Why Human Risk Management is Key to Data Protection

Written by John Scott, Lead Cyber Security Researcher for CultureAI

Personal data is constantly being processed and transferred in numerous ways – whether in healthcare applications, store loyalty programmes, during purchases or while browsing online. With such a vast amount of personal data in circulation, the likelihood of errors occurring is heightened.

It feels like almost every day we hear a story of another company being breached – with data being stolen by cybercriminals looking to steal an individual’s identity, access accounts or commit fraud. Things are also getting easier for cybercriminals, thanks to technology advancements like generative AI assisting with more convincing phishing emails and deepfake content.

So, what should companies do to protect their data? If you work for, or own, an organisation that manages other people’s data, what actions should you take?

Understand that human error is inevitable

Research such as the annual Verizon Data Breach Investigations Report (DBIR) shows that the human element is a significant factor in 74% or more of breaches. Bluntly, people make mistakes, and cybercriminals know what to do to exploit those mistakes. That isn’t to say that the people in organisations are the weakest link. In fact, they can be one of the strongest defences if given the right support, training, and tools to help protect the data.

When it comes to managing human risks, you likely already possess all the data necessary to get started. But an effective strategy for approaching human risk management needs to be put in place. A three-step approach of monitor, reduce, fix provides a useful framework: start by analysing the data on the risks that employees are causing, coach them to reduce the likelihood or severity of incidents, and then fix the issues raised automatically or nudge people to fix them directly.

Organisations that do well at protecting personal data tend to have a positive attitude towards security – what we’d call a strong security culture. One of the key indicators of a strong security culture is when people in organisations are not afraid to come forward when they have made a mistake. If colleagues feel safe, knowing that they won’t get blamed for an honest mistake and that their organisation is going to work with them to rectify the problem, then they will tell you what needs to be fixed.

But what if they don’t feel safe? As Sidney Dekker said in ‘The Field Guide to Understanding Human Error’ – when there is a punitive culture, where people feel they will be punished for making mistakes, they don’t stop making errors, but the company might well stop finding out about them until it’s too late to fix them.

How can human risk management help to create a strong security culture?

1. Encourage people to slow down

One of the times when mistakes are most likely to occur is when people are in a hurry. It doesn’t matter how much training they’ve had, if they are rushing to meet a deadline, it’s easy to cut corners or not be fully focused on security. So, encourage people to slow down and double-check, even if that delays things a little. It’s better in most cases to do something safely, rather than swiftly.

2. Prompt rather than train

Most people must take mandatory security training each year, but there’s very little evidence that this has any impact on their behaviour. Instead, why not prompt people when they’re doing something particularly risky, using nudges or other interventions to get them to think about what they’re doing?

3. Raise awareness, but don’t scare people

When informing colleagues about a new risk or threat, ensure they are very clear on how they can effectively manage that threat. There’s no point in telling people to avoid a no-click zero-day text message – they might not even know what that is, and even if they do, they can’t avoid having messages sent to them. The important thing is that they know what to do if they see something suspicious.

4. Watch for mistakes, and help colleagues fix them

Tired and stressed people make mistakes – and just telling them not to, or shouting at them if they do, doesn’t fix anything. An effective human risk management platform will integrate with the organisation’s existing technology stack and flag any mistakes, such as sharing personal information in public chat channels or reusing passwords across SaaS applications – and automatically nudge the person carrying out that risky behaviour to help them fix it.
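As an added illustration of the monitor, reduce, fix loop described above (example code written for this article, not CultureAI’s platform), the block below runs two simple detections over constructed sample events, PII posted in public chat channels and one password fingerprint used across several SaaS apps, and turns each finding into a nudge addressed to the person, telling them what to do. The event format and the password “fingerprint” field (assumed to come from a hypothetical browser extension that stores a salted hash, never the password) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data). Chat messages carry a "public" flag;
# login events carry a per-app password fingerprint from a hypothetical extension.
CHAT_EVENTS = [
    {"user": "alice", "channel": "#general", "public": True,
     "text": "Customer callback: jane.doe@example.com, 07700 900123"},
    {"user": "bob", "channel": "#dm-bob-carol", "public": False,
     "text": "Ring me on 07700 900456"},          # private channel: not flagged
    {"user": "carol", "channel": "#random", "public": True, "text": "lunch at 1?"},
]
LOGIN_EVENTS = [
    {"user": "alice", "app": "crm.example", "pw_fingerprint": "f1"},
    {"user": "alice", "app": "hr.example", "pw_fingerprint": "f1"},   # same as crm
    {"user": "alice", "app": "wiki.example", "pw_fingerprint": "f2"},
    {"user": "bob", "app": "crm.example", "pw_fingerprint": "f3"},
]

# Deliberately narrow patterns: an email address and a UK mobile number.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}

def flag_public_pii(events):
    """Monitor: (user, channel, kinds) for each message posting PII to a public channel."""
    findings = []
    for ev in events:
        if not ev["public"]:
            continue
        kinds = sorted(k for k, p in PII_PATTERNS.items() if p.search(ev["text"]))
        if kinds:
            findings.append((ev["user"], ev["channel"], kinds))
    return findings

def flag_password_reuse(events):
    """Monitor: (user, apps) wherever one fingerprint is used for two or more apps."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> fingerprint -> {apps}
    for ev in events:
        seen[ev["user"]][ev["pw_fingerprint"]].add(ev["app"])
    return [(user, sorted(apps)) for user, fps in seen.items()
            for apps in fps.values() if len(apps) > 1]

def build_nudges(chat_events, login_events):
    """Reduce/fix: a message to the person that says what was found and how to fix it."""
    nudges = []
    for user, channel, kinds in flag_public_pii(chat_events):
        nudges.append(f"@{user}: your message in {channel} contains {', '.join(kinds)}. "
                      "Please delete it and share the details via a private channel or ticket.")
    for user, apps in flag_password_reuse(login_events):
        nudges.append(f"@{user}: the same password is used for {', '.join(apps)}. "
                      "Please set a unique password for each; a password manager helps.")
    return nudges
```

The nudge goes to the person who made the mistake, in the moment, rather than to their manager, which is the non-punitive approach the article argues for.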

5. Reward the positive

Monitor for good behaviours and use recognition and reward to call them out to others. Your company might have an internal reward platform to use, or it might be possible to get the CISO to send a thank you email (copying in the colleague’s manager, of course). People gossip and tell stories – wouldn’t it be great if one of those stories was how nice the security team was?

To ensure robust data protection, a comprehensive, multi-layered approach to security should be adopted. Proactively managing human risk in real time promotes secure behaviours, minimising the impact of human errors.

This is best achieved by working with human risk management providers who understand human behaviour and have developed solutions to coach employees in the moment and automatically fix risks before they escalate into issues. Through this process, employees gain insight into the evolving threat landscape and the tools they need to respond adeptly when needed.