Every business, whether small or large, needs to address cybersecurity to operate in today’s online world. This has been a stimulus for the cybersecurity industry and explains the market’s expected 10.9% growth from 2021 to 2028.
As the industry has matured, companies within it have needed to find ways to differentiate themselves in a crowded market, becoming laser-focused on gaining an edge over competitors. These firms seeking to distinguish themselves will often turn to complexity as a selling point: offering packages laden with technical terms and industry jargon.
While in larger businesses the cybersecurity posture is determined by a CISO or an IT professional who may understand these terms, in smaller enterprises figuring out the best way to protect a business from cyber threats is left in the hands of the CEO or other members of staff. For those with limited experience of cybersecurity, choosing from the wealth of options can be a truly daunting task, especially as the pressure to create an effective cybersecurity posture increases while the issue moves up the priority list for company boards.
However, regardless of the size of the business, the reality is that cybersecurity is not just the domain of the company's security professionals or executives. Every single employee within a company has a hand in the protection of the business, as they handle company data, manipulate it, and communicate it as part of their jobs.
The complexity of cybersecurity makes security best practices opaque and inaccessible to most employees, and this hasn’t gone unnoticed by cyber criminals. Employees with limited cyber knowledge are a goldmine for bad actors and they are open to a variety of attacks, but phishing remains the most common threat vector, by far.
Cyber criminals are acutely aware of the gateway that employees create for malicious activity. This is evidenced by the fact that long weekends are becoming the preferred time for cyber criminals to attack, as IT staff are unlikely to be monitoring activity, making it more difficult for companies to react quickly.
What can we do about it? The answer lies in daring to look at cybersecurity from a different angle. Companies cannot expect employees to maintain a high level of cyber hygiene when they are systematically being excluded from cyber operations through complex, technical terms. This is what needs to change.
Cutting people out of the loop on security is a mistake – it alienates them and makes them more vulnerable. This epitomizes one of the greatest contradictions of the cybersecurity industry: if you bombard employees with terms like trojan horse, DDoS and pentesting and expect them to understand them intuitively, you set them up for failure.
It is a mistake to see employees as “a company’s biggest threat.” They are the most important asset of the business and need to be protected like any other high-value asset. They surely are at risk, but that is because cyber criminals are targeting them, and the onus is on the business to protect its employees, not the other way around.
To protect employees and, therefore, the valuable data companies hold, organizations need to make sure that everyone – regardless of level or job role – is included and involved in cybersecurity. Empowering individuals to have a level of visibility across the business that allows them to understand unusual behavior, spot it, act on it and report it is crucial.
Instead of security features that alienate the user, we need security tools that augment their abilities and can prompt employees to make the right choices – enabling them to learn from every interaction they have with security solutions. Breakthroughs in the realm of AI have created the capability to help employees live, in real time, by applying cybersecurity policies within their workflows.
It is also worth noting that “employee friendly” cyber solutions need to factor human nature into their policies, and that means addressing topics such as privacy and surveillance. Organizations should implement a balanced cybersecurity approach that doesn’t invade employees’ privacy but still allows administrators to have visibility over operations. In addition, policies should be designed to avoid disrupting normal business practices: disruption is often one of the main barriers to uptake, and avoiding it means people are more likely to buy into the solution.
As organizations continue to become increasingly aware of the critical importance of cybersecurity, their aim must be to find a solution that can be built from the bottom of their business up. Avoiding complexity and seeking an approach that puts a human at the center will be key to strengthening cybersecurity and empowering employees – regardless of their role – to protect assets and, ultimately, be protected.