Cyber attacks aren’t just getting more frequent, they are also becoming significantly more vicious and sophisticated. According to the latest 2019 figures from the Ponemon Institute’s “Cost of Data Breach” study, the average cost of a data breach has reached nearly $8.64 million in the US, alone. Yet today’s cyber attacks have far-reaching negative impacts that continue to ripple outward long after the initial financial losses. These indirect damages include a tarnished brand reputation, lost relationships, and possible legal liability.
Cyber criminals count on the fact that busy people perform hundreds, if not thousands, of daily actions on a computer or device connected to the internet and they know that most of those actions are performed automatically and without much thought. As a result, the majority of today’s data breaches result from human error, making cybersecurity a “people problem” as well as a technology issue.
The solution to this people problem goes beyond IT and involves cultivating an entirely new employee mindset around cybersecurity – one that is motivated by more than facts and fear, one that is based on continually raising awareness and putting secure actions and decisions at the forefront of the company culture.
Make People Care about Cybersecurity
A key element of building an effective human firewall is to make employees care about cybersecurity. Many companies make the classic training mistake of pushing lots of information at their employees without first taking the time to help them understand why the topic matters or why it should be relevant to them.
If employees don’t care about a subject, they won’t take the time to absorb the information you’re providing, no matter how comprehensive or accurate.
Any effective cybersecurity training program must start with this human element – for example, mining behavioral psychology research and the art of persuasion for tactics and techniques that get employees invested in the subject and help them become more receptive to the learning or awareness activities that follow. For instance, peer-to-peer recognition and group norms can be a powerful influence. Personal and direct language like “we’re counting on you” and “it’s up to all of us,” along with comments by managers and company leaders can help convince employees that cybersecurity is important to the company and deserves their attention.
Build Awareness and Knowledge
Once people care, it’s possible to start building a level of awareness and knowledge that will ultimately drive real change in individual and group behaviors over time. Here, it’s important to design a program based on methods that actually work, rather than a “one and done” approach that simply ticks the “training” box. Unfortunately, traditional training methods are not enough to effectively protect against this threat because, unlike other risks an organization faces, this one requires every employee to be in a constant state of alert. Employees must adopt a questioning attitude that will affect every action they perform each day.
Advanced learning techniques draw heavily on the recent research into brain science, behavioral psychology, and persuasion – techniques that really work to influence or redirect individuals to a desired outcome. The most effective awareness campaign incorporates up-to-date, research-based techniques like:
– Active practice – asking the audience to apply the concepts, instead of passively receiving the information.
– Spaced retrieval—fast learning leads to fast forgetting, while long-term retention results from information being retrieved regularly over a period of months to strengthen the pathways to permanent retention.
– Interleaving—presenting previous concepts interleaved with new concepts to expose the brain to a combination of events that closely relates to everyday experiences.
– Memory cues – taking advantage of the way human brains create memories to make concepts stick, by using mnemonics, vivid images, analogies, rhymes, or slogans.
Effective awareness also draws from other persuasive fields that specialise in getting targeted messages across, like advertising. Modern communication incorporates tried-and-true advertising principles like make it short; make it personal and make it engaging.
Measure and Monitor
When driving behavior change, there is no magic bullet. Progress will happen over time, and different methods will prove more or less effective for a particular company, culture, risk profile, and employee base. As a result, creating and deploying a research-based, best practice cybersecurity awareness program to employees is just the first step. Programs also need to be updated over time to reflect new risks, technologies, and threats. They should be carefully reviewed and measured – not just once, but systematically over time – to identify, implement, and test possible improvements that might make the program even more effective.
According to the NIST guidelines, CIOs, IT managers, and anyone else responsible for planning and deploying cybersecurity programs to employees should be “primary advocates for continuous improvement.” These program owners should regularly monitor progress, measure results, and plan improvements or adjustments to the program that make the program more effective—as measured by results—for the employees receiving it.
Over time, measuring and monitoring should become even more nuanced and sophisticated. As a minimum, companies should deploy an annual (or bi-annual) survey that tracks attitudes, awareness, and knowledge of key cybersecurity risks, as well as an employee’s level of confidence that he or she has the information needed to work securely. Repeating the same questions year on year will help demonstrate progress – or lack of it – as the program unfolds.
Most companies fall somewhere along a continuum when it comes to creating an effective human firewall and mitigating the risk human error poses in a potential cyber breach. To assess the effectiveness of a company’s current approach, it’s important to measure employee awareness, attitudes, knowledge, and motivation regarding the cybersecurity materials, policies, and trainings they have provided. Carefully crafted survey questions are an invaluable tool for helping companies through this assessment process.
Used properly, the three key elements described above can cultivate a culture of cyber awareness where employees recognize and avoid risky situations and take action as instinctively as reaching for a seatbelt when they start a car. Cybersecurity awareness solutions, when coupled with sound teaching techniques and motivated employees, don’t just arm people with knowledge – they equip and empower employees to put that knowledge to use in ways that make sense and that fit in with how they perform their jobs.
When employees are properly prepared to participate in their company’s cybersecurity program, they will be strongly motivated to safeguard company systems and information, recognizing that they play an important role in keeping data and systems safe and secure.
When fully engaged, this creates a formidable human firewall capable of spotting and preventing even the most sophisticated cyber crime attempts, and offers a significant step towards mitigating the human error behind 95% of the cyber breaches occurring today.
By Peter Schablik, and Scott M. Higgins, Partners, Mazars USA, and A. Stewart Rose, President, ThreatReady Resources