Human Cyber Security: A Guide
The human element of cyber security is often deprioritized. There is a misconception that human weakness can be overcome by purchasing the right product or installing a certain piece of software. That does not reflect the reality of managing cyber risk: technical controls limit the damage a mistake can do, but they do not stop people from making it.
What is human cyber security?
Human cyber security refers to all aspects of your cyber security posture that are not based in technology: the training of your users and your overall security culture as an organization. Do you provide adequate training to all users, so they are equipped to handle the threats their work exposes them to? Do you have a culture where people know how, and feel safe, to report a potential threat? Do users understand how they contribute to keeping the organization and their colleagues safe?
Why does human cyber security matter?
Firstly, because threat actors prefer to attack people rather than technology. A person can be manipulated into handing over credentials, approving a payment, or opening an attachment far more cheaply than a well-maintained system can be broken into, and the reward is often greater. Secondly, because you can build the most sophisticated cyber-defense system and human error can still undermine all that work. Insufficient understanding and care from people is a factor in a large proportion of cyber security incidents.
Human cyber security and assessment
A variety of assessment types will expect you to be putting substantial effort into training users and building a cyber-resilient culture that reduces the chance of users making dangerous mistakes. Failing to address the risk of human-based attacks, such as social engineering, phishing, and fraud, is often assessed as high-risk behavior and will be noted in assessments carried out for purposes such as compliance certification, funding eligibility, or insurance.
Training
All users should receive regular training that is relevant to their role. This should cover core threats such as social engineering, phishing, secure password creation and management, and the other threats your users face. Training needs to happen at least twice a year, and you should record the results, broken down by team or role, so you can detect patterns and identify areas where users are less confident. This will help you build training that addresses your organization's own threat profile rather than a generic one.
Role specific training
Users in certain roles have different exposure to threats. For example, members of the finance team are likely to be heavily targeted by attackers trying to steal payroll, bank, or other financial information, or to trick them into making a fraudulent payment. Users with elevated privileges and access to sensitive data are also a target, because compromising their accounts gives attackers access to more sensitive information and systems, which increases the attacker's leverage for extortion. These users need additional, more tailored training than ordinary users.
Remedial training
Being competent in managing cyber security is a core competence of the modern workplace; in its significance for organizational security it is now no different from general building security or fire safety awareness. Users who do not pass regular training tests should be flagged as potential risks. Persistently failing the training exercises means that a user is misunderstanding a core safety protocol and needs remedial training and feedback to understand the issue at hand. Treat this as a signal for targeted support rather than as grounds for punishment: users who fear blame stop reporting the mistakes and suspicious messages you most need to hear about.
Well-documented processes
Ensure that all your security plans and your incident response protocols are well documented and available to anyone who may need to act on them. Just because someone isn't in the IT team doesn't mean they won't be the one to discover a threat. When they do, they need to know what the next steps are. Make sure all users know how to find out what to do in an emergency, how to report a suspicious email or other potential incident, and how to contact the relevant security team members.
Checklist
When reviewing elements of human cyber security, consider the following:
- Ensure human cyber security has equal importance to technical solutions in your cyber security plan
- Provide regular, relevant training to all users in core cyber security practices
- Provide additional role specific training to users who face more threats due to their role
- Make sure there is a remedial training and feedback process that supports any user who is persistently failing regular cyber security training
- Ensure your security processes and incident response protocols are documented and available to users who may need them