A recent study from IBM concluded 95 percent of successful cyberattacks are the result of human error. Why is it that we’ve been treating better technology as the solution to cybercrime when it’s the people who are the last line of defence for cyberattacks within organizations?

The role of technology

Technology certainly plays a role in protecting companies: patching software and having security measures in place make cyberattacks more difficult. Because of this, the status quo in the security world has been focused on creating better technology. For decades, it was declared that we simply needed to buy better anti-virus and firewalls. But technology is only part of the solution.

The role of people

Facebook CSO Alex Stamos highlights that more harm comes from the behaviours, business processes, and assumptions users have about cybersecurity than from sophisticated technical attacks. To a room full of cybersecurity experts at the Black Hat 2017 conference, Alex proposed relationship building and education as a solution to ever-increasing cybercrime.

“The truth is that the vast majority of harm comes from the simple problems that are difficult to solve, such as the rampant reuse of passwords.”

To create a pan-organizational conversation and awareness of security, all individuals need to understand their role within cybersecurity; there needs to be an ongoing conversation across all departments; and business processes need to take cybersecurity into account — but how?

Best practices for organizations

To take tangible steps to incorporate cybersecurity into an organizational culture, cybersecurity expert and CyberGRX CEO Fred Kneip recently published a list of best practices in Compliance Week for organizations to implement.

1. Ensure a security representative is attending all board meetings

First, this requires a company to designate one or more individuals to own the security program. Second, security must be prioritized at the very top of the organization. If the executives don’t recognize the value in cybersecurity, it’s unlikely that the rest of the organization will.

2. Educate security representatives on how to effectively communicate cyber risk

Effective communication is key: the security representative(s) will need to be able to translate technical jargon into concepts that other departments can understand.

3. Provide security representatives with business context

Fred emphasizes that there needs to be a two-way conversation. The security representative needs to understand the pressures and motivations of the different departments.

4. Clearly differentiate between cyber-risk management and compliance

Being compliant is a snapshot in time. Cyber-risk management is like managing any other business risk — it involves taking daily steps to get to a comfortable level of risk.

It’s everybody’s business

Suzie Smibert, CISO at Finning International, summarized this well in a recent interview with Ben DiPietro at The Wall Street Journal:

“Cybersecurity is not just an IT issue, it’s everybody’s business... You can’t just buy tools and hope they work; there are lots of processes and human elements to having a proper risk management and cybersecurity program. It takes training — and boards and executives need to attend and participate.”