Turnkey Consulting | Key View

Four overlooked areas of human risk management

Written by Andrew Morris | 14 November 2023

In our previous blog, we explored the idea of human risk within a business, why it’s a common cause of cybersecurity issues, and why it should be considered a top priority.

We’ve found that many businesses still focus predominantly - or even exclusively - on the technological side of things when addressing security. Often, the likes of firewalls and endpoint protection are still relied upon to keep data, systems, and applications safe. 

However, no solution can be 100% effective, especially at a time when the capabilities of cybercriminals are advancing so quickly. When these solutions fail, it’s the humans within a business that are the next line of defence - and if they don’t have the right training or awareness to prevent a breach from being successful, then problems can mount up fast.

This is where human risk management - and an approach that goes beyond standard-issue security training - comes into play.

What is Human Risk Management?

Human Risk Management (HRM) refers to the identification and assessment of any risks associated with human-technology interactions, as well as the actions taken to mitigate those risks. 

It works in much the same way as risk management would work in other areas of a business, particularly human resources. In the case of HR, risk management focuses on areas such as recruitment, onboarding, offboarding and compliance, whereas in the case of IT and technology, it looks at how a business can be affected by the actions users take with any form of business-related technology.

HRM is especially relevant now that businesses are gradually realising that humans cause so many of their security and risk issues. As we discussed in the first blog, seven out of eight breaches are caused by humans, either through mistakes, actions, or inaction. HRM gives businesses an opportunity to address this problem by bringing employees into the security conversation, instead of just relying on software and security solutions to keep everything safe.


The commonly overlooked keys to HRM

What has become abundantly clear through HRM is that the traditional approach to security awareness training - an email here and a reminder there - is no longer good enough (although it arguably wasn’t good enough before, either!). A much more comprehensive, consistent, and engaging approach is required to address risks and instil a culture of security best practice across the workforce. Basic security awareness is a part of that, but there is much more to be done, including covering these often-overlooked areas:

Going beyond box-ticking: security can no longer be considered a tick-box exercise with a light-touch approach to training, testing, and reviewing. Instead, employees need to be fully engaged with the concept of human risk, and that starts with a detailed individual assessment of their normal usage of technology, and identifying any risks that their routine behaviours may pose.

Regular training: an occasional workshop isn’t an effective way to get employees to absorb information about cybersecurity and get new habits to stick. Additionally, the advice given could quickly become out of date as new threats continue to emerge. Instead of annual or quarterly security training, the better approach is ‘little and often’: for example, short courses of a few minutes delivered every fortnight or month, which build constant awareness without compromising day-to-day operations or productivity.

Tailored advice: some employees are stronger than others in different areas of security practice. For example, some are very disciplined with password strength, but don’t take sufficient care with links in emails - or vice versa. This is why tailoring training to the weaknesses of the individual is key, rather than a broad-brush approach that tells people to do things they’re already doing. Assessing where knowledge gaps lie, in the context of their job role, allows the training to be fine-tuned.

Measuring impact: it’s vital to quantify the success of any training given, so that you can build an understanding of just how effective it is. The starting point is to benchmark human risk maturity at the start of an HRM programme, then measure results such as training success rates and other security metrics to see how the risk profile evolves and (hopefully) improves.

Why now is the time to come together

There really is no time to lose in embracing HRM: according to Verizon, 95% of ransomware incidents now cause losses of US$1 million or more. Furthermore, despite the fact that human error is so prevalent, only 15% of users are changing behaviour based on security awareness training, according to the Information Security Forum.

The sooner you adopt HRM, the sooner you can better protect against all the threats that exist to your organisation. It can also help you move away from a blame culture where users shy away from security-related issues because they’re worried about being punished. HRM doesn’t seek to shame your workforce; instead, it aims to empower them to speak up and take ownership of your organisation’s security. Ultimately, security needs a new approach in the modern business world, and HRM ensures that users are taken along for the ride.

Our upcoming live webinar on December 6th will explore the keys to HRM, identifying human risks, and building a secure culture throughout your organisation. Register today to secure your spot.