People Are An Essential Element In Your Cybersecurity Incident Response Plan
Posted: Wednesday, Jan 24

i 3 Table of Contents

People Are An Essential Element In Your Cybersecurity Incident Response Plan


While threat actors lean heavily on technology to execute cyber-attacks, much of their focus is on exploiting individuals. Focused on exfiltrating data and stealing money, criminals manipulate people through deception.

Developing a security culture that helps people identify potential threats and encourages behaviours that decrease their vulnerability to criminal behaviour is a critical element of any information security strategy. But it is also important to ensure that anyone impacted by an incident, including staff and third-party suppliers who can inadvertently open the door to malicious actors, is supported.

A Rising Incidence

Each year, the Australian Cyber Security Centre (ACSC) reports on cyber-attacks against Australian entities. And each year, report data continues to highlight how criminals focus their attacks on people. Stolen passwords, business email compromise attacks and identity compromise are the most common attacks experienced by both businesses and individuals. The latest data shows the average cost of reported cybercrime in Australia is up 14% on the previous year with a cyber security incident now reported every six minutes.

While it’s easy to place the blame on the individuals who click on a phishing email, open suspicious attachments, or click on malicious links, it’s important to understand that criminals are becoming much better at crafting convincing payloads to dupe people. The rise of generative AI might be a boon for businesses, but criminal organisations are also exploiting it to create much more convincing content for scam campaigns.

The primary focus of incident response is normally technical and operational recovery as it is most critical to supporting organisational continuity. And when the incident is contained and the damage is repaired, root cause analysis tends to finish with the identification of a phishing email or someone clicking on a fraudulent link. Deeper analysis is far less commonly undertaken to really understand why the user did what they did.

The Human Element

As team members try to keep up with increasing workloads and manage stressful situations, they may make mistakes. And in the aftermath of an incident, the individual that made the error can experience significant guilt and feel personally responsible for the incident.

Effective incident response must consider the human impact as well as the technical and operational. For example, people should be encouraged to report that they have clicked a link within a suspicious email, rather than keep quiet. If the security team is alerted promptly, even before malicious activity appears in logs or alerts, they can potentially reduce the blast radius and decrease the impact of a breach event. In cases like this, the individual should be commended for their prompt disclosure and the benefit early notification has on effective incident response.

In many incidents, the person that made the initial error might not be aware that they were the first link in the attack chain, and it’s crucial that when they are informed, they are communicated with empathy and care. While it might be easy to blame the individual, reports consistently show that about 90% of cyber-attacks are initiated by exploiting weaknesses in people. In addition, a major breach event is usually the result of multiple failed cyber controls and not the outcome of a single click. The reality is that almost anyone can be victim of a scam.

Balancing The Pressure

Organisations must also plan for how to support their people through an incident and not just focus on the technical aspects. Ensuring their incident response team is getting enough rest and their wellbeing is factored is crucial. When an incident occurs and is ultimately reported, organisations need to keep in mind the human impact of the attack – not just the person who was exploited but broader workforce team members that will have been placed under extra stress and required to work extra hours to execute processes manually while systems are unavailable.

Your organisation’s cybersecurity strategy and response plan must consider your staff. They can be significantly affected and will require care to ensure their recovery is prioritised.

Silas Barnes
Experienced information security executive specialising in modern enterprise cyber resilience with a focus on strategic offensive assurance. Extensive career in high profile network security, threat intelligence, offensive assurance and cyber incident response across critical infrastructure including transport, aviation, government, military, technology, not-for-profit and healthcare verticals. Well balanced across business engagement and technical skill domains and able to seamlessly adapt communication style to match audience requirements. Highly technical information security leader with real-world ransomware incident response exposure and a strong business focus to help organisations identify and address real risk through modern, practical offensive assurance services.
Share This