Dec. 14, 2022Human Factor
Strengthening enterprise cybersecurity through people
Sylvan Ravinet
Aware of the chaotic scope of cyber attacks and the weakness of their cybersecurity, managers no longer hesitate to make substantial financial efforts and recruit excellent experts to protect themselves against them. But in this quest for resilience, they tend to neglect the crucial role of the first actors in the field of cybersecurity: the employees.
Cyber attacks: the undeniable weight of human failures
With the widespread use of cutting-edge technologies (AI, 5G, robotics, etc.) and the digitalization of all industries, the issue of cybersecurity is attracting a great deal of attention from public and private sector executives. Within the CAC40, investments allocated in this area can reach hundreds of millions of euros, particularly in the financial sector, which is extremely exposed to cyber threats. Is this good news? Yes, but only half the story! According to Gartner, only 1% of companies' cybersecurity budgets are devoted to human resources. However, insurers are now formal: 70 to 90% of cyber attacks reported to them are due to human failures... Most of the budgets are now devoted to technological investments or control processes. Obviously essential, protection and detection tools are not able to anticipate all threats or all behaviors. All too often, they are of no use to the employees of a company, the people on the ground whose daily decisions have a direct and undeniable impact on cybersecurity.
The urgent need to instill a "cybersecurity culture"
The cyber claims report recently published by insurer Hiscox estimates that in 2019, 67% of companies were victims of cyber-attacks and only 10% were able to deal with them. As in the case of the Bangladesh bank attack or the Antwerp port attack, the hackers combine a very sophisticated cyber know-how with a thorough knowledge of the targeted businesses and processes. They are skillfully pragmatic and do not care about the organizational or political choices of their victims. To counter them, cybersecurity needs to be considered from all angles, with the indispensable intersection of the visions of technical, risk, sectoral, business and functional experts. In short, navigating the torrents of cyber threats with resilience is such a complex and daunting affair, that it requires the involvement of all stakeholders in this fight. Since January 2018, the World Economic Forum has been calling on leaders to directly address the topic of building a culture of cybersecurity at all levels of an organization. An urgency highlighted by many institutions such as the European Court of Auditors (ECA) and the European Cybersecurity Agency.
Transform employees into committed cybersecurity actors
The new strategies of companies that have suffered a major attack, such as Equifax, an American financial rating company, prove it: cybersecurity must be readable and accessible to everyone. Raising employee awareness through a few e-learning sessions and phishing tests is neither engaging nor sufficient, and does not allow us to measure cybersecurity performance within the business. Cybersecurity must be perceived as a strong societal issue that everyone must grasp, just as eco-responsibility is now anchored in the daily practices of employees. We need to encourage them, train them, and give them the IT and organizational means to adopt the right behaviors, to react quickly in case of an alarm, and to know how to sound the alarm in case of a possible incident. With the help of fun tools, they should be able to better understand cyber matters, to measure their progress and to progressively invest themselves in the cyber world. The worst enemies of cybersecurity are not common criminals or hackers from rogue states, but ignorance and complacency. By taking the path of empowerment, it is likely that within 10 years, cyber security will be a common and democratized skill within companies.