Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
7 November 2023

Why Human Risk Needs to be a Top Priority

Why one of your biggest security risks is human

Did you know that as many as 88% of data breaches are the result of human error? You may be investing in the most robust and up-to-date security technologies around (as you should), but these are often rendered ineffective by poor awareness or security understanding by your workforce.

The scale of the risk that workforces pose from a cybersecurity perspective is often overlooked. Many organisations find themselves in one of two situations: they don’t address the human side of security adequately, or they pretty much don’t do it at all. In this blog, we’ll take a look at why the traditional approach isn’t working, and how the concept of ‘human risk’ should be applied to create a secure culture.


What’s wrong with the traditional approach?

Many traditional forms of cyber-security training don’t really cut the mustard, and on closer inspection, it’s easy to see why. Far too often, it’s still treated as a tick-box exercise, something that employees do once a year strictly for compliance purposes. Only after something goes wrong is greater focus given to this crucial area, and a reaction (or punishment) considered necessary.

Additionally, audits often concentrate solely on basic training and phishing awareness, and won’t cover other human-related vulnerabilities like forwarding sensitive work emails to personal addresses. And many businesses don’t have the expertise in place to know that the solutions they have aren’t sufficient to cover every foreseeable risk.

Thankfully, times are finally changing. Security professionals have realised that, as difficult as it may be, a more comprehensive approach is needed - not only to security technology, but also around a more proactive, engaging mindset for human security practices.


Introducing secure culture 

That new mindset is represented by the concept of human risk and creating a secure culture. Instead of treating security best practice as a function, this concept involves embedding that best practice within the psychology of a workforce so that it becomes second nature.

To achieve this, it’s important to understand how human risks materialise, what can be done to prevent them, and how this fits into the overall cybersecurity control framework. Then you can empower individuals with the knowledge and processes to manage the risk themselves.

Certainly, a security training platform is a good place to start in building the knowledge base among the workforce. However, properly addressing human risk requires a deeper, layered approach, and should also include practices like looking at security incidents from all angles to understand the frequent root causes behind them. The findings from these investigations can then be risk-assessed, and improvements recommended based upon them.


Why creating a secure culture is the way forward

When employees understand the security risks they’re vulnerable to, understand the consequences of them, and know what actions to take to avoid those risks, it becomes far easier to embed a secure culture throughout an organisation. That culture can be built on three pillars:

  • Effectiveness: increased levels of employee compliance, embedding compliance into business practices, and therefore lowering costs of managing human risk
  • Engagement: better quality of employee understanding through enhanced perceptions of control functions, supported by smart frameworks that enable business
  • Sustainability: flexible frameworks that meet business specifics allow the right balance of security and productivity to be struck, even as environments change

Ultimately, the above represents a significant departure from the security approaches of old, and so it’s natural that such a change of mindset can be difficult for businesses to deal with. However, the importance of addressing these risks and avoiding the costly consequences of a breach makes it a necessary step.

It’s the businesses that are forward-thinking in looking at security through the prism of human risk management that will be best placed to stay secure in the months and years ahead. They will also be signalling to their employees, customers and other stakeholders that they take the human side of security seriously, which can help strengthen their brand and reputation.

So while an employee clicking on a seemingly harmless link in an email may sound relatively trivial, it represents one of the biggest challenges in business today - one that the concept of ‘human risk’ can help solve.

Find out more about creating a secure culture in our on-demand webinar: “Mitigating Human Risk: How to build a secure culture”. Watch on-demand to explore how to identify human risk, how risks can be mitigated with existing tools, what a controlled human risk culture looks like, and much more.