Attackers target people, not machines. That\u2019s why organizations are gradually shifting from a technology-centric to a human-centric cybersecurity approach.<\/p>\n\n\n\n
Traditional cybersecurity software protects data by monitoring user activity, restricting employees\u2019 access to certain resources, and blocking phishing emails. However, such software can\u2019t fully protect an organization from security events caused by human errors.<\/p>\n\n\n\n
So instead of emphasizing restrictive security controls, businesses are putting more effort into:<\/p>\n\n\n\n
- \n
- Providing relevant cybersecurity education for employees<\/li>\n\n\n\n
- Emphasizing employees\u2019 accountability for their actions<\/li>\n\n\n\n
- Showing workers that an organization trusts them<\/li>\n<\/ul>\n\n\n\n
This is where people-centric security comes into play.<\/p>\n\n\n\n
![\"people-centric-security-definition-gartner\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/people-centric-security-definition-gartner.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Definition of people-centric security by Gartner<\/a><\/em><\/p>\n\n\n\n
People-centric security<\/span> is an approach that treats people as an important security perimeter. Its main principle is enabling each employee to have autonomy in handling information, using devices, and adopting security measures.<\/p>\n\n\n\n
When discussing people-centric security (PCS), cybersecurity specialists often refer to this approach using the following terms:<\/p>\n\n\n\n
- \n
- People-centric security approach<\/li>\n\n\n\n
- People-centric security framework<\/li>\n\n\n\n
- People-centric security strategy<\/li>\n\n\n\n
- Human-centric security<\/li>\n\n\n\n
- You-shaped security<\/a><\/li>\n<\/ul>\n\n\n\n
In this article, we use these terms as synonyms.<\/p>\n\n\n\n
While promoting trust in employees and making them responsible for the security of corporate data they work with, PCS doesn\u2019t cancel the need to verify that employees follow recommended cybersecurity practices.<\/p>\n\n\n\n
Just like in a conventional technology-centric approach to security, in PCS, users still have a particular set of access rights depending on their position, work routine, and responsibilities. However, within the PCS framework, employees are more aware of possible vulnerabilities, cybersecurity incidents, and their consequences. Also, employees are ready to take responsibility for their actions.<\/p>\n\n\n\n
There are seven principles<\/span> that should govern the increased rights and responsibilities of employees under a people-centric security framework:<\/p>\n\n\n\n
- \n
- Accountability<\/span> \u2014 Owners of information must be accountable for protecting it.<\/li>\n\n\n\n
- Responsibility<\/span> \u2014 Employees must take responsibility for how they handle data, use devices, etc.<\/li>\n\n\n\n
- Autonomy<\/span> \u2014 Organizations should provide workers with trust and enable self-governance.<\/li>\n\n\n\n
- Immediacy<\/span> \u2014 Inappropriate behavior always should be followed by an adequate response: punitive actions, educational program enhancements, etc.<\/li>\n\n\n\n
- Community<\/span> \u2014 All employees within an organization should maintain and support a positive cybersecurity culture.<\/li>\n\n\n\n
- Proportionality<\/span> \u2014 Control measures have to be proportional to the risks: the higher the risks, the stronger the controls.<\/li>\n\n\n\n
- Transparency<\/span> \u2014 Organizations should verify employees\u2019 attitudes with user monitoring solutions and provide feedback on what to improve to reduce cybersecurity risks.<\/li>\n<\/ul>\n\n\n\n
![\"core-principles-of-people-centric-security\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/core-principles-of-people-centric-security.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Within a modern cybersecurity program, human-centric security should go hand in hand with traditional perimeter and access control security<\/span>. Only by combining the PCS approach with robust user cybersecurity software can organizations enhance their data and system security.<\/p>\n\n\n\n
Insider Threat Management<\/a><\/p>\n\n\n\n
Why do you need human-centric security?<\/h2>\n\n\n\n
Security that doesn\u2019t work for people doesn\u2019t work.<\/em><\/p>\n\n\n\n
Implementing PCS into your work environment means making employees a cybersecurity shield for your organization. But is it really worth the effort?<\/p>\n\n\n\n
Let\u2019s define the three ways you can benefit from deploying a people-centric approach to cybersecurity:<\/p>\n\n\n\n
![\"3-reasons-to-apply-a-human-centric-security-approach\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/3-reasons-to-apply-a-human-centric-security-approach.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
1. Create a secure perimeter that isn\u2019t covered by cybersecurity software<\/span><\/p>\n\n\n\n
Hackers continually find new ways to manipulate both humans and systems. Because of this, organizations need to revise cybersecurity measures and update their tools each time they learn of a new threat. However, this doesn\u2019t always provide employees with enough awareness and can\u2019t protect organizations from social engineering attacks.<\/p>\n\n\n\n
For example, phishing campaigns may be so advanced they can easily bypass email filters and cybersecurity tools. Thus, it\u2019s up to users to be extremely attentive with emails they receive.<\/p>\n\n\n\n
It\u2019s essential to understand that well-trained staff is an important part of any cybersecurity defense. When properly educated and nurtured in a healthy cybersecurity environment, employees can:<\/p>\n\n\n\n
- \n
- Use an organization\u2019s networks and devices responsibly<\/li>\n\n\n\n
- Carefully handle the data they work with<\/li>\n\n\n\n
- Wisely access internet resources<\/li>\n\n\n\n
- Know how to securely share data through cloud-based solutions<\/li>\n\n\n\n
- Successfully identify phishing emails<\/li>\n<\/ul>\n\n\n\n
2. Understand the context behind user actions<\/span><\/p>\n\n\n\n
Although user activity logs provided by employee desktop monitoring software<\/a> often help cybersecurity officers detect suspicious activity, they can\u2019t help officers understand people. And to truly understand people, you need to know their intentions \u2014 what\u2019s behind their actions.<\/p>\n\n\n\n
Knowing the context behind user actions is important, especially when tasks may require creative solutions. In such situations, unusual employee activity \u2014 launching new applications or spending more time interacting with certain data than usual \u2014 might seem suspicious but not bring any threats.<\/p>\n\n\n\n
Also, context can make it clear whether a user performed an inappropriate action by accident or with malicious intent.<\/p>\n\n\n\n
Context can be related to data, user activity, and possible threats. By analyzing it, organizations can faster detect and respond to potential threats as well as make informed decisions on existing cybersecurity measures.<\/p>\n\n\n\n
<\/figure>\n\n\n\n
<\/p>\n\n\n\n
3. Improve the security of remote work<\/span><\/p>\n\n\n\n
PCS isn\u2019t a new trend<\/a>, but in 2020, it found a new lease on life. With the need to shift to remote work, businesses switched their cybersecurity focus from machines to humans.<\/p>\n\n\n\n
Cybersecurity officers usually consider remote employees<\/a> a significant risk for corporate data and systems for numerous reasons:<\/p>\n\n\n\n
![\"major-security-issues-related-to-remote-workers\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/major-security-issues-related-to-remote-workers.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
While traditional cybersecurity tools help to handle some of the issues mentioned above, the PCS approach provides remote employees with much more awareness of cybersecurity risks and their consequences. Thus, employees are more likely to follow an organization\u2019s cybersecurity policies even when working from home.<\/p>\n\n\n\n
Human-centric security goes far beyond ordinary cybersecurity training. Conventional training gives no guarantee that employees won\u2019t forget or neglect certain practices, especially when they\u2019re overwhelmed with work. Meanwhile, PCS concentrates on employees\u2019 responsibilities and teaches them to be more cautious about potential cybersecurity issues, especially when they\u2019re working remotely.<\/p>\n\n\n\n
Remote Employee Monitoring: How to Make Remote Work Effective and Secure<\/a><\/p>\n\n\n\n
How to implement PCS in your organization?<\/h2>\n\n\n\n
Be ready to commit.<\/em><\/p>\n\n\n\n
There\u2019s no one-size-fits-all plan on how to enhance an organization\u2019s cybersecurity with PCS. However, there are three<\/span> major steps that will help you shift your cybersecurity focus from machines to people.<\/p>\n\n\n\n
![\"3-steps-to-implement-pcs-in-your-organization\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/3-steps-to-implement-pcs-in-your-organization.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
1. Create an environment for people-centric security<\/strong><\/span><\/p>\n\n\n\n
One of the key ideas of PCS is to allow employees to make risk-based decisions. To achieve this goal, you need much more than traditional security awareness and training.<\/p>\n\n\n\n
Concentrate on creating a work environment<\/a> for people-centric security, in which employees:<\/p>\n\n\n\n
- \n
- Comprehend cybersecurity threats and their consequences<\/li>\n\n\n\n
- Understand the necessity of following recommended cybersecurity practices<\/li>\n\n\n\n
- Are willing to take personal accountability for their actions<\/li>\n\n\n\n
- Know the company trusts them and provides relevant controls to manage their security<\/li>\n\n\n\n
- Communicate freely with executives and security officers on cybersecurity topics<\/li>\n\n\n\n
- Have access to corporate educational materials that are tailored to different audience profiles and are regularly updated to address common mistakes, new threats, etc.<\/li>\n<\/ul>\n\n\n\n
![\"what-do-you-need-to-create-environment-that-promotes-pcs\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/what-do-you-need-to-create-environment-that-promotes-pcs.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
2. Foster a culture of cybersecurity<\/strong><\/span><\/p>\n\n\n\n
An organization\u2019s security culture can impact the organization in multiple ways, negatively or positively affecting compliance, the number of vulnerabilities, the likelihood of cybersecurity incidents, and the organization\u2019s financial state.<\/p>\n\n\n\n
You can evaluate your current security culture by assessing the following seven elements and finding areas for improvement:<\/p>\n\n\n\n
![\"](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/7-elements-to-evaluate-your-current-security-culture.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
According to the Security Culture Report 2020 by KnowBe4, Inc. [PDF]<\/a><\/em><\/p>\n\n\n\n
Once you\u2019ve performed this evaluation, you can start working on your cybersecurity culture. There are different approaches to develop it. Let\u2019s take a look at the following six-step framework offered by the European Union Agency for Cybersecurity<\/a>:<\/p>\n\n\n\n
![\"6-step-framework-to-develop-a-cybersecurity-culture\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/6-step-framework-to-develop-a-cybersecurity-culture.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
3. Make PCS a long-term commitment<\/strong><\/span><\/p>\n\n\n\n
Establishing a healthy cybersecurity culture and an environment for people-centric security is a long process that requires thorough planning, continuous employee education, and regular evaluation of the results. If your organization aims to adopt the PCS approach, you should be ready to commit.<\/p>\n\n\n\n
This strategic commitment<\/a> could take the following forms:<\/p>\n\n\n\n
- \n
- Choosing a fitting methodology, tools, and evaluation methods on your own<\/li>\n\n\n\n
- Hiring a management consultant who specializes in cybersecurity culture and driving business change to help you<\/li>\n<\/ul>\n\n\n\n
The first method may be time-consuming at the beginning, since your cybersecurity officers will have to explore the PCS approach in detail. On the bright side, it will give you a clear picture of all the options available and a deeper understanding of the value of PCS.<\/p>\n\n\n\n
Hiring an experienced consultant will definitely save your time and allow you to start implementing the PCS approach much faster. However, it will require additional funds.<\/p>\n\n\n\n
An HVAC Service Provider Secures Data and Maintains Employee Productivity after Switching to Remote Work [PDF]<\/a><\/p>\n\n\n\n
4 key elements of securing remote work with a people-centric approach<\/h2>\n\n\n\n
Let\u2019s explore practices and tools that will help you in establishing a beneficial human-centric security framework within your organization.<\/p>\n\n\n\n
![\"4-key-elements-of-establishing-pcs\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/4-key-elements-of-establishing-pcs.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
1. Customized security training<\/strong><\/span><\/p>\n\n\n\n
The major goal behind customized security training is to help employees:<\/p>\n\n\n\n
- \n
- Understand common risks, threats, and their consequences<\/li>\n\n\n\n
- Be prepared for industry-relevant threats<\/li>\n\n\n\n
- Always follow cybersecurity practices<\/li>\n\n\n\n
- Be able to recognize social engineering attacks and other threats<\/li>\n<\/ul>\n\n\n\n
A great way to achieve this goal is to personalize training and all the cybersecurity materials your employees are asked to get familiar with. By customizing training for the specifics of your organization and the routines of different types of users, you can help employees recognize themselves and better grasp useful information. When information is standardized and bland, employees tend to get bored and lose attention.<\/p>\n\n\n\n
Microsoft has prepared the following six helpful tips<\/a> to enhance your security training strategy with a people-centric approach:<\/p>\n\n\n\n
![\"microsoft-6-tips-for-enabling-pcs-with-security-training\"\/](\"https:\/\/www.syteca.com\/wp-content\/uploads\/2023\/04\/microsoft-6-tips-for-enabling-pcs-with-security-training.jpg\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
2. Artificial intelligence (AI) and machine learning (ML) tools<\/strong><\/span><\/p>\n\n\n\n
Both AI and ML technologies are already used in cybersecurity software to detect potential threats and mitigate hacker attacks. However, they can also be applied to help employees learn an organization\u2019s security rules and reduce cyber risks related to human factors.<\/p>\n\n\n\n
As part of robust user activity monitoring software<\/a>, AI and ML can:<\/p>\n\n\n\n
- \n
- Monitor user behavior<\/li>\n\n\n\n
- Detect cybersecurity violations and potentially dangerous actions<\/li>\n\n\n\n
- Trigger user notifications of security violations<\/li>\n<\/ul>\n\n\n\n
Some cybersecurity solutions allow for configuring notifications that educate users on detected violations. Thus, such technologies can gradually change user behavior towards security and foster a cybersecurity culture within an organization.<\/p>\n\n\n\n
3. Simulated social engineering attacks<\/strong><\/span><\/p>\n\n\n\n
Organizations often use simulated social engineering attacks to check how well employees have grasped cybersecurity training. These attacks can include phishing, pretexting, and baiting.<\/p>\n\n\n\n
For example, you can create phishing emails that are harmless but that help you see how employees will behave during attacks. This allows you to learn why employees act insecurely, and you can use this information to personalize your security training and cover gaps in your human cyber shield.<\/p>\n\n\n\n
Although the click rate will give you some indication of organizational vulnerability and an idea of how effective your security training is, you shouldn’t strive to receive the perfect score. Making the click rate the key marker is wrong because anyone can be phished; it just takes the right email, at the right time, in the right situation.<\/p>\n\n\n\n
4. Communicating risks<\/strong><\/span><\/p>\n\n\n\n
Risk assessment is the basis of any security program. By determining and evaluating risks relevant to your organization, you can effectively adjust your cybersecurity strategy to combat possible threats. However, this helpful information shouldn\u2019t only be used by C-level executives and security officers.<\/p>\n\n\n\n
PCS can succeed only when all employees have enough tools and knowledge to be a true cyber defense for an organization. Consider risk assessment reports as material that can be reworked into helpful brochures and slides for the next security training.<\/p>\n\n\n\n
When exploring the real facts and numbers, employees begin to treat cybersecurity like a real thing, not a hypothetical danger. Thus, they\u2019re more likely to change their attitudes and behaviors, which will help you build a strong cybersecurity culture within your organization.<\/p>\n\n\n\n
Insider Threat Risk Assessment: Definition, Benefits, and Best Practices<\/a><\/p>\n\n\n\n
How can Syteca assist you with people-centric security?<\/h2>\n\n\n\n
Syteca<\/span> is a comprehensive insider risk management platform that helps organizations detect and prevent insider threats. In addition, it allows you to immediately respond to potential incidents and provides detailed context for their further analysis.<\/p>\n\n\n\n
In terms of people-centric security, you can use the Syteca platform to:<\/p>\n\n\n\n
- \n
- Monitor user activity<\/a> of in-office and remote employees to know who accesses what<\/li>\n\n\n\n
- Set warning messages on violations to help users better learn your organization\u2019s cybersecurity rules<\/li>\n\n\n\n
- Detect abnormal user activity<\/a> and mitigate a potential risk before it turns into an incident by leveraging AI-based user behavior analytics<\/li>\n\n\n\n
- Analyze essential user activity data with extensive customized reports<\/a><\/li>\n<\/ul>\n\n\n\n
Syteca can also help you comply with major cybersecurity regulations, laws, and standards like NIST 800-53<\/a>, SWIFT CSP<\/a>, HIPAA<\/a>, GDPR<\/a>, FISMA<\/a>, and PCI DSS<\/a>.<\/p>\n\n\n\n
- Monitor user activity<\/a> of in-office and remote employees to know who accesses what<\/li>\n\n\n\n
- Responsibility<\/span> \u2014 Employees must take responsibility for how they handle data, use devices, etc.<\/li>\n\n\n\n
- Accountability<\/span> \u2014 Owners of information must be accountable for protecting it.<\/li>\n\n\n\n