If you want to fix cyber, stop trying to fix people

It’s a common refrain in cybersecurity: it’s all down to human error. It’s the fault of people who are not technically aware. It’s so easy to blame the boomers and Gen Xers for having the audacity to be brought up before technology became the standard lens we see the world through.

We’ve all seen the reports. “IBM says that human error is the main cause of 95% of security breaches,” or there’s the HBR’s slightly less hyperbolic headline, claiming that “over 80% of incidents” can be traced back to human error. And then there’s the annual “most common passwords” clickbait lists.

The problem is that the minute that you cite these kinds of statistics, the fingers come out and start pointing to the assumed ‘tech luddites’ within the organisation. People like my mother. And yours. And then we act like ‘better education’ is a panacea that is going to solve the problem, and if there’s another breach it’s because the luddites just haven’t been trained hard enough.

While cybersecurity training is as important to the modern business as fire drills and first aid, the problem with this mindset is that it shifts the blame in the wrong direction by dropping responsibility squarely on the shoulders of the individual. Much like how we can’t actually solve the problem of plastic by asking people to learn how to recycle, no amount of training is going to fully eliminate the human error risk.

It’s also a problem because perception isn’t necessarily reality. Research shows that the most digitally savvy group of all — the Gen Zs, who were essentially born with a smartphone in their hands — are also a much bigger security risk than boomers, thanks to an apparently generationally blasé attitude towards security best practices.

Here is a fun fact to make you feel old: people born in the year the first iPhone was released will be graduating high school next year, so we’re about to have an influx of people into the workforce who have quite literally never known what a world without smartphones is like.

Ultimately, what this blame game does is cause extreme risk aversion. When executives and the board assume that the security risk sits with the individual, and there’s 100, let alone 1000+ individuals, then the only response that they can take to the risk of human error is to remove the opportunity for the human to make the error. And that often means not doing anything at all. In other words, the fear of human error, and the uncertainty that it will ever be possible to eliminate human error from an organisation, can totally stifle the ability to do anything with the technology.

This negativity is uncompetitive to the point of unsustainability in a business environment where innovation is critical. So perhaps there is a better way to look at this and direct the responsibility for cybersecurity somewhere other than our parents.

Human error is not incompetence

The first piece of disinformation to correct regarding human error is that it often doesn’t come from a place of incompetence. No matter how skilled, trained and tech savvy someone can be, they can still make a mistake.

For a good example of this, there was a case where we worked with a business that was divesting its manufacturing arm to a third-party buyer. Their accounts person’s PC was compromised, so emails with bogus accounts and requests to pay into different bank accounts were being sent, and as is usual with these incidents the attackers were intercepting any emails that were questioning the changes.

This could have lost the company millions of dollars. Thankfully, it ‘only’ cost them tens of thousands. A successful remediation and rapid review of the incident gave the buyer comfort and stopped the ongoing attack from any further financial or reputational impact. This would have been chalked up as human error in the statistics, but certainly not the product of incompetence.

And was it the accounts person’s responsibility in the first place? No. When, from their perspective, work was continuing on as normal, then they’re not going to notice what isn’t noticeable. Was there a way to prevent the attack from being successful? Absolutely, and at multiple points. Better verification either at the technology level or better fraud systems at the bank itself could have flagged the issue before the money was lost.

Embracing technology to eliminate human error

To an extent it might seem counterintuitive to use even more technology when the concern is cybersecurity, but consider the passwords example at the top of the article: we’ve been doing ‘most common password’ lists for long enough to know that ‘123456’ and ‘password’ are going to be the winners into perpetuity. This is despite all the education that people are given about the importance of secure passwords, and indeed technology solutions that demand that people regularly change passwords.

Why does this happen? Because people need to remember dozens and dozens of passwords now, and it’s just not convenient to take passwords seriously. The cognitive load of remembering multiple complex passwords is unrealistic and leads to risky behaviours, and then — BAM! — human error rears its ugly head.

This is why the current trend towards passkeys — a form of passwordless authentication being explored by tech giants like Apple, Google and Microsoft — is so exciting. Passkeys represent a major shift away from knowledge-based security (something you know) to possession-based security (something you have), such as a device or a biometric identifier. Not only is it far more secure (short of some truly Hollywood antics, it’s very difficult to get access to your thumbprint or iris to act as a password), but — and this is the important thing here — it shifts the responsibility for any error that may be made from the individual, with their relatively modest capabilities, to the organisation and their vast resources.

If the passkey fails and a hacker gets access, that is because Apple, Google or Microsoft made the mistake. It means that you’ll need to trust the company deeply, but coming at the right mix of partners and technology providers is where the consultants come in. If this is then further backed by the other companies in the chain having the right security posture themselves — for example, a bank having an advanced, AI-powered, real-time fraud detection system in action, then the risk of error at any stage is reduced even further.

Passkeys are just one area where we can develop technology solutions to shift responsibility for security away from the individual and absorb it within organisations that are better capable of managing it at the kind of scale that cybersecurity requires now.

The big upshot to doing this is simple: people and organisations can then have confidence that they’re not about to be hacked, frauded, scammed or phished. Instead of pushing people to be terrified of the technology they’re using, they can instead embrace it.

Imagine instead a world where security is stronger and people feel empowered to truly use technology. It’s a win-win that will unlock greater innovation right across our society. So we need to stop trying to fix people and stop trying to bridge unbridgeable digital generational divides: instead let’s start understanding and supporting them with the right technology, intelligently implemented.

*Neal Costello is National Account Manager for Excite Cyber and an experienced ICT professional with over 30 years’ sales, technical and project management experience. He has worked in a range of areas across critical government services, information security, enterprise sales and technical support. Previously, Neal has worked as a project coordinator, systems administrator and enterprise sales manager, and enjoys beekeeping, beer, and motorbikes, not necessarily at the same time.

Top image credit: iStock.com/towfiqu ahamed