
Humans Remain the Biggest Risk to Cybersecurity

Possibly more than ever before, it is the human element of security that presents the greatest threat to organizations’ cybersecurity, according to the latest report from SANS Security Awareness.

More than 82 percent of all data breaches are caused by human-based risks, including phishing, business email compromise (BEC), and ransomware, according to the 2022 Verizon Data Breach Incident Report, which was released in early June.  

There are apparently two key reasons for the increase of human-based risk, according to the SANS 2022 Security in Awareness Report.

The first is that organizations are failing in recruiting sufficiently diverse security awareness talent. The number of security awareness professionals who have a background in training, communications, human resources, or other skills necessary for security awareness training is less than 25 percent. “This can help explain why so many awareness programs struggle to engage their workforce,” the report said.

While a strong technical or security background can help shore up an organization’s defenses, there are some downsides to a team that lacks diversity.

“…Having ‘too technical’ a background can also sometimes mean the person lacks the skills to effectively communicate those risks or meaningfully engage employees,” the report said.

The second reason is that attackers understand the enormity and opportunity that human-based risk offers, and have therefore created increasingly sophisticated attacks. “People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS Security Awareness director and co-author of the report.

“This year’s report once again identifies what we have seen over the past three years: that the most mature security awareness programs are those that have the most people dedicated to managing and supporting it,” according to the report. SANS Security Awareness, part of the SANS Institute, analyzed data from more than 1,000 security awareness professionals.

The report noted that the most mature security awareness programs were the ones with the “most people dedicated to managing and supporting it.” With a more mature program, organizations can better manage human-based risk.

“The most mature security awareness programs not only change their workforce’s behavior and culture but also measure and demonstrate their value to leadership via a metrics framework,” Spitzner said.

This means going beyond basic annual training requirements that only ask participants to check a compliance box. Demonstrating to leadership why more is needed can elicit key support.

Along with gaining support from leadership and increasing the number of people on an awareness team, an organization can further mature its awareness program by increasing the frequency of its training for the workforce. This does not need to be overly complicated or expensive—it can be as simple as a webcast on ransomware or a guest speaker who can provide information about identity theft, such as a member of law enforcement.

Another finding from the report was that, for the second consecutive year, there was a significant pay gap between employees dedicated to security awareness efforts full-time and those working on them part-time.

“Those dedicated part-time to security awareness are paid as much as $30,000 more annually than those who work at it full-time,” the report said.

Much of the disparity comes from an issue with perception. While those in full-time security awareness roles are compensated specifically for their positions on the security awareness team, staff who work part-time with this team are likely already part of another team, such as security or information technology.

“Their higher salary could be a reflection of them being compensated for other security or technical skills,” the report said. “Those who are dedicated full-time to awareness often have non-technical backgrounds, such as communications, and are compensated specifically for their security awareness role, which is often not as valued as most other security roles.”

And with unprecedented numbers of employees working remotely or in hybrid arrangements, attackers continuing to target employees as a point of entry into an organization's systems, and the COVID-19 pandemic and other recent events contributing to workforce fatigue, improving security awareness is perhaps more crucial than ever.