As our lives become increasingly digital, from online banking and social media to remote work and cloud storage, the importance of robust cybersecurity measures cannot be overstated.

Cyber threats pose significant risks to individual privacy, financial stability and national security.

In recent times, this significance has become apparent, and there is a push for more to be done in the space as cybersecurity threats and attacks have become more prevalent, be it data breaches, phishing, identity theft or malware.

This has led to substantial investments in tools and software defences and the nurturing of human resources and talent in the space.

Over the past years, there have been substantial advancements in cybersecurity tools and software defences. Innovations such as artificial intelligence (AI) and machine learning have revolutionised the way we respond to cyber threats through sophisticated anomaly and malware detection as well as threat hunting, to name a few.

Advanced encryption techniques and multi-factor authentication have also strengthened the security of data transmission and access control.

These tools have made defence against cyber threats more efficient than ever before, but despite all this, successful attacks are still looming and growing. The human element continues to be the weakest link, and it will remain so until it is strengthened.

No matter how sophisticated the technological defences are, they can be easily undermined by human error and unpredictable behaviour.

Humans are inherently susceptible to social engineering tactics, such as phishing attacks, which exploit psychological manipulation to deceive individuals into divulging confidential information or performing actions that compromise security.

A report by IBM highlights that phishing remains the leading infection vector, a factor in 41% of all incidents remediated, emphasising the critical role that individuals play in the overall security landscape (IBM, 2023).

In a security context, human error refers to unintentional actions or omissions by employees and users that result in, facilitate or permit a security breach. This encompasses a wide range of user behaviours, from downloading malware-infected files to using weak passwords, which makes it challenging to address.

The increasing complexity of work environments, with a growing number of tools and services in use, leaves employees juggling multiple usernames, passwords and other credentials, which leads them to take shortcuts.

Furthermore, the constant threat of cyber criminals employing social engineering tactics complicates the situation, as employees can inadvertently hand sensitive information or credentials to malicious actors without any sophisticated cyberattack being needed.

Verizon’s 2018 cybersecurity breach report identified misdelivery as a top-five contributing factor to security incidents (Verizon, 2018). With email users frequently relying on automated assistance such as address auto-complete, inadvertently sharing sensitive data with unintended recipients is an ever-present risk that companies must address.

Additionally, the National Cyber Security Centre’s 2019 report found that the password “123456” continues to be one of the most used passwords globally, and that 45% of individuals reuse the same password across other online services (National Cyber Security Centre, 2019).

The root cause of most human errors in cybersecurity is the lack of user awareness and knowledge. Uninformed employees are highly vulnerable to phishing scams and public network breaches that expose their credentials.

This deficiency in cybersecurity know-how is not the users’ fault but rather the responsibility of the organisation to address by ensuring its end-users have the necessary knowledge and capabilities to protect themselves and the business.

Notable strategies to mitigate human error include providing regular training to keep employees updated on the latest threat vectors and implementing phishing simulations to test and improve employee vigilance.

Company culture also plays a role: cultivating security awareness and encouraging a security-first culture, where employees feel responsible for protecting organisational assets, leads to significant progress.

IBM also noted that regular cybersecurity training and simulations were highly effective in reducing the incidence of phishing attacks. It emphasises that people learn significantly through experience, and that activities built on this, such as simulated attacks and interactive training, can markedly improve employee response to real threats.

At Heriot-Watt University, staff will intermittently receive an email of suspect origin sent by the Security and Compliance Team as part of the internal anti-phishing education campaign. By reporting a phishing email, staff will be greeted with a congratulatory note as part of the gamification campaign to promote improved learning and retention and behavioural change.

Although technology can assist in cybersecurity defence, irrational and often unpredictable human behaviour makes enhancing human awareness and vigilance a necessary focus.

Continuous education and training, coupled with experiential activities, such as phishing simulations and interactive workshops, are paramount to bolstering overall cybersecurity efforts.

By fostering a culture of security awareness and equipping individuals with the knowledge and skills to recognise and respond to potential threats, organisations can significantly reduce the risk posed by human errors.

The writer is from the School of Mathematical and Computer Sciences at Heriot-Watt University Malaysia. Comments: letters@thesundaily.com