Human risk now biggest cybersecurity threat, report finds
The transition to hybrid and fully remote work environments has significantly heightened the human risk, according to a report from SANS Security Awareness.
Cybersecurity experts who focus solely on technology may be looking for threats in the wrong place, as the transition to hybrid and fully remote work environments has significantly heightened the human risk, according to a report from SANS Security Awareness.
“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, security awareness director for the cybersecurity training provider. “Humans rather than technology represent the greatest risk to organizations, and the professionals who oversee security awareness programs are the key to effectively managing that risk.”
Two factors drive the increase in human-based risk: organizations are not recruiting outside security awareness talent, and attackers are aware of organizations’ increased human risk and take advantage of this weakness by creating sophisticated attacks that even the most advanced security software cannot detect.
The report analyzed data from more than 1,000 security awareness professionals worldwide. Among the key findings:
- Nearly 7 in 10 security professionals spend less than half of their time on security awareness. Security awareness responsibilities are commonly assigned to staff with highly technical backgrounds who may lack the skills needed to engage their workforce effectively in simple-to-understand terms.
- The average reported salary for U.S. security training professionals was $110,309, an increase from 2021. However, full-time professionals were paid an average of $86,626, while those who are part-time averaged $117,584. This is because people dedicated part-time to security awareness have their compensation based on other responsibilities, which are usually more technically focused.
- The three top reported challenges for building a mature awareness program were a lack of time for project management, limits on training time to engage employees, and lack of staffing.
- The top two reported impacts were the challenge of a more distracted and overwhelmed workforce and a working environment where human-based cyberattacks have become more frequent and effective.
- Strong leadership support, increased team size and higher training frequency topped the charts as key enablers to program success.
The report also identified three action steps to increase program success:
- Speak in terms of managing risk, not compliance. Explain why you are doing something, not what you are doing. Create a sense of urgency by using data, and communicate value by demonstrating alignment with leadership’s priorities.
- Document and contrast how many people on the security team are focused on technology compared with how many are focused on human risk. Create a document to fully explain personnel needs, and build partnerships with key departments that can help develop ways to communicate the program’s value.
- Communicate to, interact with or train the workforce at least once a month. Keeping training simple and easy to follow is the key to increasing opportunities to engage and train the workforce.
“The most mature security awareness programs not only change their workforce’s behavior and culture but also measure and demonstrate their value to leadership via a metrics framework,” Spitzner concluded. “Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources and tools to manage their human risk effectively.”