Cybersecurity is a significant challenge for all sizes of organisations. Yet, the human element is still the weakest link in the chain. However, cybersecurity awareness and education for employees remain the lowest investment of an organisation’s spending on their security. Technical controls are the most significant investment. Solutions to improve network security such as intrusion detection systems, firewalls, and multi-factor authentication protect against a wide range of threats from outside of the organisation, but 90% of all threats are based on social engineering attacks that involve manipulation of human assets for financial gain. Cybersecurity professionals can even fall prey to these attacks as they become more sophisticated, exploiting human psychological vulnerabilities.

Humans are often unaware of how vital data is to an organisation and that there are huge risks attached to this data if it were to get into the wrong hands. Casual behaviour and simple mistakes such as clicking on a link in an email can lead to financial loss, reputation damage, and lost client confidence. With a more globally connected workforce and hybrid working becoming the norm, the risks of a cyberattack are growing exponentially as workers have even fewer security controls in place at home. Without supervision, they are much more likely to make mistakes, which could be disastrous to the organisation.1

How does a cybercriminal make use of human weaknesses? This typically comes in two forms. The first involves some kind of surveillance on their target. They then use the information obtained to tailor an attack on the business in the hope of gaining user credentials or some other sensitive information that they either sell back to the business or onto a third party. The second is more a hit and hope type of campaign. The attacker tries a more generic attempt, which is usually automated and in bulk, hoping to get lucky. These campaigns typically use a recent event, such as the global COVID-19 pandemic, to pull on the heartstrings of their target by creating a perfect environment for cybercriminals to gain an advantage in what we call fearware. Preying on fears of humans can entice users to click a link or download malware quickly. Cybercriminals use this practice to positively affect healthcare facilities at the beginning of the COVID-19 pandemic. Hackers sent phishing emails that contained malicious links. When the user opened these emails, clicked on these links, it then downloaded malware onto the device and encrypted the sensitive data of the facilities. Then the criminals requested payments to unlock the data, or they would delete it permanently.

To conclude, humans are the ones that built computers, designed software; they are both the attacker and the victim. Simply put, cyberattacks require humans to be effective2, and they also require humans to thwart them. Businesses need to lower the human risk, which starts with employee cyber awareness training.