Cyber theft costs corporate America dearly—to the tune of $8.64 million per incident, according to a report sponsored by IBM and conducted independently by Ponemon Institute LLC. Yet most companies don’t realize how exposed they are. They assume their state-of-the-art technology systems and written policies protect them. That’s a mistake. Their biggest exposure rides up and down the elevator every day—their employees. Companies think that running employees through mandatory training modules a few times a year means they’ve got cybersecurity covered. They couldn’t be more wrong.
Case in point: New York State’s Department of Financial Services (DFS) just issued compulsory regulations requiring financial institutions to assess their cyber risk and design a cybersecurity program to address it, effective January 1, 2017. But in truth, regulators have been insisting on training for years—and companies have complied—yet cyber breaches are on the rise. Why? Because no one is looking at the qualitative aspects of training to determine whether it really works.
It doesn’t. According to AT&T’s Cyber Insights Report, 62% of companies admitted they suffered security breaches in 2015, and 75% of the Fortune 500 companies were attacked by cyber adversaries. CRN notes that data breaches and security incidents overall are up 49% over last year. How does it happen? Through a gaping hole in training—companies mistakenly presume that a vendor’s 15-minute training session, followed immediately by a short test, suffices. They report to their board that they have the cybersecurity problem covered, lulling everyone into a false sense of confidence. But they are woefully incorrect—employees’ retention is short, and evidence suggests they forget most of what they learned within a day or two. Compounding the problem, boards can now be held accountable for the risk and for the financial and reputational harm that ensues from a cyber breach.
A new training model is needed—one that uses instinctive, active learning techniques to change behavior permanently, encompassing persuasion methods (which have proven effective in advertising), micro bursts of learning, and internal social media channels. One such example derives from the pioneering work of Henry L. Roediger, III, Ph.D., the James S. McDonnell Distinguished University Professor at Washington University in St. Louis.
It’s fairly safe to say that most employees don’t sit at their desks planning how they can hack their companies’ data. But these same people may nonchalantly plug a thumb drive into a corporate computer’s USB port—a simple act that can have disastrous consequences.
Email is another prime culprit—it arrives as rogue content that secretly installs viruses, and it is misused to archive sensitive data rather than using external storage. An inbound call impersonating customer service and requesting that an employee verify account balances is another example. Most employees wouldn’t think of giving sensitive banking information to an unverified caller—at least they shouldn’t—but they may all too readily click on a link, complete a survey, and flood cyberspace with their company’s sensitive data. Failing to change passwords frequently adds to the problem—senior management is particularly culpable, and the C-suite often balks at the nuisance of doing it. But if upper management won’t take that simple step, how can they expect their employees to do so?
Cyber threats are expensive and carry real risk—both to a company’s profits and its reputation. And 95% of them are caused by human error. It’s a real and present danger, and yet, “No one is doing diagnostics on the human element,” says Peter Schablik, Partner at WeiserMazars LLP’s Governance, Risk, and Compliance practice. “It’s a big concern. Most risk assessment consists of technology, policies and procedures, and people. Companies usually get the technology right, and they write solid procedures, but no one is looking at the people factor.”
WeiserMazars understands the enormity of the risk—and what’s involved to mitigate it. “We assess the company’s risk and then design a plan to safely manage its data that involves everyone in the company, because if it doesn’t have organizational support, the program won’t be successful. We focus much of our effort on the people part of the equation. We include robust, effective training designed to change employees’ behavior permanently, because ordinary training solutions simply don’t work,” Schablik says.