Adopting human-centric security

As businesses adopt new technologies and adapt their ways of working to take advantage of the latest digitalisation trends, the unfortunate truth is that they are increasing their cyber risk.

Attacks like phishing, Business Email Compromise, ransomware, and credential stuffing are all on a rapid upwards trajectory. They target employees and exploit poor network security to gain network access and to move laterally through the organisation to high-value targets.

Defending your organisation against attack requires all team members to be vigilant and to continuously practice good cyber hygiene. This helps to create a first line of defence at the edge of your network: the human firewall. Yet, the human firewall shouldn’t be perceived as the sole solution for improving cybersecurity. Recent research by Grant Ho et al. suggests that “anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.”

To improve the effectiveness of your cybersecurity training efforts and strengthen your human firewall in the face of an increasingly sophisticated cyber-threat landscape, adopting human-centric security strategies is essential.

Human-centric security is an approach that prioritises understanding and addressing human behaviour within the context of cybersecurity to enhance security and privacy. It recognises the critical role of human factors and focuses on adapting to human behaviour, psychology, and interaction to build a security culture that empowers employees, reduces human errors, and mitigates cyber risks effectively.

One key application lies in bridging the boardroom communication gap. As the frequency and severity of cybersecurity incidents continues to rise, boards and executives are increasingly adopting outcome-driven metrics to enable stakeholders to draw a straight line between cybersecurity investment and the improvement in organisation protection levels.

Clear, simple policies and procedures support human-centric security strategies. They help to overcome the complex world of legalese and technical jargon that often makes it impossible for the average user to understand security and privacy messages and policies in organisations.

Human-centric security accepts that users often don’t apply what should be a best practice in favour of just getting on with it. Clear, understandable communication makes it easier to adopt best practices. For example, at BT we make an effort to simplify language and focus on fundamental principles when educating our workforce.

It is also crucial to ensure that policies are updated to address contemporary challenges like cloud services and impersonation threats during virtual meetings. Obsolete policies undermine human understanding of best practices, so organisations must make sure employee education and awareness programmes stay up to date with policy changes.

When it comes to your human firewall, there are four groups that you’ll need to think about when applying human-centric security strategies. The first is your general user community. They are your first line of defence, and human-centric security awareness training coupled with a blameless culture is critical to switching on your ‘human firewall’.

Second is the skillset and capacity of your cyber team. Do they have the right training to get the best out of the tools you’ve got (and are planning to deploy)? And, more importantly, do they have the bandwidth to manage the current alert load?

Closely aligned to this are the skills of your managed security services partner. Are they freeing your team up to give them time to concentrate on higher-value activities? And are they supporting you with proactive enhancements to help improve their services? This is where experienced managed security partners can really help you by taking on a lot of the heavy lifting in implementing an advanced cyber maturity programme.

Lastly, consider the executive cyber mindset. Is the executive team on board with the strategy? Have you been able to clearly articulate the benefits and provide regular progress updates demonstrating real risk reduction from your cyber security investments? Top-level buy-in is crucial to continuity.

As navigating the cyber threat landscape becomes increasingly complex, organisations can’t rely exclusively on a human-centric approach, as the human firewall is just one element of an encompassing approach to securing a business network and preventing cyberattacks. There is a lot more to done; and yet there’s never been more pressure on CIOs and CISOs to enhance operational resilience underpinned by human behaviour change.