The human layer plays a critical part in both inside and outside threats. The standard approach to managing both these threats relies heavily on security solutions. But without equipping employees to understand their part and take an active role in defending against the threats, the conventional methods are more likely to fail.

Inside threats

Research by IBM Security and Ponemon Institute found that insider risk has been growing since 2016. It also comes with a high price tag. Even in small organizations with fewer than 500 employees, the average cost of insider incidents was $7.68 million in 2019.

Some of the common inside threats include:

• Negligent and careless employees or contractors — IBM’s research found that negligent insiders are the root cause of most insider-related incidents.
• Compromised credentials — with stolen credentials available freely on the dark web, gaining access through a compromised password is more effective than trying to break through a firewall.
• Inadvertent actions or errors — human-driven mistakes such as misconfigured databases or sensitive data stored in unsecure cloud applications create vulnerabilities that can have costly consequences.

Outside threats

Cyberattacks continue to escalate in frequency and magnitude. External actors are behind 70% of confirmed data breaches, according to Verizon’s 2020 Data Breach Investigations Report.

The most common outside threats targeting the human layer are social engineering and phishing. Whether used to propagate malware or steal credentials, phishing is a powerful weapon for threat actors — it’s the top type of threat action in a data breach, Verizon found.

Cybercriminals use social engineering and phishing to pray on human curiosity, carelessness, fear and various other emotions and behaviors that make it easy to breach the human layer. These tactics are effective — 74% of U.S. organizations surveyed by Proofpoint said they experienced a successful phishing attack in 2020.

Organizations can minimize the risks of the human layer with some security solutions, such as endpoint security and email filtering. However, addressing the root cause of the weaknesses in the human layer is a tough challenge without a strong security culture.

Creating a strong culture of security is the best way to get employee buy-in for your security objectives and efforts. And at the core of security culture is your cybersecurity awareness, education and training program.