Your tech tools won’t save you from cyber threats

A padlock resting on a keyboard.
(Image credit: Passwork)

The boards are finally recognizing the cybersecurity as a strategic priority for building resilience. Generative AI, escalating cyberattacks on supply chains, and persistent ransomware incidents are some of the key trends making it more difficult to keep enterprises secure.

Yet, many business leaders overlook the importance of equipping their workforce against these threats. Astonishingly, while 65% of directors expect a major cyberattack within a year, almost half admit their organizations are ill-prepared. This oversight is compounded by a lack of effective metrics to gauge workforce cyber capabilities, hindering timely skill development. The focus often leans heavily towards technological solutions, but a balanced, people-centric cybersecurity strategy is crucial in fortifying against cyberattacks.

Comprehensive preparedness: before and after the cyberattack

Utilizing an industry-standard cybersecurity framework, businesses can examine organizational readiness for scenarios both pre- and post-cyberattack, termed "before and after the boom."

The study conducted by Immersive Labs, involving both technical staff and executives shows that while companies are generally well-prepared for the initial stages of an attack, the skills required – and thus the preparedness needed – intensify significantly in the aftermath.

In short, defenders must expand their skillset to effectively counter "after the boom" tactics outlined in the framework. There's further risk that reliance on technology for detection may lead to underprepared workforces for these later stages.

For comprehensive risk mitigation, organisations need to be equipped for both the early and later stages of an incident. While many organisations focus on the initial, observations indicate a gap in preparedness for the mid to late stages of the attack lifecycle. Leaders must not underestimate the importance of capabilities required in these later stages, such as detecting and mitigating attackers’ efforts to maintain a presence within the network.

Max Vetter

VP of Cyber at Immersive Labs.

Adapting training to evolving threats

When research reveals that junior employees are tackling challenges that are, on average, 5% tougher than senior counterparts it becomes essential for leaders to formulate a plan to prevent complacency. This plan should focus on equipping everyone across their team through stimulating and quantifiable cyber drills aimed at fostering resilience.

Central to an effective cybersecurity strategy is the understanding of human psychology and the cultivation of a cyber-aware culture. Organizations falter when they overstress systems and processes, neglecting the crucial role of human action in countering threats. Human elements bring unique challenges; unlike systems, individuals grapple with recovery from setbacks and are prone to cognitive biases that can delay threat detection and hinder crisis response.

Cybersecurity is a field where one is never truly ‘done’– despite making strides, the onslaught of threats is relentless, and a single error can still have devastating consequences. This ongoing battle is not only costly for businesses but also exacts a significant toll on the mental wellbeing of those in the cybersecurity domain.

Simply put, nurturing a people-focused approach to cybersecurity isn't akin to fixing system flaws. It requires a concerted effort to foster a strong cybersecurity culture, one that doesn't emerge spontaneously but through deliberate, strategic, and ongoing efforts.

Taking a people-centric approach to training

In addressing people-centric cybersecurity, it's crucial to understand that this approach differs fundamentally from rectifying system or procedural weaknesses. It's about proactively preparing them through engaging cyber exercises that build resilience, moving beyond a sole reliance on technology.

The key lies in adopting a psychological perspective to foster cyber resilience in four key areas:

  • Adaptation: This involves adjusting thoughts and behaviours in response to cyber threats. Effective adaptation is crucial, enabling individuals to learn from errors and recognize their vulnerabilities to attacks, as opposed to counterproductive behaviors like denial or inflexibility. 
  • Confidence: This relates to an individual's belief in their ability to manage cyber threats, encompassing technical skills and emotional resilience. Building confidence is vital for organizational competence in facing cyber challenges. 
  • Communication: It’s vital for teams and individuals throughout the organizations to work together and communicate effectively before, during and after a crisis. 
  • Growth: Cyber threats, while stressful, offer opportunities for learning and self-improvement. Given that attackers often have the initial advantage, continuous self-development and a mindset of ongoing improvement are essential.

By focusing on building a cybersecurity culture that prepares individuals, organizations can enhance their cyber resilience, encompassing adaptation, confidence, social support, and growth, thereby bolstering overall defense.

By investing in training, companies can build a more resilient and prepared workforce, ready to tackle both present and future security challenges. This people-centric approach, coupled with the right technological tools, will empower organizations to stand firm against the evolving landscape of cyber threats, ensuring a safer digital future for all.

We feature the best Disaster Recovery service.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Max Vetter, VP of Cyber at Immersive Labs.