WHITEPAPER

Cyber is People – How to Improve Your Most Overlooked Area for Risk

Introduction

In a 2016 paper for the International Journal of Human-Computer Interaction, a research team led by Leah Zhang-Kennedy noted that “Although computer security technologies are the first line of defense to secure users, their success is dependent on individuals’ behavior.”1 This insight underscores a central truth about cybersecurity that many businesses fail to recognize: technology isn’t a cure-all. In fact, tech is but one piece of the puzzle of an organization’s operational resilience. The key to minimizing your company’s exposure is to ensure that risk is balanced across people, processes, and technology.

Technology is Not a Silver Bullet

When it comes to cybersecurity and risk-management strategies, companies often lean hard into technological solutions. Intuitively, this makes sense—after all, cybersecurity is technical in its very nature. This has given rise to a number of software products that promise to prevent cyber threats entirely with “block and tackle” solutions. But by investing only in the latest technology, the C-suite often ignores one of the most critical vectors of attack: its people.

0 %

of incidents that affected OT and ICS networks resulted from employee error.

(Security Magazine) 
0 %

of attacks in 2019 originated from phishing emails

(Cyber Defense Magazine) 
0 %

of breaches in 2019 were caused by human error.

(Cyber Security Intelligence)

Sophisticated hackers don’t always need to find an unexpected backdoor open or discover a zero-day vulnerability in the code to break into your system. Too often, they exploit the people operating that technology through malicious phishing attempts, weak passwords, or clever social engineering schemes. Additionally, poor processes and oversight can often be to blame, as was the case in the devastating SolarWinds hack, in which an employee failed to change the default security preferences when setting up an email account.

Focusing narrowly on technology-driven solutions can cause an organization to overestimate its resilience and become overly confident about the scope of its potential exposure. When companies don’t consider the risks presented by people and processes, their approach can become unbalanced due to:

  • Spending money on technical solutions that should be lower on the priority list
  • Placing great weight on potential issues that may actually present less of a threat than existing risks
  • Implementing drawn-out technical solutions while ignoring the quick wins of educating employees and streamlining processes

Rethink Cybersecurity - Put People First

While technology is a vital part of cyber defense, we argue that the best way for organizations to improve their risk posture is to put people first. This sentiment is echoed in a number of governmental and industry compliance standards, such as SOC 2 Compliance and the NIST Cybersecurity Framework. As the cybersecurity professionals at SecurityGate.io discovered when incorporating these standards into the platform’s workflow, over 80% of the controls proposed in these frameworks are related to people and processes.

Consider that for a moment: the overwhelming majority of cybersecurity risks for organizations are related to non-technical components of the business, yet companies spend an inordinate amount of money and time implementing technological solutions. This just doesn’t make sense.

This is why we are advocating a people-first approach to cybersecurity. Having a cybersecurity-literate workforce is critical to protecting your organization from ever-evolving and ongoing cyber threats. The bad actors responsible for these threats are not going anywhere. In fact, the threats only continue to grow, whether from state-sponsored cyber warfare, organized crime, or garden-variety hackers looking to score a few Bitcoin by co-opting social media accounts.

Evaluate Your Complete Risk Exposure with SecurityGate.io

SecurityGate.io takes a holistic view of the risks facing your organization across people, processes and technology. Our assessment platform moves at the speed of your threats: as opposed to taking months, a SecurityGate.io assessment can be completed in hours. Even better, the findings are delivered instantaneously in an easy-to-consume dashboard. You will immediately locate the security gaps in your program and be able to begin the remediation process to reduce your exposure.

Ready to Get Started?

Become a leader in digital transformation. See how SecurityGate.io can improve your ICS cybersecurity and risk management efforts.