From Weak Link to Defensive Line: People in Cybersecurity


Employees need to know how and where they are being targeted

When it comes to cybersecurity, it’s no secret that people’s actions loom large—both as liabilities and as potential solutions. From phishing emails to shadow IT, individuals—their mistakes and their ingenuity—are central to the story of data breaches. Learn what the numbers say and how organizations can manage this critical part of their security posture in the latest episode of Security by the Numbers with Exact Market.

Examining the Human Element

The 2024 Verizon Data Breach Investigations Report revealed that the human element was present in 68% of breaches [1]. These incidents range from phishing scams that mislead employees into clicking malicious links to accidental mishandling of sensitive data. People impacted the cost of a data breach in three key ways:

  • Shadow IT. Access to unofficial copies of company information stored outside IT’s control was implicated in 35% of breaches, and these breaches cost 16% more than average [2].
  • Stolen credentials. Breaches involving stolen credentials take an average of 292 days to identify and contain. That’s nearly a year of exposure, during which attackers can wreak havoc or simply watch and learn. The average cost of these breaches was $4.81 million [3].
  • Phishing. This common method for stealing credentials averages $4.88 million in damages. Combined, phishing and stolen usernames and passwords are the initial infection vectors for 27% of attacks [4].

Malicious insiders are a distinctly different category of threat. The Verizon report deliberately excludes this cohort from the tally of the human element, focusing on unintentional errors rather than deliberate, harmful intent [5].

Solutions That Work: Balancing Security with Usability

While the risks posed by human error are daunting, effective ways exist to mitigate them. The answer isn’t locking everything down to the point where employees can’t work efficiently—an approach that often leads to those riskier shadow IT practices—but instead, finding a balance between security and usability.

  1. Fortify your defenses with identity security. Multi-factor authentication (MFA) is a powerful tool, yet its adoption varies widely. Among large companies with over 10,000 employees, 87% use MFA. For medium-sized businesses (26-100 employees), adoption drops to just 34%. That’s alarming when you consider that 99.9% of compromised accounts did not use MFA [6, 7, 8].

    IT teams can go further to fortify their systems. Zero-trust network access (ZTNA) provides an additional layer of protection. By evaluating contextual signals such as user location or device type, ZTNA can block unauthorized access attempts even when valid credentials are presented. According to Gartner, 63% of organizations have at least partially implemented zero-trust strategies, but smaller businesses have significant ground to cover [9].

  2. Educate to empower: Building a security-first culture. Employees may groan at the thought of yet another training session, but education is essential. Phishing tests, while common, are just the beginning. Comprehensive security awareness training can teach employees to spot sophisticated social engineering tactics—even those augmented by deepfake technology—as well as good password hygiene and secure email practices.

Prepare Employees to Safeguard Your Business

People will always pose some level of cybersecurity risk, but they can also be a powerful defense. You can transform vulnerabilities into strengths by equipping your team with robust tools like MFA and zero-trust frameworks combined with comprehensive and adaptive training. Employees, when empowered, can become proactive protectors, reducing the likelihood of security incidents.

  1. Verizon, Verizon Data Breach Investigations Report, May 2024
  2. Ibid.
  3. IBM, IBM Cost of a Data Breach Report, Jul 2024
  4. Ibid.
  5. Verizon, Verizon Data Breach Investigations Report, May 2024
  6. Google and Mandiant, M-Trends 2024 Special Report, 2024
  7. Market.us Scoop, Multi-Factor Authentication (MFA) Market To Hit USD 49.7 Billion by 2032, Mar 2024
  8. Microsoft, Security at your organization: Multifactor authentication statistics, Aug 2024
  9. Gartner, Gartner Survey Reveals 63% of Organizations Worldwide Have Implemented a Zero-Trust Strategy, Apr 2024