Cybersecurity starts with us

Human risk is the risk that people introduce into processes. It is usually treated as a factor that creates vulnerabilities. With a change of approach, however, it can be turned into a protective factor, a ‘human firewall’.

According to INCIBE and ENISA, cybersecurity incidents have increased by around 24% over the last two years (ENISA 2024, INCIBE 2023). ENISA also considers the human factor to remain the weakest link (ENISA 2024), and most security breaches are attributed to human error, lack of training, or negligent attitudes (Liu and Lin 2022).

One of the most significant security events of recent years, the CrowdStrike incident, which took down 8.5 million Windows systems in July 2024 (Reuters 2024, Financial Times 2024), was not the result of a cyberattack but the consequence of human error. More recently, Clorox sued its IT provider, Cognizant, for alleged negligence: the attackers reportedly obtained administrator credentials simply by asking for them through the provider's support desk, with no malicious tooling at all, and used them to deploy ransomware. So how can the risks associated with human behavior be addressed effectively?

It would be convenient to contain those risks with technology alone, and in some cases technical controls do significantly reduce risky behavior. So why not base cybersecurity exclusively on technical measures? Wouldn’t it be more effective for corporate security to take care of security and for employees to take care of their jobs?

The answer is clear: there is a trade-off between security and operability. A completely secure environment cannot be guaranteed without compromising employee performance, so the human factor can never be eliminated entirely. Criminals know this and exploit it to achieve their goals. Technical measures can also fail, and when they do, people and organizations are left fully exposed.

This is where awareness plays a crucial role. Being aware of the risks that our own actions create, and of the situations that carry the greatest risk, provides a layer of protection that technology alone cannot offer. According to Alshaikh, Maynard, and Ahmad (2022), a high level of technical knowledge contributes to the adoption of safe practices, while risk awareness influences intention and action to a lesser extent. There are many situations in which employees’ understanding of risks and safe practices has direct consequences for security at BBVA, among them: relationships with suppliers; the complexity, custody and sharing of credentials; enabling two-factor authentication on every service; and strict compliance with protocols and procedures, especially those for verifying the identity of third parties.

In the age of artificial intelligence and personalized attacks, criminals develop and exploit new vulnerabilities every day, and in that scenario protection ultimately rests on people’s knowledge and level of awareness. According to Roberto Ortiz (BBVA 2020), Global Head of People Information Security at BBVA, the human factor has become the main tool for protecting organizations. However, Ortiz (2020) also points out that there is a shortage of professionals who combine skills in security, engineering, and data analysis, which makes adequate defense difficult in an environment of growing information volumes. In Ortiz’s words, security can even become a competitive advantage if it is designed around positive user experiences. The challenge is to adapt awareness to the reality and needs of each group.

A cross-cutting, multidisciplinary approach based on human risk management begins with policy and incorporates the human factor into the processes and procedures of the entire organization. According to INCIBE, the human factor is the most important link in security and can be kept under control with a good security policy (INCIBE 2018).