Contrary to popular belief, the main objective of cybersecurity is not to protect an organization’s computers, servers, networks or accounts. In fact, it doesn’t really have anything to do with technology at all.
In this blog post, we explore why cybersecurity is more about people than technology and what organizations can do to bring the all-important human element back into focus.
Why cybersecurity can’t be solved by technology alone
At its core, cybersecurity is simply about protecting an organization – and the people who work there – from technological disruption so that it can continue to provide goods and services, turn a profit and avoid financial losses. In other words, cybercrime targets people and businesses, and technology just happens to be the medium through which cyberattacks occur. Cybersecurity, then, is more about protecting people and less about protecting technology.
However, many organizations still take an overly technocratic approach to cybersecurity, relying on the latest and greatest tech-driven solutions to solve what is ultimately a very human issue. While technology undoubtedly plays a key role in mitigating cyberthreats, good cybersecurity is more than a technical feat – it’s a people feat.
How to bring the human element of cybersecurity back into focus
Organizations that fail to consider the human element of cybersecurity risk losing sight of the bigger picture and may come to be overly dependent on technological solutions, which remain essential – but imperfect – tools for combating cyberthreats.
Below are four tips to make cybersecurity more of a shared responsibility in your organization:
1. Foster a culture of risk management
In any given organization, most people are there to hit their KPIs and meet deadlines. They typically do not view cybersecurity as part of their responsibilities or core job functions. In many cases, staff see cybersecurity as an added obstacle that hinders them from doing their job – and if they can find a way to work more efficiently by circumventing security processes, they will.
Directives don’t motivate people. And technology alone can’t solve the cybersecurity problem. Organizations, therefore, must work on building a culture of risk management that permeates every level of staff, from the most junior employee to the most senior leader. The objective here is for every member of the organization to be emotionally invested in mitigating cyberthreats and view cybersecurity as a shared cause that everyone is responsible for.
This may require a fundamental shift in the way that some organizations approach security.
While cybersecurity may have traditionally been left to the IT department, it may be that organizations need to start leaning more on human resources in order to get buy-in from other business units.
2. Make cybersecurity more comprehensible
The technical jargon and endless acronyms surrounding cybersecurity can be intimidating to the uninitiated. Technical staff have an important role to play in translating the technobabble and ensuring that other members of the team understand the implications of a given security risk and the benefits of a potential solution.
For instance, simply stating that the organization needs to invest more in EDR or SIEM isn’t particularly helpful for non-technical staff. Highlighting the potential impact of a slow threat response and framing it as a business risk – not just a cyber risk – can lead to a more constructive conversation and help business leaders make more informed decisions.
3. Senior management need to understand the risks
Cybersecurity decisions need to come from the top of an organization – not the IT department. That’s not because IT teams can’t be trusted to do a good job, but because cybersecurity decisions now have serious business and operational implications that extend far beyond the technical departments.
There are strategic trade-offs to be made. Because there’s no such thing as absolute security and no organization has the resources to shore up every vulnerability, some level of risk is inevitable and some hard decisions will need to be made. What are the most important business assets? What level of risk is acceptable? How much are we prepared to spend? How will the proposed security processes impact frontline staff?
While IT personnel certainly have a role to play in assisting business leaders, the big-picture strategic decisions need to come from senior management. Cybersecurity is a business management issue, not just a technical concern, and it’s those at the top who should be ultimately responsible for finding the balance between security, profitability and productivity.
4. Lead with empathy
People are flawed. For better or worse, effective cybersecurity depends on people, which means, yes, even the most cyber-ready organization will still have some chinks in its armor.
Organizations need to acknowledge these limitations and be ready to listen to and learn from both technical personnel and those on the frontline who are using the systems day in and day out. Encourage people across every level of the organization to ask questions and be up-front about mistakes, and use those insights to inform future security decisions.
Technology provides humans with a safety net. Telling users doesn’t stop them from clicking links. No matter how well trained the user, they will slip up at some point and make a mistake. Additionally, some users act maliciously and will intentionally seek to do harm to the organization in which they work. Cybersecurity helps protect businesses against these inherently human weaknesses.
At the same time, all the technology in the world won’t stop cyberattacks if you don’t have buy-in from your users. Technology, of course, plays a critical role in cybersecurity strategy, but it is not a strategy in and of itself. The line between cyber risk and business risk is becoming increasingly blurry and organizations need to start recognizing that cybersecurity is more about people than it is about tech.
Here at Emsisoft, we recognize the important role humans play in effective cybersecurity. From the intuitive UI of our software to our phishing protection technology and anti-tampering multi-factor authentication system, Emsisoft solutions are designed from the ground up with the human factor in mind. To see the software in action, download your free trial today.