In 2024 organisations will turn to human risk management to counter cyber threats, says Louise Douglas, Director of Security Strategy and Culture at KPMG, in an SJUK exclusive.
In a world where 74% of breaches contain a human element, I believe 2024 will be the year traditional security awareness comes of age and transforms into something new.
This year marks the 20th anniversary of the first Cyber Security Awareness Month, when security awareness and education went mainstream. Its launch was a turning point for security leaders, who started to recognise that technology, policy, and background checks couldn’t hold back the tide of cyberattacks; to secure an organisation, you must help individuals within it to operate securely.
We have come a long way in the last 20 years: cybersecurity training and awareness have moved from a ‘side of the desk’ activity to a profession with thousands of practitioners who have built a body of knowledge on how to change behaviour.
Recently, some specialists have started to differentiate themselves and move out of the traditional awareness space into something new: human risk management. It is more than a simple name change. The name alone acknowledges that managing risk is why “awareness” exists in the first place, but the discipline behind it is a broader, more impactful, holistic view of how we manage people-centred risks in security.
You may ask what cyber human risk management looks like, and that is still up for debate across the sector. For me, it means managing the full lifecycle: proactively identifying risk and risky behaviours from a range of feeds and data sources; delivering interventions, or influencing others to deliver them, to mitigate that risk; and measuring the impact. Maturity in this new world includes leveraging behavioural science to drive behaviour change, and understanding user experience well enough to simplify security, reducing friction and decision points for end users while maintaining security posture.
Awareness and education still have a critical role to play at the intervention level, but so do policy, process, and technology.
For the sceptics who think it is a buzzword, just take a quick look online. Vendors are recognising the change too, and in the last year there has been a growing number investing in platforms to support this shift.
So why now? As security professionals, we are all too aware that any change in technology is closely followed by threat actors trying to exploit it: the Blanc brothers hacked the optical telegraph in 1834, and the explosion of internet use in the 1990s was followed by a malware boom. Our evolution as humans runs at a much slower pace, so when new threats emerge, our ability to spot them at an individual level takes time to develop. That gap is what threat actors exploit.
Now we have moved into the age of AI, which is already increasing the volume of phishing and vishing attacks. But the potential is far greater. AI can increase the sophistication and precision targeting of phishing and social engineering attacks which, when coupled with a surge in volume, takes the threat to unprecedented levels.
While the case for awareness to transform into human risk management has been there for some time, it has never been more pressing.
Louise joined KPMG in 2021. Her role is to ensure the information security strategy aligns to business need and to create a strong security philosophy within the organisation, where all employees understand the importance of security and adhere to KPMG’s security protocols. Prior to working at KPMG, Louise was Global Cyber Security Education and Awareness Senior Manager at Unilever.