Why people are not the weakest link
Though the data published by the ICO appears, on the face of it, to support the view that people are the ‘weakest link’ in the information security chain, this is a common but misplaced trope.
Where people fail, it is more often than not because they have not been given the right training and support to equip them to respond – people cannot be expected to grasp the entire threat landscape and the proportionate behavioural response from an archaic, dull, 60-minute annual training experience.
People’s perception of risk and security has a big influence on the way they behave. For example, if someone has already been a victim of hacking or identity theft, they are far more motivated to follow good practice, simply to avoid the same situation happening again.
Also, because almost everything about cybersecurity happens online, it is kept hidden, which means there is a lack of ‘social proof’. This is a concept coined by renowned psychologist Robert Cialdini as one of six principles of influence that he examined. Simply put, it means that people will model the behaviours of others when they are uncertain about a situation. However, in the context of a cyber attack, most people do not have any point of reference. This is where simple and accessible security policies and processes show their value.
How policies and processes can enable sound security practices
Although the policies and processes in place need to be robust, they should not slow people’s productivity by making them follow draconian controls or cumbersome procedures. If they do, people are tempted to bypass the security controls, which will leave you open to further threats.
As the UK’s National Cyber Security Centre (NCSC) puts it, “if a product has to be used in a particular way in order to be secure – but people cannot easily use it that way – the product is not secure in any meaningful sense”.
The NCSC’s blog offers tips to employers on what they can do to make security processes more usable, from streamlining security policies to refining the workflows behind everyday tasks.
In relation to policies, if they are too long, people cannot find the advice they need, or cannot understand the language that has been used.
In addition, if the processes put in place by the security team are too cumbersome, people will seek alternative routes to get the job done. The workflow of a process is not always thought through: although it might make a system secure, the user experience is not frictionless, and people find it difficult or confusing to use. Organisations must learn from their people by asking for feedback on their policies and processes, to strive for workable security.
The role of security professionals is to support and enable the business by managing risks while ensuring essential activities can continue. We must ensure that there is a balance between security and usability when creating our processes. For example, there is no point asking people to remember excessively long passwords, as none of us have the cognitive ability to do this; people will simply write them down, which presents an inherent security risk in its own right.