2024 Olympics Highlight Importance of Human Risk Mitigation

The 2024 Olympic threat landscape exemplifies why human risk mitigation must be a core focus of cyber defense strategies across all security environments.

Lance Spitzner, Senior Certified Instructor, SANS Institute

August 8, 2024


As the world's eyes are on Paris for the 2024 Olympic Games, a less visible competition between threat actors and cyber defenders has been unfolding behind the scenes. Olympic officials expected more than 15 million visitors, including 15,000-plus athletes from 200 countries, in Paris for the games -- generating an estimated €11 billion in new economic activity. The scale of the event, rapid surge in commerce, and global audience made it a highly attractive target for hacktivists and financially motivated cybercrime.

The French government’s cybersecurity agency warned in July that ransomware attacks against officials, athletes, and volunteers would be “inevitable” during the summer games. In addition, a July 18 Forbes report citing Mandiant threat intelligence data indicated that the Olympics may face elevated risk from Russian-backed Advanced Persistent Threat (APT) groups due to France’s financial and military support for Ukraine. The Olympics will also be leveraged for phishing scams directed at everyday fans, similar to social engineering campaigns constructed around other high-profile events like the Super Bowl and Amazon Prime Day.  

The strategic targeting of Olympic infrastructure is not new by any means. The 2021 Tokyo Olympics received an estimated 450 million cyberattacks according to Cisco data. In 2018, a scarily deceptive breach in Pyeongchang, South Korea nearly shut down the Winter Games’ opening ceremony. While “assume breach” mindsets have become commonplace across cybersecurity, the increasing normalcy of a biennial Olympic threat storm doesn’t make the attacks any less detrimental. It exemplifies the importance of prioritizing human risk mitigation as a core focus of cyber defense across all security environments. Most of the successful attacks that unfold during the Paris Olympics will involve the human element in some capacity. In 2024, human risk must be treated for exactly what it is: one of our world’s most pressing cybersecurity vulnerabilities.


The Varying Forms of Human Risk  

The 2024 Verizon Data Breach Investigations Report found that the human element was involved in 68% of the 30,458 breaches it analyzed. Cybersecurity isn’t just a technical challenge anymore -- it’s a human issue at its core. Chief security officers (CSOs) must design their security architectures, defense strategies, and organizational training programs with this reality in mind.  

Mitigating human risk is an ongoing process that requires commitment from all levels of an organization. However, when cultivating any enterprise-wide mitigation effort, it is critical to first differentiate human risk by its four varying forms.  


  • Negligence: Occurs when individuals disregard or fail to follow established security protocols and best practices. This can include actions like sharing passwords, leaving sensitive documents unsecured, or failing to update software.  

  • Error: Involves unintentional mistakes made by users or employees that can compromise security posture. Examples include misconfigurations, accidental data deletions, or sending sensitive information to the wrong recipient.  

  • Victims: Refers to individuals who fall prey to common threat actor TTPs like phishing and business email compromise that grant unauthorized access to sensitive data or credentials.   

  • Malicious: Encompasses intentional actions by insiders or former insiders to harm the organization or gain personal benefit. This can involve data theft, sabotage, or deliberately introducing vulnerabilities into systems.  

In this context, it’s also important to remember that malicious insider threats differ in nature from the other three forms. This, in turn, calls for an entirely different approach to risk mitigation, akin to a sophisticated counter-intelligence program. The process should begin with rigorous pre-employment screening and character assessments, aiming to identify individuals with a high propensity for ethical behavior and loyalty. Once hired, a layered system of checks and balances must be implemented, including the principle of least privilege, segregation of duties, and robust monitoring systems, all designed to constrain the potential impact of any single actor.


Ongoing detection is the most challenging aspect of this undertaking. It involves leveraging advanced behavioral analytics, anomaly detection systems, and contextual intelligence gathering to identify subtle indicators of malicious intent. The complexity lies in the unique nature of each insider threat -- their motivations, methods, and opportunities often diverge significantly from historical patterns, necessitating a flexible and continually evolving detection strategy.  

The Simplification Effect 

Unlike malicious insiders, managing the other three forms of human risk -- negligence, error, and victims -- comes down to a common yet often overlooked theme: simplification. Complex security processes and procedures can lead to user frustration, workarounds, and ultimately, increased risk. By streamlining security measures and making them as user-friendly as possible, organizations can significantly improve compliance and reduce the likelihood of human error. This might involve simplifying password policies, implementing single sign-on solutions, or creating intuitive interfaces for security tools. The goal is to make secure behavior the path of least resistance for employees, reducing cognitive load and the temptation to bypass security measures for the sake of convenience. 

Clear, enforceable security policies provide a framework for expected behavior that is accessible to all employees. These policies should be regularly updated to reflect the current threat landscape and, in line with the principle of simplification, should be written in clear, concise language that all employees can understand and apply. In parallel, organizations must prepare for human-caused incidents with detailed incident response plans. Conducting regular drills demystifies the complex nature of incident response for non-technical employees, further ensuring all stakeholders understand their roles in the event of a breach. 

Actionable Steps to Mitigate Human Risk  

At the core of human risk mitigation is a comprehensive and company-wide security awareness training program, which should be continual, engaging, and tailored to current threats, best practices, and employee interests. This training is most effective when coupled with efforts to foster a security-conscious culture across the company, where every employee feels responsible for protecting the organization’s threat environment. By fostering a culture that encourages open communication, generates cross-functional buy-in and rewards security-conscious behaviors, CSOs and risk management leaders can significantly enhance their organization’s overall security posture to defend against evolving human-oriented threats. 

Implementing robust access controls is another crucial component. This includes applying the principle of least privilege, ensuring employees only have access to resources necessary for their roles, and mandating the use of multi-factor authentication. Regular reviews and updates of access permissions help maintain the integrity of these controls. Alongside access management, continuous monitoring and analytics play a vital role in detecting unusual behavior patterns or policy violations, allowing for swift responses to potential threats.

While not a complete answer on its own, leveraging the right arsenal of tools and technologies can significantly support human-focused efforts. Solutions such as data loss prevention tools, endpoint detection and response systems, and advanced email filtering can provide additional layers of protection against human-centric vulnerabilities. Lastly, regular risk assessments are essential to identify vulnerabilities in processes, training, or technology that could be exploited through human error or malicious intent. These assessments should inform ongoing improvements to the organization's human risk mitigation strategies, ensuring they remain effective against evolving threats. 

By integrating these strategies and prioritizing simplification, organizations can create a comprehensive defense against human-centric cyber threats, transforming their people from a potential weakness into a unified line of defense.  

About the Author

Lance Spitzner

Senior Certified Instructor, SANS Institute

Lance Spitzner has over 25 years of security experience in cyber threat research, security architecture and security culture and training. He helped pioneer the fields of deception and cyber intelligence with his creation of honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build security awareness and culture programs to manage their human risk. Lance is the author and an instructor for the SANS MGT433: Managing Human Risk and MGT521: Security Culture courses. Lance is a frequent speaker and works on numerous community projects. Before information security, Lance served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois. 
