The Human Factor: Unveiling Insights from SANS 2023 Security Awareness Report

SANS Institute Releases 2023 Security Awareness Report: Managing Human Risk

Introduction

In an era where artificial intelligence (AI) is fueling increasingly sophisticated cyber attacks, understanding and managing human cyber risks has become paramount. As a response to this growing concern, the SANS Institute, a global leader in cybersecurity training, has released the SANS 2023 Security Awareness Report titled “Managing Human Risk.” This report, based on the experiences of nearly 2,000 participants from 80 countries, sheds light on the escalating stakes in human cyber risks. Notably, the report highlights the vulnerabilities faced by remote workers, with a startling 20% of organizations worldwide reporting security incidents involving their remote workforce in the past year.

The Importance of Human Cyber Risks

Lance Spitzner, the SANS Security Awareness Director and co-author of the report, emphasizes the evolving role of the human element in cybersecurity. He states, “The digital world is expanding rapidly, and with it, the human element of cybersecurity becomes ever more important as it evolves as a primary target for cyber threats globally.” It is evident that cybercriminals are leveraging AI to amplify the sophistication and reach of phishing, vishing, and smishing attacks. Consequently, organizations need to focus on understanding and addressing human cyber risks as an integral part of their cybersecurity strategy.

Key Findings

Top Human Risks

The report identifies several primary human cyber risks that organizations should prioritize. These risks include phishing, vishing, and smishing attacks, along with the challenge of managing password and authentication risks. Building a security culture that encourages effective detection and reporting is also vital. Furthermore, the risk of IT Admin Misconfigurations, particularly within complex cloud environments, is highlighted as an area of concern.

Leadership Perspective

The report notes that security awareness remains predominantly perceived as a part-time commitment within organizations. Alarmingly, 70% of security awareness practitioners disclosed that they dedicate half or less of their working time to this crucial aspect of cybersecurity. This data underscores the ongoing challenge of elevating the importance of continuous cybersecurity awareness within day-to-day operations.

Compensation

For the first time, the report reveals that professionals specializing in human risk management earn up to 5% more than their peers in broader security roles. This finding highlights the increasing demand for, and value of, individuals skilled in managing human cyber risks.

Key Action Items to Increase Program Success

Talk in Terms of Risk

The report emphasizes the need to change the perception that security awareness is solely a compliance effort with little relevance to managing risk. Instead, the focus should be on demonstrating the value of human risk management and aligning it with the strategic security priorities of organizations.

Leadership Support

To ensure strong leadership support, it is recommended to dedicate at least two to four hours a month to collecting metrics about the impact and value of the Security Awareness Program. These metrics, including both formal key performance indicators and success stories, can help leadership better understand and appreciate the value that the program provides.

Team Size

Organizations have historically focused on technical security, often overlooking the human side of cybersecurity. This imbalance leaves the workforce vulnerable to cyberattacks. The report suggests a starting point of a 10-to-1 ratio of technical to human-focused security professionals to bridge this gap and ensure adequate protection from human cyber risks.

Editorial

The release of the SANS 2023 Security Awareness Report highlights the increasing importance of human cyber risks in the evolving digital landscape. As cyber threats continue to become more sophisticated, organizations must recognize that securing their human assets is just as critical as protecting their technological infrastructure. It is no longer sufficient to rely solely on yearly compliance-focused training. Instead, organizations need to adopt proactive measures to manage human cyber risks effectively.

Advice

To address the growing human cyber risks, organizations should invest in comprehensive security awareness programs that prioritize continuous learning and engagement. This includes training employees to identify and respond to phishing attacks, fostering a culture of security awareness, and ensuring leadership support for such initiatives. Moreover, organizations should consider dedicating sufficient resources, both personnel and budget, to build robust human-focused security teams.

Conclusion

The SANS Institute’s comprehensive report highlights the urgent need for organizations to manage human cyber risks effectively. By following the key action items and recommendations outlined in the report, organizations can proactively protect themselves from the evolving threat landscape. It is crucial for organizations to embrace a holistic approach to cybersecurity, which includes both technology and human-centric measures, to safeguard against the ever-increasing cyber threats of the digital age.
