As cyber threats keep growing, understanding and managing the human element of security is crucial. This brings us to the notion of Human Risk, a term often used interchangeably with Insider Risk. A closer look reveals real differences between the two, along with a broad spectrum where they overlap and interact.
What is Human Risk?
Human Risk is the cyber risk that arises from the actions and omissions of an organisation's own people: mistakes, policy violations, and susceptibility to manipulation by outsiders. Human Risk Management (HRM) is the user-focused discipline of understanding, reducing and monitoring that risk without sacrificing budget, staff productivity or IT resources. It goes beyond traditional security awareness training by combining measurement, targeted education and ongoing monitoring so that employees become a dependable line of defence rather than the weakest link.
It is also worth being clear about what Human Risk does not mean. It is not about physical danger to individuals; it is specifically the cyber risk that emerges from human actions or oversights within an organisational setting.
The Human Element in Cybersecurity
- Human Errors: Mis-sent emails, mis-set sharing permissions, forgotten or reused passwords, attachments opened from unknown senders. Such mistakes are inevitable and individually look minor, yet they can have grave consequences. IBM's Cyber Security Intelligence Index is widely cited for the finding that around 95% of security incidents involve human error as a contributing factor.
- Rule-breaking: Sometimes employees knowingly circumvent security controls, for instance by sharing sensitive data with unauthorised individuals, moving files to personal accounts, or choosing weak passwords to get around a policy. Each such shortcut raises the likelihood of a data breach.
- Manipulation: Employees are routinely targeted by criminals who find it easier to deceive a person than to defeat a control. Phishing and other social-engineering techniques turn an employee's legitimate access into the attacker's entry point into the company's systems and data.
Examples of Human Risk
- Dallas Police Department Database Leak (2021):
- Incident: An IT employee mistakenly deleted around 8.7 million files that the Dallas Police Department had collected as evidence, resulting in significant data loss.
- Consequences: Almost 23 terabytes of data were erased, affecting around 17,500 cases and slowing some prosecutions.
- Root Cause: The IT worker did not follow the required procedure and lacked adequate training for handling the files, leading to the inadvertent deletion. No malice was involved; this is pure human error.
- Marriott Data Leak (2020):
- Incident: In early 2020 attackers used the login credentials of two employees at a franchise property to access a guest-information application, exposing the records of about 5.2 million guests.
- Consequences: Notification and remediation costs and further regulatory scrutiny. This incident is distinct from the earlier Starwood reservation-database breach (disclosed in 2018), which affected up to 339 million guest records and for which the UK Information Commissioner's Office fined Marriott £18.4 million under GDPR in October 2020.
- Root Cause: Compromised employee credentials. An attacker holding a legitimate user's credentials is indistinguishable from that user, so credential hygiene and strong authentication are as much a human-risk control as an anti-intrusion measure.
- Theft of Trade Secrets at Elliott Greenleaf (2021):
- Incident: The firm alleged that four attorneys departing for a competitor copied confidential files and deleted them from the firm's systems for their own benefit.
- Consequences: The firm reported losing a significant body of work product and correspondence, damaging its competitive position in Delaware.
- Root Cause: According to the firm, the actions were planned over roughly four months and carried out using the lawyers' ordinary access, which is what makes insider threats so hard to spot before the damage is done.
Human Risk and Insider Risk: Two Sides of the Same Coin?
Human Risk and Insider Risk are related, but they have distinct definitions:
- Insider Risk encapsulates data exposure events like loss, leak, theft, sabotage, or espionage jeopardising the well-being of a company and its stakeholders. Unlike Insider Threat, which zeros in on specific malicious users, Insider Risk primarily focuses on data and intellectual property.
- Insider Threat is a manifestation of Insider Risk when a user acts with malicious intent. Every Insider Threat begins as an Insider Risk, but not all Insider Risks escalate to become Insider Threats.
The Overlapping Spectrum
All insiders pose a risk because of the access they hold to the organisation's data and systems, but only some ever become threats. Insider Threat is therefore a subset of Insider Risk. Human Risk is the broader category still: it covers every way a person's actions can harm security, including honest mistakes and being manipulated by an outside attacker, whether or not data is exposed. Insider Risk is the part of that spectrum where an insider's access puts data at risk, and Insider Threat is the part where the intent is malicious.
Tackling Human and Insider Risks
Addressing both Human and Insider Risks necessitates a holistic approach encompassing robust policies, continuous education, and a culture of awareness and accountability.
- Educational Programmes: Implementing ongoing educational programmes to enhance employees’ understanding of security policies, potential threats, and best practices.
- Behavioural Analysis: Using monitoring tools to compare what employees actually do (files deleted or downloaded, systems accessed, hours of activity) against each person's normal pattern, so that risky deviations are spotted before they escalate into incidents. Monitoring should be proportionate and transparent: its purpose is to catch mass deletions, bulk exfiltration and compromised accounts, not to surveil ordinary work.
- Creating a Culture of Accountability: Fostering a culture where employees are encouraged to report suspicious activities and are held accountable for their actions in adherence to the organisation’s security policies.
- Employing Technology: Human Risk Management platforms can automate the cycle of identifying which users carry the most risk, targeting education and controls at them, and tracking whether the risk actually falls.
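To make the Behavioural Analysis point concrete, and to show how the Dallas mass deletion and the Elliott Greenleaf bulk exfiltration would both surface, here is an added example of baseline-and-deviation detection over file-activity audit events. It is illustrative code written for this article, not code from the original page or from any HRM product. The tab-separated log format, the user names, the business-hours window and the thresholds are all assumptions; the audit lines are constructed in `constructed_log()`.

```python
"""Behavioural baseline for file-activity audit logs.

Added example for this article; not code from the original page or from any
Human Risk Management product. The tab-separated log format, user names,
business-hours window and thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, date
from statistics import mean, pstdev
from typing import Iterable

# Constructed line format: "<ISO-8601 UTC timestamp>\t<user>\t<action>\t<path>"
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 UTC is a normal working hour
Z_THRESHOLD = 3.0               # flag a day more than 3 sigma above the user's baseline...
MIN_COUNT = 10                  # ...that also has at least this many events (ignores 1 vs 0)
WATCHED = ("delete", "download")  # actions that matter for loss and exfiltration


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str


@dataclass(frozen=True)
class Finding:
    user: str
    day: date
    action: str
    count: int
    baseline_mean: float
    off_hours_share: float   # share of that user's events that day outside BUSINESS_HOURS


def parse_line(line: str) -> Event:
    ts, user, action, path = line.rstrip("\n").split("\t")
    # Older fromisoformat() rejects a trailing "Z", so spell the offset out.
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, path)


def constructed_log() -> list[str]:
    """Synthetic audit lines: five routine days, then one day with two anomalies."""
    lines = []
    routine_deletes = [2, 3, 4, 2, 3]     # alice (IT) retires a few old backups daily
    routine_downloads = [5, 6, 5, 7, 5]   # bob (lawyer) pulls a handful of documents daily
    for i, (d, n) in enumerate(zip(routine_deletes, routine_downloads), start=1):
        for k in range(d):
            lines.append(f"2021-04-{i:02d}T10:{k:02d}:00Z\talice\tdelete\t/archive/old-{i}-{k}.bak")
        for k in range(n):
            lines.append(f"2021-04-{i:02d}T14:{k:02d}:00Z\tbob\tdownload\t/matters/m{i}/doc-{k}.pdf")
        lines.append(f"2021-04-{i:02d}T11:00:00Z\tcarol\tread\t/wiki/handbook.md")
    # Day six: alice wipes an evidence share at 03:00; bob bulk-downloads client matters at 22:00.
    for k in range(25):
        lines.append(f"2021-04-06T03:{k:02d}:00Z\talice\tdelete\t/evidence/case-1001/item-{k}.bin")
    for k in range(30):
        lines.append(f"2021-04-06T22:{k:02d}:00Z\tbob\tdownload\t/matters/all/client-{k}.docx")
    # dave has no history at all; two downloads must not produce a finding.
    lines.append("2021-04-06T12:00:00Z\tdave\tdownload\t/onboarding/welcome.pdf")
    lines.append("2021-04-06T12:05:00Z\tdave\tdownload\t/onboarding/policies.pdf")
    return lines


def daily_counts(events: Iterable[Event]):
    """Return {(user, action): Counter{day: count}} for watched actions,
    plus {(user, day): [hour, ...]} over all of that user's events."""
    counts: dict = defaultdict(Counter)
    hours: dict = defaultdict(list)
    for e in events:
        if e.action in WATCHED:
            counts[(e.user, e.action)][e.ts.date()] += 1
        hours[(e.user, e.ts.date())].append(e.ts.hour)
    return counts, hours


def detect(lines: Iterable[str], score_from: str) -> list[Finding]:
    """Score each (user, action, day) on or after score_from (ISO date) against
    that user's own earlier days. Days before the cutoff form the baseline."""
    cutoff = date.fromisoformat(score_from)
    counts, hours = daily_counts(parse_line(l) for l in lines)
    findings = []
    for (user, action), per_day in counts.items():
        history = [c for d, c in per_day.items() if d < cutoff]
        mu = mean(history) if history else 0.0
        # Floor the spread at one event/day: a perfectly regular or empty history
        # must not make every deviation look infinitely significant.
        sigma = max(pstdev(history), 1.0) if history else 1.0
        for day, count in sorted(per_day.items()):
            if day < cutoff:
                continue
            z = (count - mu) / sigma
            if z > Z_THRESHOLD and count >= MIN_COUNT:
                hs = hours[(user, day)]
                off = sum(h not in BUSINESS_HOURS for h in hs) / len(hs)
                findings.append(Finding(user, day, action, count, round(mu, 2), round(off, 2)))
    findings.sort(key=lambda f: (f.day, f.user, f.action))
    return findings


if __name__ == "__main__":
    for f in detect(constructed_log(), "2021-04-06"):
        print(f)
```

Run as a script, it reports two findings for 6 April: alice's 25 deletions against a baseline of 2.8 per day, and bob's 30 downloads against 5.6 per day, both with every event outside business hours. Carol is never scored because reads are not watched, and dave produces nothing because two events never clear the absolute floor even with no history. In a real deployment the baseline would come from weeks of data and the per-user sigma floor would be tuned per role, but the shape of the check is the same.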
Acknowledging the complexity of the human factor is the first step towards fortifying organisational defences against both internal and external threats. Organisations that understand where Human Risk and Insider Risk differ, and where they overlap, are better placed to choose controls that fit each part of the spectrum and so protect their most valuable assets.