We have all been served by a surly retailer who has made us feel that their job and life would be easier if it weren’t for the customers. Alas, sometimes it feels the same applies in cybersecurity. Life would be so much better if not for those pesky employees.
We all know the stats – employees are the biggest cybersecurity risk. A joint study from Stanford University Professor Jeff Hancock and security firm Tessian revealed that nine in 10 (88%) data breach incidents are caused by employees’ mistakes. And this is costly. Research from Ponemon found that, in 2020 alone, data breaches cost a business an average of $3.86 million.
To date, businesses have tried to mitigate this threat with awareness, training and policies. But as the statistics clearly demonstrate, this isn’t always effective. The situation hasn’t been eased by the COVID-19 pandemic.
Approximately a year ago, countries were thrown into lockdown with little to no notice. Employees immediately needed access to company data and systems from their own homes. In businesses with minimal or no existing remote working capabilities, IT and security teams needed to rapidly roll out solutions, carefully balancing risk reduction against usability.
Locking everything down too tightly may tempt employees to try and find workarounds so that they can just get on with their jobs, an effect that could only be exacerbated when everyone was under increased pressure and trying to adjust to the situation. Risk appetites had to be adjusted to enable business as usual (BAU) to continue, and it was key to give leadership data-driven insight so they could manage this with all the facts in their possession.
As the lines between home and work continue to blur and everyone is feeling the pressure of the ongoing global situation, it becomes easier to make mistakes, potentially opening the door to attackers. People can be an excellent defense against attacks when they are well trained and not subject to undue stresses, so in these challenging times it’s important that businesses take care of their teams, so that their teams can help take care of the business. A key way to address this is to actively measure the cyber-awareness culture.
A cyber-awareness culture
A cyber awareness culture is not about the psychology of human errors. By that I mean it’s not about delving into ‘why’ employees are not following policies, or ‘why’ they are reluctant to report mistakes they may have made. It’s about moving away from blame and creating a fundamental shift in the relationship between security and users – whereby users become security assets, rather than security liabilities.
This requires empowering people to become part of the solution. And to make them care, we have to listen and empathize. If someone views cybersecurity as an imposition, something that hinders them from doing their job, then they aren’t going to prioritize giving it the respect it needs. We need to engage the workforce and make security relevant to them and their job.
One way to achieve this is to approach security by identifying personal motivators. Analogies about how cyber risk affects them in their personal life can help make it applicable in the workplace. These types of exercises also help identify ‘champions’ – people who do ‘get it’ and are happy to help educate others in their team and drive a cyber-aware culture.
Measuring a cultural shift means going beyond the basics. We can’t tell whether staff are becoming more cyber aware by checking the standard metrics, such as who has completed the training. The real question isn’t whether staff have completed it; it’s whether they engaged with the training, and whether it was effective. More in-depth security questionnaires can help with that, and it’s not just the answers that count – it’s how quickly staff identify the right response, and how their response rate changes over time to demonstrate an increasing understanding. You’ll also see cyber-awareness paying dividends when new policies are introduced and they are embraced rather than ignored.
Building human cyber resilience isn’t easy, but it’s a worthwhile endeavour. CybSafe, a data analytics company, explains it well in its whitepaper “Measuring Cyber Security”: “Understanding an [organization]’s security culture is an integral part of understanding its overall risk profile; it’s possible, for example, for an individual to know what to do, to hold a positive attitude towards security and yet to behave in an insecure manner thanks to a corrosive culture of mistrust, individualism or unrealistic expectation.”
Awareness of the human factor risk is just one element in understanding your overall security and risk posture. With this overlay information added to a human-centric program, you’ll soon move to a positive relationship where users can be part of the solution, and a cyber-awareness culture can finally be realized.