Engineering the human out of cybersecurity

Human error can play a large role in how a malicious actor gains access into a system. Current cybersecurity frameworks rely on employees being able to thwart cyber risks with basic training, but as cyber threats become more elaborate, it has become increasingly difficult for employees to successfully identify and avoid cyber risks.

Human error is a highly sought out result that cybercriminals depend on. According to Verizon’s 2024 Data Breach Investigations Report, 68% of data breaches in the past year were reportedly caused by human error, meaning that any employee that fell for a social engineering attack failed to keep confidential information secure. That could mean they clicked on a malicious link, gave login credentials over the phone, reused passwords or left their work computer open and unlocked in the middle of a café.

Companies need to begin restructuring and building cybersecurity controls to work with human limitations. A successful cybersecurity program works to reduce the dependency on the user to make the right decision, effectively engineering human error out of the equation. By understanding human nature, organizations can build controls that assume humans will make mistakes and works to mitigate those mistakes.

Applying human psychology

Cybersecurity controls need to change to work for humans. To do so, firms need to apply a basic understanding of human behavior into their controls.

Here are four ways a firm can restructure or build their cybersecurity controls around human behavior:

Expect clicks on malicious links.
Reduce access to data.
Minimize footprint with break glass access.
Eliminate passwords.

Expect clicks on malicious links

Malicious links have become more sophisticated and difficult for users to identify, allowing for more opportunities for sensitive information to be stolen. Cybersecurity training can help educate employees on ways to identify sketchy links, but it still leaves the door open to the chance an employee clicks on a malicious link. Organizations could instead shift towards a protected filter that can verify links employees click on, or block users from being able to click on links. A link safety filter could help reduce the potential chance an employee falls victim to a malicious link.

Reduce access to data

Granting a firm open access to every file increases the opportunity that a malicious actor can penetrate and steal information within a system with any set of credentials. Firms need to reduce employee access to data by first organizing and labeling datasets. After organizing, access can be specifically distributed to the role each employee plays within the firm. Employees should only have access to files related to the work they perform.

Minimize footprint with break glass access

In tandem with reducing access to data, firms should consider minimizing the time that employees can access sensitive files and data. Break glass access, a procedure that provides time-limited, elevated access to a user with lower access credentials, is normally used for emergency cases. In this method, implementing this procedure regularly would allow organizations to take an extra, precautionary step to authenticate those who want to access confidential information, and minimize the amount of time they have access. This would allow for additional security on a day-to-day basis by having employees prove their identity before accessing sensitive files and providing a time limit for how long they can view files — which could be helpful if a malicious actor were still able to gain access to these files.

Eliminate passwords

Compromised passwords are commonly used for a malicious actor to infiltrate an organization. According to IBM’s 2024 X-Force Threat Intelligence Index, there was apparently a 71% increase from 2022 to 2023 in cyberattacks that used stolen or compromised login credentials.

Passwords are naturally difficult to remember, especially as they become more complex. Instead of asking employees to be better at securing complicated passwords, replace passwords with other authentication methods that could be easier for employees to use and more difficult for malicious actors to manipulate. Implementing authentication tools like biometric logins, such as the 1:1 authentication used for iPhones, can help reduce the chance a malicious actor uses stolen login credentials to penetrate a system.

Keeping up with emerging threats

Cyber criminals are likely to target employees and lean on human error to enter systems. New and more sophisticated emerging threat vectors will require additional education and support to avoid human error. Cybersecurity controls must be constantly evaluated to ensure they can withstand new and upcoming threats, especially those that target employees.

Opening channels of dialogue with fellow IT teams and security professionals can help organizations maintain successful cybersecurity controls. Not all controls are built the same, so its important to build community within cybersecurity circles to help combat rising cybersecurity risks.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.