BCX Connects

The Human Factor in Cybersecurity

In this episode of BCX Connects, we explore the human element in cybersecurity, often the most targeted and vulnerable part of defence. Hosts Garith Peck and Chris Bester discuss “cybersecurity fatigue,” in which constant alerts and messages reduce vigilance, making people more susceptible to social engineering attacks like phishing.

SPEAKER_01

Welcome to BCX Connects. This is episode one of our podcast focusing on cybersecurity. My name is Garith Peck. I am the managing executive for cybersecurity. Very importantly, when we're talking about the human risk in cybersecurity, when people think about cyber and the risks around cyber, they often think about hackers, they think about firewalls, AI tools. But ultimately, one of the biggest risks is much closer to home. That is us, the human element. A few years ago at a cloud security conference, I spoke about something called cybersecurity fatigue. This is a reality where people, from employees through to security teams, are so bombarded with alerts, rules and messages that vigilance drops, mistakes creep in, and when the humans slip up, that is when your threat actors strike. So today with me I have my colleague and our subject matter expert, Chris Bester. Chris is one of our senior consultants, and we're going to unpack the human factor and why it's perceived to be the weakest link in cybersecurity. So welcome, Chris. Thanks, Harry. Welcome to episode one. I think most importantly, we want to focus on how we turn our people into our strongest defence. I don't typically like it when people say that the human factor is the weakest link. I prefer to refer to it as the most common threat vector. And there's a typical psychology around why attackers target humans. Chris, one of the things we see over and over is that the threat actors don't go after firewalls, they don't go after the systems directly; they first go after the people. So phishing, pretexting, exploiting trust and urgency. The one thing that I'd like to understand is, why do you think humans remain the preferred target?

Why do humans remain the preferred target

SPEAKER_00

Thank you. You already mentioned alert fatigue, or cybersecurity alert fatigue. The other part of it is message fatigue. I mean, you wake up in the morning and you already have 27 WhatsApps, you have eight or nine urgent emails that you have to attend to. You have a bombardment of push notifications on your phone, you have breaking news from BBC and all those kinds of things. So you're getting bombarded with digital noise from before you even have your first coffee in the morning. Whether or not we want to believe it, our phones are actually now managing our lives 100%. And that's the kind of thing.

SPEAKER_01

So you get message fatigue, and with that comes this little bit of cognitive shortcuts that you take, and you don't pay as much attention. And I like that, the cognitive shortcuts, because that is typically where we see social engineering becoming so effective, because social engineering is still the most successful attack vector. Some analysts go as far as saying 74% of breaches still involve the human element and relate directly to social engineering. So we see that the employees are overloaded with systems and rules, and it becomes a challenge for them. The one thing on that fatigue, where it also bombards employees: it's agreed that one of the ways to remediate or to fix the human factor is education. So education is really a big factor, but there is a bit of a downside to some of the education tactics, because employees are also bombarded with phishing tests, constant MFA prompts, security training. And it has to happen, right? But security teams themselves are drowning in thousands of alerts, and over time people disengage, and then that's when incidents slip and mistakes happen. For me, Chris, I'd like to think of what would be

The balance organisations can strike to enforce controls while maintaining staff engagement

SPEAKER_01

that balance that organisations can strike to enforce the controls while keeping staff engaged. I mean, that's always the interesting balance, where you find it.

SPEAKER_00

Yeah, you're right, we need to find a balance. And if you think about it, going back to one of the statements you made: the threat actors are big organisations now, they're not just the script kiddie around the corner anymore, and they employ some of the best behavioural scientists and behavioural analysts and psychologists to help them target the individual. And with our education and our awareness tests and all those kinds of things bombarding them, people get numb to it, and they start responding like a tick box. It's like, that's what they want to see, so let's give them what they want to see. But it also leads us, with this message overload or digital overload, to making mistakes. And everybody makes mistakes.

SPEAKER_01

So that psychology is an interesting one, and it's something we need to acknowledge, because people run on habit, right? And security often interrupts those habits. So it adds stress: tight deadlines, information overload. Those psychological elements are also what gets exploited when your threat actors send phishing emails. We've seen an example of phishing emails, there were deepfakes, where employees received mails which they perceived to be from management or from the CEO, and they released payments. There are a lot of examples like that. So that added element of stress, there's a psychological element to that. Definitely.

The Cybersecurity Culture

SPEAKER_01

I think the one thing we can agree on is that the one way is education, but what trumps education is culture, right? So I always say that awareness isn't the same as culture. You can do training all year, but if it's not in the culture of the organisation, if the leaders of the organisation themselves bypass MFA, if they rush through security, the culture collapses, because the security culture goes from the boardroom to the basement. It's everyone's responsibility. That's right. There was an interesting study done by Dell where they assessed the people element from a cyber perspective, and the one thing that came out of that was that people felt cybersecurity wasn't their problem, and that's the fundamental issue. It's everyone's problem. Exactly.

SPEAKER_00

Yeah, I mean, our threat actors are counting on us to do something stupid, because all of us do something stupid sometimes. My late dad used to say there's no pill for stupidity, but we wish there were. We're all prone to that, and that's where the culture comes in. I think we had a discussion earlier where you said it needs to become something like memory, a memory action like putting on the seatbelt. Exactly. Yeah, exactly. You don't even think about it, it just needs to be part of your fabric, of your culture.

SPEAKER_01

Correct. Because if you think back to how cybersecurity has evolved over the years: if I look back 15, 20 years, and I'm giving my age away, when people spoke about cyber, they thought about a firewall and antivirus. Exactly. Now cybersecurity is a very complex discipline with multiple layered disciplines within it, and these are all things that we need to be aware of. But I think the shared accountability is really one of the key things as well, because as executives we can't delegate cyber to IT anymore; it's not an IT problem. Cyber is an enterprise risk, it's everyone's risk. That means, like I said, from the boardroom and HR right through to the basement, everyone has to play their part. I've seen challenges where people don't buy in to the cybersecurity culture, and that's where you see the mistakes come in. So it's about how accountability can cross the lines on the business side.

SPEAKER_00

That's true, yeah.

SPEAKER_01

So one other interesting element, when it comes to culture, is that it's something that shouldn't be done in one month of the year. That's true, we have Cybersecurity Awareness Month, etc. But cybersecurity is not limited to the one month, right? It's the whole year. It's something that needs to happen all the time. So awareness isn't enough.

SPEAKER_00

So every time you switch on your phone or your computer, yeah, correct, you are exposed. 100%.

SPEAKER_01

And we've seen a lot of organisations invest billions into the technology, into security in their environments, etc. So you'll find some level of arrogance that organisations would have, where they'll say we have a foolproof system, or we have the best-of-breed security solutions. But you and I both know there's no such thing as a foolproof system; there's no silver bullet for cybersecurity. There's that old saying: you think it's foolproof, but you're underestimating the creativity of the fool. So for me the takeaway is that the human factor will always be the target; attackers exploit trust, fear, fatigue. But with the right culture, people can become our strongest defence. The technology alone won't save us, right? It's about building resilience in people, not only in the technology. So designing policies, and also we need to be cognisant of and respect the human limits. I think that is an important psychological element to it as well. And creating cultures where security is part of everyday behaviour.

SPEAKER_00

Yeah. That culture, or can you call it a culture shift, is very necessary. It needs to become part of our daily fabric.

SPEAKER_01

And why it's important is because you must remember cybersecurity is not limited to the confines of your working environment, because we're all using technology at home, our children are using technology, so that culture needs to be inculcated both at home and at work. The same kind of behaviours, because the layman on the street also gets exploited by clicking on a phishing email, or gets exploited through social engineering, and money gets stolen out of their bank accounts. I've seen examples of these kinds of things. So the culture needs to be pervasive across the borders of enterprise and home. I think that's a very important thing. So, Chris, thank you. Thank you for joining me on episode one, and thank you for the insights. And thank you everyone for tuning in. Remember, cybersecurity isn't just about systems, it's about people. So, until next time, stay sharp, stay safe, and be cyber aware. Thank you very much.

SPEAKER_00

Thank you.