First off, what is human activated risk? Human activated risk is introduced by human behaviors or actions, through coercion by bad actors, human error or malicious intent. The interaction between people and technology is rarely perfect. Technology can malfunction or not work as it’s supposed to, but in many cases, the fault is with the person operating it. Whether through carelessness, malicious intent, or being tricked by a third party, humans can knowingly and unknowingly create massive amounts of risk that security teams need to manage.
We surveyed 600 IT security leaders across a broad range of industries to gauge their understanding of human activated risk and, in turn, their organizations' security posture in this enhanced threat environment. More than half of respondents (56%) feel their non-technical staff are either only somewhat prepared or not at all prepared for a security attack.
Many organizations appear to be adding more software to address problems beyond their control and hoping things improve: more than 39% of organizations have 6 or more security solutions deployed. Additionally, 77% of respondents have seen an increase in security compromises since going remote 2 years ago, which creates more risk for dispersed, virtual organizations.
Other significant research findings include:
- 30% of IT leaders polled either don't have or don't know if their organization has a solution to detect accidental data loss from misdirected emails.
- 60% of the survey respondents feel the active security they have in place still presents them with a challenge.
- Almost 30% of those polled (roughly 180 IT leaders) don't understand what human activated risk is.
The top attacks by rank are:
- Accidental data loss via human error
- Employee spear phishing
- Business email compromise
The takeaway is that human activated risk can be both innocent and malicious: the result of not paying attention to an action before completing it, or of deliberately using information with malicious intent. In today’s fragile, global world, organizations truly need to prioritize defending against human activated risk. While cybersecurity teams need to continue to reinforce education, they also have to make sure the technology they bring into an organization is relevant and will help reduce risk.