Your choice regarding cookies on this site
Click on Accept to agree or Preferences to view and choose your cookie settings.
One of the biggest threats to cybersecurity in any organization comes from its employees, even if they aren’t behaving maliciously. Human factors consultant Amanda Widdowson provides a checklist of ways people can pose a risk — however inadvertently.
“In terms of cybersecurity, what is harder to control is the human element. You can control the technical aspect a bit more. Machines are a bit more predictable: you know what they are going to do. People — less so.”
It was this realization that drew human factors consultant Amanda Widdowson into the world of cybersecurity. After two decades working in fields as diverse as defense, rail, motor racing and offshore, she became fascinated by the psychology of cybersecurity.
That led to the development of an approach based on her previous experience, she explains. “For part of my career I was involved in rail incident investigations for London Underground. I’ve essentially applied a knowledge of human error, how people’s actions contribute to incidents — and how you can mitigate that — to cybersecurity,” she says.
Widdowson’s work has attracted acclaim, winning her several awards, including one from the UK’s Ministry of Defence. She is now Human Factors Capability Lead for Thales UK and her approach is sure to reach a wider audience still when she assumes the role of president of the Chartered Institute of Ergonomics and Human Factors in April 2020.
From that perspective, Widdowson defines a checklist of nine elements of human behavior that all tech leaders need to keep in mind. Crucially, these all relate to unintended harm caused by employees rather than deliberately malevolent acts, but are no less important.
Consult staff on security procedures
Navigating a path that maximizes security while minimizing interference with employees’ roles can be difficult but Widdowson believes that it is essential for robust defenses against insider threat.
“This is about designing procedures around people’s jobs. If your cybersecurity policy is too strict, then people will find workarounds,” she says. “Usually this is not malicious, they’re just trying to find the easiest or most efficient way to do their job.”
She advises: “Consult employees when designing procedures and understand how the security policies will impact their work. You need to balance the need to be secure with people being able to do their jobs.”
Set clear boundaries for information sharing
Security chiefs face challenging decisions when defining the scope of internal information that people can share in the course of their work — and what crosses boundaries of company confidentiality. Widdowson has seen that becoming increasingly important with the rise of social media and the arrival of data protection laws such as GDPR. “In my experience, what you can see on internet chat groups is information that shouldn’t necessarily be in the public domain,” she says. “That’s definitely a vulnerability.”
However, moves to address this issue should not thwart the legitimate sharing of information. Widdowson continues: “Again, if procedures for sharing information with third parties are too strict then people might be tempted to use their personal email or other means of sharing that information, leaving it vulnerable to attackers if it gets away from the company’s control.”Create a secure culture
How do managers demonstrate that cybersecurity is important right across the organization? Or does their behavior belie security policies? When it comes to shared perceptions about cybersecurity, says Widdowson, actions speak louder than words.
“Managers need to walk the talk and not just pay lip service to cybersecurity. They need to reward good cybersecurity behavior,” she says. “If productivity and performance are all that’s talked about, you’re sending the message that security isn’t as important.”
Be cognizant of physical environments
While many cybersecurity measures appropriately focus on technology as both a source and a solution to cyber threats, the physical element should never be ignored when considering human factor risks. Widdowson says the threat is amplified by common politeness, a lack of security mindset and a reticence to challenge non-employees about their presence.
“People hold open doors and allow outsiders to tailgate them into offices,” she observes. “If staff are used to seeing people they don’t know wandering around their work environment, they’re less likely to challenge them but it might be someone who has gained unauthorised access. So you need a good visitor management policy.”
Ensure workloads don’t undermine security
Unreasonable workloads are not just bad practice; they are a risk factor too, Widdowson says. “Human factors experts know that people are more likely to make errors when they are overloaded,” explains Widdowson, and filling people’s workday with email traffic can play a significant part of this. “If you are dealing with emails in a hurry and not attending to them properly,” she adds, “then it’s harder to spot that phishing email.”
Move beyond passwords
“I’d love to see passwords become a thing of the past,” says Widdowson. A sentiment that many of us would agree with from a convenience perspective, but there’s also a security argument for switching to different methods of identity verification.
“Passwords are such a vulnerability,” she says. “Business leaders need to invest in technologies such as facial, palm-vein and fingerprint recognition and get rid of our reliance on passwords.”
Make employees aware of the scale of the threat
Employees need to be aware of the actual threats their organization has encountered, whether the attack was successful or not. Although it may seem counter-intuitive to highlight the business impact of security breaches, Widdowson believes that it’s important for staff to know about both the scale and severity of actual and potential incidents.
“Training about cybersecurity needs to use real examples,” she says. “People have to believe that it’s not just a thing that happen to other people.”
Moreover, training about cybersecurity cannot be treated as a one-off tick box exercise. Ensuring employees’ knowledge remains current is part of reducing risk: “Organizations need to understand how many people have been trained, to what level of understanding and where refresher training is required to keep them up to date with incidents, scams and so on,” she says.
Match security to personality types
Many organizations apply security policies consistently across the company but perhaps they should consider a nuanced approach to insider risk. That might be more demanding, particularly in large corporations, but the benefit is often a reduction of risk.
“There are certain personality types that are potentially more vulnerable in terms of cybersecurity,” says Widdowson, but it is possible to identify these groups using existing data. “Many organizations use personality testing in recruitment,” she explains, “and the same tests could also be used to look at those most likely to be vulnerable to cyber threats.
“For example, people who display a high degree of social compliance would likely be the ones willing to share their passwords or hold open office doors for strangers. They would also be the first ones on social media sharing some exciting but internal company news.
“You can also measure sense of duty. People with a high sense of duty are likely to be good at complying with cybersecurity procedures. So there are certain aspects of personality that you can measure.”
Ensure human factors are part of incident management analysis
When organizations analyze security threats or breaches, they often do so from a technology perspective. But a human factors approach should also be part of the toolbox, says Widdowson.
“All the cybersecurity tools will tell you that you need to do incident management, looking back at past incidents and analyzing them. In my experience, it’s quite rare to have a human factors expert involved in those investigation teams. However, this does add a valuable perspective.”
And even if such an expert is not available, individuals should always ensure they include a human factors checklist within their analytical framework, says Widdowson.
Click on Accept to agree or Preferences to view and choose your cookie settings.