By Assistant Professor Dr Timothy Yap

As our lives become increasingly digital, from online banking and social media to remote work and cloud storage, the importance of robust cybersecurity measures cannot be overstated.

Cyber threats pose significant risks to individual privacy, financial stability, and national security.

In recent times, the significance has become apparent, and there is a push for more to be done in the space as cybersecurity threats and attacks have become more prevalent, be it data breaches, phishing, identity thefts, or malware. This has led to substantial investments in tools and software defences and, last but not least, the nurturing of human resources and talent in the space.

Advancements in cybersecurity tools, software defences

Over the past years, there have been substantial advancements in cybersecurity tools and software defences. Innovations such as artificial intelligence (AI) and machine learning have revolutionised the way we respond to cyber threats through sophisticated anomaly and malware detection, as well as threat hunting, to name a few.

Advanced encryption techniques and multi-factor authentication have also strengthened the security of data transmission and access control. These tools have made defence against cyber threats more efficient than ever before, but despite all this, successful attacks are still looming and growing. The human element continues to be the weakest link, and this will continue to happen until it is strengthened.

No matter how sophisticated the technological defences are, they can be easily undermined by human error and unpredictable behaviour. Humans are inherently susceptible to social engineering tactics, such as phishing attacks, which exploit psychological manipulation to deceive individuals into divulging confidential information or performing actions that compromise security.

A report by IBM highlights that phishing remains the lead infection vector, a factor of 41 per cent of all incidents remediated, emphasising the critical role that individuals play in the overall security landscape (IBM, 2023).

Human error

In a security context, human error refers to unintentional actions or omissions by employees and users that result in, facilitate, or permit a security breach to occur. This encompasses a wide range of user behaviours, from downloading malware-infected files to using weak passwords, which makes it challenging to address.

The increasing complexity of work environments, with a growing number of tools and services used, leads employees to take shortcuts by relying on multiple usernames, passwords, and other credentials. Furthermore, the constant threat of cyber criminals employing social engineering tactics further complicates the situation, as employees can inadvertently provide sensitive information or credentials to malicious actors without the need for sophisticated cyber-attacks.

Verizon’s 2018 cybersecurity breach report identified misdelivery as a top-five contributing factor to security incidents (Verizon, 2018). With email users frequently relying on automated assistance like address auto-complete, inadvertently sharing sensitive data with unintended recipients is an ever-present risk that companies must address.

Additionally, according to the National Centre for Cyber Security's 2019 report, the findings indicate that the password ‘123456’ continues to be one of the most used passwords globally, and 45 per cent of individuals reuse the same password across other online services (National Cyber Security Centre, 2019).

The root cause of much human error in cybersecurity is the lack of user awareness and knowledge. Uninformed employees are highly vulnerable to phishing scams and public network breaches that expose their credentials. This deficiency in cybersecurity know-how is not the users’ fault, but rather the responsibility of the organisation to address by ensuring its end-users possess the necessary knowledge and capabilities to protect themselves and the business.

Continuous education and training

Some notable strategies to mitigate human error include regular training sessions to keep employees updated on the latest threat vectors and implementation of phishing simulations to test and improve employee vigilance. It is also noteworthy that company culture plays a role in cultivating security awareness and encouraging a security-first culture where employees feel responsible for their role in protecting organisational assets can lead to significant progress. IBM also noted that regular cybersecurity training and simulations were highly effective in reducing the incidence of phishing attacks.

It emphasises that people can learn significantly through experience, and activities based on this, such as simulated attacks and interactive training, can significantly improve employee response to real threats. At Heriot-Watt University, staff will intermittently receive an email of suspect origin sent by the Security and Compliance Team as part of the internal anti-phishing education campaign. By reporting a phishing email, staff will be greeted with a congratulatory note, as part of the gamification campaign to promote improved learning and retention and behavioural change.

Although technology can assist in cybersecurity defence, irrational and often unpredictable human behaviour necessitates a focus on enhancing human awareness and vigilance.

Continuous education and training, coupled with experiential activities like phishing simulations and interactive workshops, are paramount to bolstering overall cybersecurity efforts.

By fostering a culture of security awareness and equipping individuals with the knowledge and skills to recognise and respond to potential threats, organisations can significantly reduce the risk posed by human error.

-- BERNAMA

Assistant Professor Dr Timothy Yap is with the School of Mathematical & Computer Sciences, Heriot-Watt University Malaysia.