Professor of Management Practice
As we start another Cyber Security Awareness Month, it’s worth reflecting on what we've both accomplished and failed to achieve in protecting our digital environments.
Over the last 20 years, technological advances have transformed cyber security. We now have advanced firewalls, multi-factor authentication, AI-driven threat detection, and zero-trust architectures. We have significantly raised technical as well as human abilities to withstand cyber onslaught.
Yet, despite the immense growth of cyber capabilities, people, not technology, are still the most exploited vulnerability in any security system. Two decades ago, Mitnick and Simon (2003) wrote about the art of manipulating humans to provide access to systems – and this remains true today. Unfortunately, for all our leaps in technical protections, cyber criminals continue to exploit human behaviour. Sophisticated social engineering schemes and human exploits still account for most successful breaches.
Manipulating human trust
Consider, for example, the infamous 2020 Twitter hack, in which high-profile accounts – including those of Elon Musk and Barack Obama – were compromised. This wasn't a complex technical exploit but a successful social engineering attack. Hackers posing as trusted colleagues convinced Twitter employees to provide access to internal systems. Despite the platform's robust technical defences, a simple manipulation of human trust enabled the breach.
Interconnected ecosystem
The recent Cloudflare incident is a stark reminder of the interconnectedness of modern digital systems. A user at Cloudflare’s business partner, Okta, exposed credentials while logging into a personal account from a work-managed laptop. A single negligent action compromised hundreds of other organisations, including Cloudflare itself, which in turn exposed millions of Cloudflare’s end-customers.
This incident underscores the fact that, although the software that organisations use may come from a single vendor, the ecosystem running and protecting the system involves software components from many different organisations. This interconnectedness can keep the system healthy and efficient – until it doesn’t.
The digital world is an intricately woven mesh of interdependencies. One careless action can bring global commerce to its knees. Over the last two decades, investments in technology and human awareness have protected many organisations from misery. But can we prevent the domino cause-and-effect from reaching every software system? Recent advances in AI have led to increasingly sophisticated technical and human attacks. At the same time, more advanced technical cyber defence capabilities are able to defend against most, if not all, technical attacks successfully.
Cyber security training
Cyber security training has moved beyond occasional, checkbox-style compliance courses towards continuous and engaging content. KnowBe4’s The Inside Man is gripping and educational at the same time. We are starting to monitor more leading indicators of cyber success, such as how prepared employees are to deal with phishing attempts or social engineering tactics. Real-time phishing simulations, gamified security training, and integrating security awareness into onboarding and annual reviews have made a significant difference. Yet the threats keep evolving: deepfakes and AI-augmented phishing attacks present new challenges.
Have we given the same attention to building intrinsic defences, such as critical thinking, situational awareness, and a security culture that treats every individual as a first line of defence? Or have we done our bit, and it’s simply a war we can never win?
Investing in cyber security
It's a well-known fact among business leaders that human-intrinsic defences require as much investment as technological ones. The need to continuously update human skills and awareness, just as we update our firewalls and antivirus software, is crucial to keep pace with evolving threats. As we step into Cyber Security Awareness Month, the question arises: should we focus on developing more security-oriented employees, or accept that, when humans work in our organisations, breaches will happen? The answer seems straightforward: the cyber investment should be directed towards setting up response capabilities to deal with the inevitable.
Moving beyond awareness
Many cyber technologies developed over the last decade address disaster recovery and redundancy to provide continuity when a cyber event happens. The business opportunity resides in embracing the human-directed response capabilities emphasised in new regulations like NIS2. Cyber resilience capabilities should be developed to, for example, set up cross-functional incident response teams, focus on the human element, and move beyond awareness.
By 2025, we should honour Cyber Resilience Month rather than Cyber Security Awareness Month. Let’s move the focus to where the biggest impact could be made: namely, people and response capabilities to complement the cutting-edge technical protection and identification capabilities.
More info? Annelies Claeys will be happy to answer all your questions: annelies.claeys@vlerick.com or +32 (0)9 210 98 04.