Digital adoption leapt forward by the equivalent of a decade in the first months of the COVID-19 pandemic, accelerating the shift to digital commerce that began in the 2010s. According to recent research, the pandemic-driven boost to e-commerce is estimated to have exceeded $200 billion across 2020 and 2021.
As a result, the retail industry has become an even more attractive target for cybercrime. In 2021, ransomware attacks on retailers rose 75% while U.S. consumers spent a record-breaking $1.7 trillion online in the same year.
With large repositories of customer data and Personally Identifiable Information (PII), a successful attack on a retailer yields a significant return for an attacker. Guess, Neiman Marcus and CVS Health are among the global household brands targeted and compromised by malicious actors in recent years.
As boards and executives look to mitigate the risk of such attacks, they tend to advocate increased spend on best-in-breed tooling rich in automation and artificial intelligence, and many fail to recognize that people still serve as the first line of defense. For retail organizations in particular, phishing emails and social engineering remain the most common initial delivery vectors for an attack. Given this, retailers, and organizations in other industries, stand to benefit from a more human-centric approach to their security problems.
Security Awareness and Training (SA&T) has traditionally been the default course of action when an organization sets out to strengthen its human defenses. Awareness training can help reduce human error and promote collaboration between security teams and other departments. However, legacy awareness programs are no longer sufficient on their own, as evidenced by the fact that the human element continues to feature heavily in most breaches.
A recent Forrester Wave report explored the importance of the “ABCs: Awareness, behavior, and culture” as a means to better protect against rising threats. Reducing human risk starts with instilling positive behavioral change among employees and ultimately shifting their perceptions of, and attitude towards, security and risk. This can be achieved in a number of ways.
Timing is Everything
On average, retail workers receive nearly 50 malicious phishing emails each year, each one an opportunity for an employee to mistake a lure for a legitimate message and hand an attacker a foothold in the network. As attackers increase the frequency and variety of their phishing campaigns, organizations should do the same with their simulations. Infrequent, mass phishing tests sent simultaneously to all employees do little to improve security posture or change behavior.
The problem is that such tests do not catch employees by surprise: they are expected, and employees react accordingly. Instead, organizations should send frequent, varied simulations on different days and at different times. When employees encounter simulated attacks regularly, the issue stays top of mind, and repeating this over time shapes new cybersecurity habits.
Gamified learning is another critical component of high engagement, which in turn is essential for lasting behavioral change. Incorporating gamification can transform employee mindsets and help staff detect and report even sophisticated attacks.
By simulating attacks in controlled, gamified environments, organizations can put employees’ skills to the test and let them practice reducing risk in real time. It puts users in the mindset of real attackers and leads to a better understanding of how to spot the most convincing lures. In practice, it also increases the number of employees who report suspicious activity to security teams rather than simply deleting or ignoring it.
Personalization and Variation
It is crucial to prepare employees for every type of threat, from phishing to authority impersonation and invoicing scams, and the list continues to grow. Ensure that the training addresses both the role and the skill level of each trainee; personalization is key to lasting behavioral change. Start by understanding the most common threats and risks (both current and emerging) for each business area. For example, the HR function faces different security challenges than sales. Use this context to create highly personalized programs for each person in each business segment.
Adopt a micro-training model and create short, easy-to-digest content to achieve high impact. For behavioral change, brevity is your best friend. Think TikTok for security training.
In addition, consider each employee’s skill level. Start with easy tests, then gradually increase the difficulty. The right level of challenge along each employee’s personalized learning path keeps them engaged and interested, and pushes them to think critically.
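The two ideas above, staggered and varied simulations rather than one mass send (Timing is Everything) and a difficulty ladder that starts easy and ramps up per employee (Personalization and Variation), are easy to turn into a small scheduler. The following is an added example written for this article, not code from any product or vendor mentioned in it. The staff list, template names, tier rules and the 8:00-17:00 business-hours window are constructed assumptions; a real platform would pull history from its reporting plugin and its phishing outcomes.

```python
"""
Phishing-simulation scheduler with staggered timing, template rotation and an
adaptive difficulty ladder. Added example; the staff records, template names
and tier rules are constructed for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed template catalogue keyed by difficulty tier
# (1 = obvious cues such as bad grammar, 3 = subtle, context-aware lures).
TEMPLATES = {
    1: ["generic-password-reset", "fake-parcel-notice", "prize-draw"],
    2: ["hr-benefits-update", "it-mfa-reenroll", "shared-doc-link"],
    3: ["vendor-invoice-thread", "exec-gift-card-request", "payroll-bank-change"],
}


@dataclass
class Employee:
    name: str
    dept: str
    tier: int = 1                                      # current rung on the learning path
    history: list[str] = field(default_factory=list)  # "reported" | "ignored" | "clicked"


def next_tier(emp: Employee) -> int:
    """Step up after two consecutive reports, step down after a click, otherwise
    hold: an easy start that only ramps up with demonstrated skill."""
    if emp.history[-1:] == ["clicked"]:
        return max(1, emp.tier - 1)
    if emp.history[-2:] == ["reported", "reported"]:
        return min(3, emp.tier + 1)
    return emp.tier


def working_days(year: int, month: int) -> list[date]:
    """Monday-to-Friday dates of the given month."""
    d, days = date(year, month, 1), []
    while d.month == month:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    return days


def schedule_month(staff, year, month, sends_per_person, seed=0):
    """Return a list of (send_datetime, employee, template) tuples, sorted by time.

    Each employee gets `sends_per_person` simulations on distinct random working
    days at random business-hour times, each using a different template from
    their own tier, so the campaign never collapses into a single mass send."""
    rng = random.Random(seed)  # seeded so a schedule can be reproduced for review
    days = working_days(year, month)
    plan = []
    for emp in staff:
        emp.tier = next_tier(emp)
        pool = TEMPLATES[emp.tier]
        if sends_per_person > len(pool):
            raise ValueError(f"only {len(pool)} tier-{emp.tier} templates available")
        for day, tmpl in zip(rng.sample(days, sends_per_person), rng.sample(pool, sends_per_person)):
            when = datetime(day.year, day.month, day.day, rng.randint(8, 17), rng.randrange(0, 60, 5))
            plan.append((when, emp, tmpl))
    return sorted(plan, key=lambda item: item[0])


def peak_daily_share(plan, headcount: int) -> float:
    """Largest fraction of staff targeted on any single day. A value near 1.0
    means the schedule has drifted back towards a predictable mass send."""
    per_day: dict[date, set[str]] = {}
    for when, emp, _ in plan:
        per_day.setdefault(when.date(), set()).add(emp.name)
    return max(len(names) for names in per_day.values()) / headcount


# Constructed staff list with prior simulation outcomes.
STAFF = [
    Employee("ana", "hr", 1, ["ignored", "reported", "reported"]),
    Employee("bo", "sales", 2, ["reported", "clicked"]),
    Employee("cy", "finance", 3, ["reported", "reported"]),
    Employee("di", "store-ops", 1, []),
]

if __name__ == "__main__":
    plan = schedule_month(STAFF, 2024, 3, 2, seed=7)
    for when, emp, tmpl in plan:
        print(f"{when:%Y-%m-%d %H:%M}  {emp.name:<4} ({emp.dept}, tier {emp.tier})  {tmpl}")
    print(f"peak daily share of staff targeted: {peak_daily_share(plan, len(STAFF)):.2f}")
```

Running it prints a month of sends in which ana has been promoted to tier 2 after two reports, bo has dropped back to tier 1 after a click, and nobody receives the same template twice. The `peak_daily_share` check is the one to watch in a real rollout: if it approaches 1.0 the schedule has become the mass test the article warns against.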
Even with all of the above in place, an organization will not achieve the desired results without positive reinforcement during training. When training is positive, employees become more eager to participate in developing their skills and reporting threats. Feedback and recognition are important factors here.
When a trainee successfully detects a threat, have a system in place that provides recognition, and give personalized feedback. If an employee does not handle a threat perfectly but shows a positive response along the way (for example, reporting a suspicious email after having clicked its link), acknowledge it.
Achieving noticeable behavioral change takes time, effort and dedication. Challenging the notion that people are the weakest link and adopting behavior-change platforms will create a strong human detection engine, one of the most impactful ways to lower organizational risk.