There is no silver bullet when it comes to cybersecurity. Attacks are inevitable, so it’s counterproductive to play the blame game and scapegoat security practitioners who are doing their best with the limited resources they have.

The realm of cyberspace is vast. We have created digital challenges and yet expect people to flawlessly navigate them, and every piece of technology in an organisation comes hand-in-hand with inherent risks.

So instead of placing the burden of risk mitigation solely on security teams, it is important to build a culture of security awareness, a workforce that is cyber-vigilant, and prevent end users from being digitally coerced by cunning threat actors.

Cancelling blame culture

As Alexander Pope once said, “To err is human”, and we need to acknowledge that everyone makes mistakes at some point. This is why it is essential to nurture a culture that encourages employees to understand and adhere to company protocols when it comes to cybersecurity. When staff members inadvertently click on a malicious link or download a suspicious file, they face a choice: either ignoring the mistake or taking responsibility and reporting it.

A blame-oriented cybersecurity culture discourages individuals from reporting their mistakes, which increases the risk of the threat causing real damage to the business. On the flip side of the coin, creating an environment that welcomes and encourages self-reporting can foster a transparent cybersecurity culture.

This, in turn, enhances vigilance among employees and promotes their active involvement, ultimately reducing the surface area that is vulnerable to cyberattacks.

Rather than subjecting employees to penalties for failing phishing tests, we should focus on developing a culture that empowers and supports a cyber-vigilant workforce. This approach will yield far better outcomes in terms of cyber risk reduction.

Where does the buck stop?

Who should be held responsible when a business falls victim to bad actors? The answer, as is often the case in cybersecurity, is that it depends. It has become painfully clear that simply instructing users not to click on malicious links or fall for social engineering scams is ineffective.

With this in mind, the UK’s national cybersecurity centre has provided new guidance, encouraging entities to move away from fear tactics when it comes to security awareness training.

Instead, it recommends focusing on blending technical security measures with an environment that nurtures a sense of ease among employees, enabling them to report potential phishing attempts or malicious links without fear of retribution.

Rarely should the blame for a security incident be placed solely on the end user. Users already have many other things on their minds in order to do their jobs effectively, so expecting them to be security-conscious 24/7 is unrealistic. It falls upon leadership to create an environment where workforces can avoid falling victim to social engineering attackers.

Take, for instance, the Uber breach earlier this year, where an 18-year-old hacker used a multi-factor authentication (MFA) fatigue attack. Also called MFA bombing or MFA spamming, these attackers employ repetitive tactics by sending multiple second-factor authentication requests to the victim’s email, phone, or registered devices.

The object is to pressure victims into verifying their identity through notifications, thereby unintentionally authenticating the attacker’s efforts to gain access to their account or device.

Technically, the responsibility for the breach rested with the employee who unwittingly authenticated the attacker’s requests. However, instead of punishing the employee for an honest mistake, neither Uber, the media, nor the cybersecurity industry placed the blame on them.

Instead, they understood and empathised with the unfortunate circumstances that led to the incident.

Everyone is vulnerable

Social engineering attacks are cunningly crafted and designed to target employees whose focus is elsewhere. Everyone is vulnerable, irrespective of the amount of security awareness training they have had, and it’s important to remember that not all attacks are equal. One needs to look no further than Twitter as an example.

Should the social media platform fall victim to another breach in the near future, it is unlikely to garner any sympathy, because Elon Musk effectively dismantled the security team soon after assuming control.

His actions resulted in the layoff of over half the company’s staff and the departure of compliance, privacy and information security leaders. Concerns have been raised by both domestic and international government agencies about the safety of Twitter as a consumer product, placing Musk in the spotlight for any potential future security incidents.

According to a recent survey, 47% of senior IT executives say they would place the blame for a breach on their cybersecurity or IT team, and a mere 12% of executive leaders would take ownership themselves. Many entities hire chief information security officers (CISO) seemingly only so they can pin the blame on them should a security incident occur. This fuels a toxic work environment and an under-resourced security team.

A 2020 Nominet backed this up and revealed that the average tenure for a CISO ranges from 18 to 26 months. Similarly, nearly a quarter of CISOs claim that their company’s governing board fails to comprehend the inevitability of breaches and hold them personally accountable for any security incidents that occur.

Another, 20% stated that their contracts would be terminated even if they had no responsibility for a breach whatsoever.

Building an awareness culture

Blaming end users or solely burdening security practitioners and leaders with accountability is not the answer. They can only do as much as they can with what they have in terms of tools and skills.

So instead of promoting a blame culture, we should be building a security awareness culture that goes beyond educating staff on what to look out for in terms of phishing e-mails and similar, to making the business aware of what the risks and threats are; and making everyone accountable instead of leaving all the responsibility to the security team.

It’s also important to remember that too often, the security team will recommend the business adopt a new approach or similar, but is told there’s no budget for it at the time. Unfortunately, getting buy-in from the business is harder than one might realise, because most of the time, businesses only truly understand how important cybersecurity is once they have suffered a breach.

Learn more at arcticwolf.com

The goal of any solid cybersecurity strategy is not to have a big team or a lot of tools in place: it’s to increase the company’s security posture over time. It’s about having a strategic mindset around building operational efficiencies into the security strategy and building broad visibility across the entire attack surface.

It’s also about making sure that the business is getting the right intelligence from the right resources to build protection and operational efficiency into the strategy. And for those without the budgets for large security teams, working closely with a partner that can deliver a full security operations platform is essential.