Interview: Joseph Carson Discusses How Organizations Can Mitigate Human Error

Joseph Carson, chief security scientist at ThycoticCentrify

Employee error and risky behaviors have always been a significant cybersecurity headache for organizations, and the shift to hybrid working has only exacerbated this issue. Numerous studies have highlighted the scale of bad security habits and behaviors during the crisis, such as the growing use of insecure personal devices to access corporate systems and poor password habits. This can largely be explained by reduced access to IT teams and the additional stresses and distractions many employees face while operating from home.

In this scenario, it is easy to point the blame at individual staff members, but it is undoubtedly more productive to delve into the causes of these errors. Security teams can then take these findings and adapt their tools, policies and training accordingly. To discuss these topics in detail, Infosecurity recently spoke to Joseph Carson, chief security scientist at ThycoticCentrify.

Recent research from ThycoticCentrify found that 79% of employees have engaged in at least one risky behavior in the past year, such as bad password hygiene. How dangerous are such behaviors to an organization’s security?

The risks taken by employees are extremely dangerous to an organization’s security. For example, sending sensitive information to personal devices or storing passwords in browsers with no additional security controls can lead to catastrophic security incidents. Currently, more than a third of employees continue to save passwords within their internet browsers on most or all of their devices. If an attacker were to gain access to one of those devices, they would have the key to unlock the treasures hidden amongst the rest.

Workers often settle for the default settings in their browser security, despite this not being an effective level of protection. For example, a user simply has to click the ‘reveal password’ button in the browser, and the secret is quickly revealed without any additional security controls. It might be easy for the employee, but it’s even easier for an attacker. Security by design is an important concept, but it is useless until we make it security by default.
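The "security by default" point above, as an added example that is not part of the interview or ThycoticCentrify's own material: a POSIX shell script that deploys managed browser policies disabling the built-in password store (the real `PasswordManagerEnabled` policy for Chrome and Firefox, written to their standard Linux managed-policy paths) and audits whether the setting is in force. The `deploy_policies`/`audit_policies` function names and the `no-browser-passwords.json` file name are this example's own choices.

```shell
#!/bin/sh
# Added example: turn "security by design" into "security by default" by disabling
# browser-native password saving through managed policy, then auditing the result.
# The root argument lets you stage into a scratch directory ("" deploys to the real paths).
set -e

deploy_policies() {
    root="$1"
    mkdir -p "$root/etc/opt/chrome/policies/managed" "$root/usr/lib/firefox/distribution"
    # Chrome reads every JSON file in the managed directory; false blocks saving and autofill
    printf '{\n  "PasswordManagerEnabled": false\n}\n' \
        > "$root/etc/opt/chrome/policies/managed/no-browser-passwords.json"
    # Firefox uses the same policy name, nested under the "policies" object
    printf '{\n  "policies": {\n    "PasswordManagerEnabled": false\n  }\n}\n' \
        > "$root/usr/lib/firefox/distribution/policies.json"
}

# Returns 0 only if the given policy file explicitly sets PasswordManagerEnabled to false;
# a missing file or the browser default (saving allowed) counts as the weak setting.
policy_disables_passwords() {
    grep -Eq '"PasswordManagerEnabled"[[:space:]]*:[[:space:]]*false' "$1" 2>/dev/null
}

# Reports each browser's status; returns 1 if any endpoint still allows browser password saving
audit_policies() {
    root="$1"
    status=0
    for f in "$root/etc/opt/chrome/policies/managed/no-browser-passwords.json" \
             "$root/usr/lib/firefox/distribution/policies.json"; do
        if policy_disables_passwords "$f"; then
            echo "OK   $f"
        else
            echo "WEAK $f (browser password saving still allowed)"
            status=1
        fi
    done
    return $status
}
```

Pair the policy with a managed password manager so that the secure path is also the easy path; the audit is only meaningful once users have somewhere else to keep credentials.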

What do you believe is driving such behaviors?

Above all else, it’s the balance between productivity and security. So when employees are faced with tough choices between getting the job done and accepting delays, they will take the easy path – sacrificing security to get the job done.

Another reason employees may adopt risky behaviors is the false sense of security that the IT and security teams have them covered 24/7. However, our survey did reveal that 86% of respondents agreed that they have a personal responsibility to ensure they do not expose their organization to cyber-threats. This overarching sense of responsibility suggests that any risky behavior is not conducted intentionally but is more likely due to a lack of training and awareness. As employees are a top target for cyber-criminals, a strong communication plan must be part of your cybersecurity strategy.


Do you think organizations need to adapt their user awareness training in light of the shift to hybrid working? If so, what techniques are most effective?

Absolutely, security awareness training (SAT) is critical so that employees know their responsibility and what the security team protects them from. Given many employees assume the company security team is keeping them protected, greater education is needed. 

Traditional security awareness training focuses on enforcement rather than how individuals should conduct their business safely. Instead, a more comprehensive SAT approach aims to educate employees on the risks and how to reduce their chances of falling victim in the first place. Informing individuals of what a phishing email looks like is one thing, but actually training them on how to behave and deal with these risks takes security to the next level. Making security usable and transparent is a top priority.  

What other methods can be used to encourage employees to take more responsibility for their organization’s cyber-safety?

Organizations must focus on usable security solutions that work in the background and help the employee get the job done so that the easy path becomes the secure path. This involves providing the necessary information and tools to allow workers to take control of their own security. If it becomes second nature for them, teams will feel comfortable leaving them to it.

Organizations need to make the security measures as accessible as possible so that employees can install, deploy and manage the tools with ease. Above all else, the most effective way of establishing a natural security culture is to align all security goals with the business objectives and reinforce the confidence amongst employees to ask for help if they need it. Allocated mentors are a good way of enforcing this mindset, as they can be on hand to steer individuals in the right direction and connect all the dots if some remain unsure.  

Can IT/security teams do anything differently to help develop a strong cybersecurity culture throughout their organization?

IT security teams must prioritize security solutions that are usable and help reduce cyber fatigue, such as moving passwords into the background and using solutions such as privileged access security that help employees focus on getting the job done while accessing systems and data securely, without the need to take risks.

To establish a strong security culture, teams can demonstrate how they’ve successfully prevented cyber-attacks, giving the rest of the company an insight into the measurable benefits secured, including revenue saved. Security is often associated with negative connotations, such as when an attack occurs and the race to mitigate the damage. It’s therefore essential to acknowledge the successes at the same time. Security teams can also promote a cyber ambassador within other business areas to bridge the gap between security and other departments.