As artificial intelligence amplifies the sophistication and reach of phishing, vishing, and smishing attacks, understanding and managing human cyber risks has become increasingly vital, according to the SANS Institute.
The report underscores the escalating stakes in human cyber risks, particularly at a time when 20% of organizations worldwide reported security incidents involving remote workers in the past year.
“The digital world is expanding rapidly, and with it, the human element of cybersecurity becomes ever more important as it evolves as a primary target for cyber threats globally,” says Lance Spitzner, SANS Security Awareness Director.
Notably, the study found that mature security programs, marked by robust teams and leadership support, are characterized by having at least three full-time employees in their security awareness teams.
Top human cyber risks
The primary threats include phishing/vishing/smishing attacks; password/authentication risks mitigated by advanced tools; the challenge of fostering a security culture for effective detection/reporting; and the risk of IT admin misconfigurations, especially in complex cloud environments.
As in previous years, security awareness remains predominantly considered a part-time commitment within organizations. A noteworthy 70% of security awareness practitioners disclosed that they dedicate half or less of their working time to it this year. This insight underscores the ongoing challenge of elevating the importance of continuous cybersecurity awareness in the day-to-day operations of organizations.
For the first time, our data reveals that professionals specializing in human risk management earn up to 5% more than their peers in broader security roles. This underlines the increasing demand and value for these skill sets in the industry.
Key actions to increase program success
Talk in terms of risk
Leadership and security teams often perceive security awareness as not part of security, but rather as a compliance effort that has little relevance to managing risk. To help change such perceptions, focus on and speak in terms of human risk management. Human risk is far more likely to align with most organizations’ strategic security priorities, gain leadership buy-in, and resonate with a security team.
Help your security team members understand how you help them, and work with them to identify the top human risks and the key behaviors that manage those risks. Demonstrate how effective communications, training, and engagement is changing those key behaviors and reducing human risk. Partner with SOC, IR and cyber threat intelligence teams not only to learn their work but also to show them how you can help solve their human-risk-related challenges.
Dedicate two to four hours a month to collecting metrics about the impact and value of your Security Awareness Program and communicating that value to leadership. This information can include informal metrics, established key performance indicators, and even success stories to enable leadership to better understand and regularly see the value that your program is providing.
While technical security has been a focal point for organizations, the human side of security has often been overlooked. This imbalance leaves the workforce as an appealing target for cyberattacks. It’s not uncommon to find a 50-member security team with 49 focusing on technology, leaving just one person to manage human risk. This underinvestment in human-focused security contributes to the prominence of human cyber risks.
“The traditional model of yearly compliance-focused training is inadequate in today’s cyber threat landscape, so we’ve included practical, actionable advice throughout the report,” Spitzner said. “From addressing the top human risks, which according to our data, involve email phishing, to tackling the common challenge of securing adequate resources and budget, we aim to equip organizations with the necessary tools to improve their human risk management strategies and help ensure that organizations proactively invest in the personnel, resources, and tools to robustly address the human dimension of cybersecurity risks.”