Human Behavior: An Overlooked Aspect of Cybersecurity
By Miriam Bello | Thu, 06/02/2022 - 15:42
Businesses and cybersecurity experts are continuously challenged to develop and implement preventive protocols in response to increasingly sophisticated, coordinated and longer-lasting threats. To strengthen cybersecurity, industry leaders must secure the weakest link in the chain: users.
Human behavior is one of the largest risks to a secure network, and understanding it is vital to identifying anomalies and preventing cyberattacks. While understanding the technical processes of network security is important for successful performance, expertise in behavioral analysis is increasingly in demand and is becoming part of cybersecurity education programs.
“While the user may be the greatest vulnerability of companies, users can learn and be aware of threats they cannot see, which cost them their jobs and cause unquantifiable losses for the company,” said Miguel Porfirio Camacho, Vice President IT, AMIS. To prepare the user for potential cyberattacks, AMIS provides education regarding antiviruses, malware, phishing and other examples to help users identify threats. “With the home office modality, it is as if companies had many branches, only without security or security that depends on the user. Thus, users need to independently know how to avoid an attack,” said Camacho.
Physiological processes can lead humans to have different responses to similar situations, said Bismarck Animas, Incident Response Manager, FEMSA. So, cybersecurity teams must familiarize themselves with various pain points. “It is important for cybersecurity professionals to study human behavior, because cyberattackers do. They know exactly where to enter,” said Animas. Thus, companies need to educate and train their employees to avoid these mistakes, he added. This can be done by making training accessible and relevant and implementing security controls that are both effective and easy to use without disrupting workflows.
“Behaviors can change, but responses must be standardized with processes and procedures for a conscious response on each occasion. For example, food chains have solid processes that allow them to have business continuity in branches in different countries. Cybersecurity processes can be equally successful,” said Erwin Campos, Cybersecurity Global Leader, Bimbo.
It is fundamental to differentiate valid human behavior from machine behavior, said Campos. Correctly identifying fraud is also key, but companies also have a responsibility to provide tools to reduce human weaknesses and exposure to different attacks.
Humans are the easiest target because manipulating people is easier and faster than trying to violate a simple system, Campos said. This is why training and security awareness are the best tools to identify threats and allow users to easily report them.
Social engineering attacks, which are becoming more common, can also be highly personalized. A perpetrator first studies the intended victim to gather the background information needed to proceed with the attack, such as potential points of entry and weak security protocols. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources. Attackers also take advantage of popular topics or current events. During the COVID-19 pandemic, Animas explained, attackers lured victims with the promise of news about the virus, vaccine and treatment. When users are home, these attacks can take the form of payroll emails.
“There is even software that is dedicated to social engineering, which is why we are strict even with streaming services on work computers. Users might think we exaggerate but it is better to do so,” said Camacho.
The use of friendly language has greatly helped experts to raise awareness and train people more effectively, said Animas: “We had to lower our IT ego and begin to listen to collaborators and the business itself to learn how to communicate that the point is to defend the business so that it operates safely.” Being flexible with other collaborators helps them feel comfortable raising their voice in case of a suspected attack.
“Also sensitize bosses and go as far as to simulate a cyberattack to see how people react to know what needs to be improved,” said Camacho. Providers would also benefit from investing in machine learning and AI to facilitate processes for customers because “these tools learn from users’ behaviors. Investing in security will avoid losses in other areas,” said Camacho.
Through training and education, users can “understand that they are also responsible for the company's security, but also for their own private security. This way, they can avoid falling for personal or professional attacks,” said Elizabeth Peña Jauregui, Head of Government and Industry Relations, Ericsson LATAM North.