A cyber breach can devastate a company, and its far-reaching negative impacts continue to ripple outward long after the initial financial losses.
Cyber criminals count on the fact that busy people perform hundreds, if not thousands, of daily actions on a computer or device connected to the internet, and they know that most of those actions are performed automatically and without much thought. As a result, the majority of today’s data breaches result from human error, making cybersecurity a “people problem” as well as a technology issue. Cyber criminals also count on the fact that at least a portion of any employee population won’t have the information or awareness necessary to fend off an attack. Fortunately, the significant risks that clicking, tapping, and browsing employees represent can be effectively mitigated with a well-thought-out and carefully delivered internal cybersecurity campaign.
The first step is to make sure that your people recognise the threat and understand what their role in countering it can be.
Many companies make the classic training mistake of pushing lots of information at their employees, without first taking the time to help them understand why the topic matters or why it should be relevant to them. Any effective cybersecurity programme must take this into consideration. Peer-to-peer recognition and group norms can have a powerful influence on attitudes. Personal and direct language like “we’re counting on you” and “it’s up to all of us” can help convince employees that cybersecurity is important to the company and deserves their attention. This may induce employees to change their behaviour not only because they know the facts, but because they don’t want to let down their co-workers and employer. Once people start to care, it’s possible to embark on building a level of awareness and knowledge that will ultimately drive real change in individual and group behaviours over time.
A successful awareness campaign alerts employees to key risks, and enables them to instinctively make the right decisions when going online, using devices, and handling company information.
Note that training and awareness are not one and the same (although the two are linked), and each creates a different level of protection. An awareness programme asks employees to do much more than sit down once a year for 30 minutes, memorise a list of facts and strategies, pass a test, and move on. Instead, awareness activities integrate a deep, instinctive layer of knowledge into the automatic actions employees take as they go about their daily work. They motivate people to stop, slow down, think twice, and make wiser decisions.
Success comes about when employees are equipped with strategies, rules, and basic knowledge about cyber risks and how to mitigate them.
We know we are being effective when employees understand how their actions and behaviours affect the risk of a breach, and learn the correct actions to take in order to fend off cyber-attacks and stay in compliance with company policies and procedures. Moreover, it is important to emphasise to employees that they must be in a constant state of alert, and adopt a questioning attitude that will inform every action they perform each day.
As to the methodology of any such awareness programme, advanced learning techniques draw heavily on recent research into brain science, behavioural psychology, and persuasion: techniques that have proven effective in influencing or redirecting individuals towards a desired outcome. Moreover, modern communications principles can be adapted to drive the message home effectively. Keeping it short is one of them. People simply tune out anything that’s too long, instead preferring to consume information in bite-sized pieces. This means that short, engaging, well-crafted messages have the best chance of getting through to and engaging your audience. Another tip is to customise the message to fit the individual. Make it about ‘them’. If you manage to keep it relevant, you will be providing a personal connection and a sense of understanding and belonging, to which they will respond more readily.
When driving behavioural change, there is no magic bullet. Progress will happen over time, and the effectiveness of different methods will vary with each particular company, its culture, risk profile, and employee base.
Creating and deploying a research-based, best practice cybersecurity programme targeting employees is just the first step.
Such programmes also need to be updated over time to reflect new risks, technologies, and threats. To assess the effectiveness of a company’s current approach, it’s also important to measure employee awareness, attitudes, knowledge, and motivation regarding the cybersecurity materials, policies, and training the company has provided.
Awareness solutions, when coupled with sound teaching techniques and motivated employees, don’t just arm people with knowledge: they equip and empower employees to put that knowledge to use in ways that make sense and that fit in with how they perform their jobs. You will have a strongly motivated cohort to safeguard company systems and information. When fully engaged, this cohort creates a formidable human firewall capable of spotting and preventing even the most sophisticated cybercrime attempts.
This article first appeared in The Sunday Times of Malta on 02/06/2019. To learn more about our information security service offering click on www.mazars.com.mt/infosec