Breaking bad habits
Understanding the essential components of security awareness training.
Are your employees putting your organisation at risk? Absolutely. According to Verizon's 2022 Data Breach Investigations Report, the root cause of 82% of data breaches is human error. From downloading a malware-infected attachment to opening phishing emails or failing to use a strong password, unintentional actions – and sometimes the lack of action – allow cybercrime to happen. “For criminals, targeting people makes sense as it's faster, easier, and more profitable than targeting systems,” says Monique Hart, lead solutions engineer at VMware Sub-Saharan Africa. “Cyber attackers target weak points, and it’s easy to exploit human nature with diversionary tactics, such as creating a false sense of urgency or impersonating trusted people.” And the true cost of cybercrime can continue long after a breach occurs. Be it insurance rate hikes, legal costs, reputational damage or regulatory fines, the fallout lingers, and one of the most important ways to maintain a safety-first organisation is through security training and awareness.
“The whole idea of security awareness training was generated by the fact that people make silly mistakes,” says Guy Golan, the co-founder and chief executive officer of Performanta. For Golan, it’s not simply about education – creating real awareness is a psychological matter. Everyone makes mistakes; it’s a key part of how people grow and learn, and Golan’s approach to security awareness training is something he calls the ‘triple A’. “First, you need to be aware. After that, you need to acknowledge and then you need to act. So, the reality is that you need to address the awareness element first – move people from unaware to aware. Once you move into acknowledgement and take some action, that is the training element,” he explains.
Spotting the gaps
One of the biggest issues with security awareness training is that employees have unique learning styles and preferences. Because security awareness is rooted in education, one style or format may not work for the entire team – and it isn’t about clicking through a PowerPoint presentation to get to the check box at the end. “Organisations are facing a disparity in the level of awareness of their workforce,” says Golan. “The reality is that we are all different…a younger generation born into a TikTok world understands IT so when they’re absorbed into the workforce, they’re far more mature than those who haven’t been exposed to as much technology.”
Saving the C-suite
Golan believes that most organisations don’t know what they want to get out of cyber. And in the C-suite, there’s a breakage in translation between high-level executives and those who create awareness campaigns, which often means they’re not fit for purpose. “We need to ensure that awareness campaigns, as they happen, are tailor-made as they possibly can be for different people in different roles,” he says. “Right now, awareness campaigns are canvassing organisations as broadly as they possibly can and while there is a good in that, the negative is that for people to become more aware, you need to manage your security awareness training on an ongoing basis.”
People: a problem and a solution
For Golan, the solution is repetition. “It’s the rule of seven. You need to have seven repetitions for something to sit in and become as close as possible to a habit. But when an organisation deploys a security awareness campaign, it’s not done often enough or with the right magnitude…if you’re not at the level of acknowledgement, the training will be futile.”
Anna Collard, the SVP of content strategy and evangelist for KnowBe4 Africa, where she drives security awareness across the African continent, believes that to change human behaviour so that people become more security-savvy and vigilant, a human-centric approach is needed. “This takes into account that we are social animals and creatures of habit,” she says. “Purely raising awareness levels may appeal to people’s intellectual understanding, but does not make them change their behaviour. Adapting strategies from fields such as social sciences and cyber psychology is a more effective way to address security culture.”
A human risk management programme with a people-centric approach means your workforce can become your strongest – instead of your weakest – security asset. “It starts off with the understanding that people are not machines. We need to tap into fields such as psychology, motivation, change management, and organisational culture, coupled with a lot of empathy and strong communication skills,” says Collard. Her understanding is similar to Golan’s in that she acknowledges that you first need an understanding of the current maturity level of your organisational security culture. “You can't manage what you can't measure,” she says. “Identify areas of improvement and then work with the executives on a long-term organisational culture programme. This can’t be driven by the security team alone, but needs to be a collaborative effort between security, HR, corporate wellness, communication, and learning departments.”
In order for security awareness training to make a real impact, it cannot be prescriptive. The most powerful campaigns are the ones that create a psychological mind shift that goes beyond, ‘do not click on this link’ and recognise the risks a business wants to prevent. “It’s painful in the sense that organisations are spending a lot of money, ticking the right boxes because they’re running an awareness campaign, but the reality is they’re suffering more breaches than ever before,” says Golan. “Security awareness training should be educational and ongoing. Don’t deploy a campaign without considering the real impact. To work, it needs repetition, it should be as contextual as possible and it must align to the risks an organisation faces. It should be holistic and form a culture where everyone is contributing to the same level of security and then, you’re going to get some amazing results.”
10 steps to build a security-first culture
According to Wayne Olsen, managing executive, cybersecurity at BCX, building a security-first culture requires a combination of top-down leadership, employee education and training, and a commitment to continuously improve security practices. “Organisations should incorporate security into company values and mission statements, and drive this as a culture, not annually or monthly, but weekly,” he says. “Having a yearly cyber-awareness campaign no longer suffices. It needs to be at the forefront of every employee, every single day.”
- Establish clear security policies and procedures and communicate them to all employees.
- Assign clear security roles and responsibilities to ensure accountability.
- Provide regular security training and awareness programmes for employees to educate them about best practices and potential threats.
- Foster a culture of open communication, where employees feel comfortable reporting suspected security incidents or vulnerabilities.
- Encourage employees to practise good security habits, such as using strong passwords and being mindful of phishing attempts.
- Regularly review and update security policies and procedures to ensure they remain effective, considering new threats and technologies.
- Provide the necessary resources and tools to enable employees to follow security best practices and stay secure.
- Regularly test security controls to ensure they are working as expected and identify any areas for improvement.
- Reward and recognise employees who demonstrate strong security practices and help promote a security-first culture.
According to Amritesh Anand, VP and MD, Technology Service Group IT Infrastructure, a strong Human Risk Management (HRM) programme should be made up of five key components:
- Risk assessment
- Employee awareness and training
- Implementing clear policies and procedures
- Constantly monitoring employee adherence to the HRM policies and procedures
- Regular evaluation of the effectiveness of the HRM programme in place
While these elements provide a good overview of what HRM comprises strategically, Anna Collard’s take on HRM is more people-centric. It starts off with “understanding that people are not machines,” she says. “We need to tap into fields such as psychology, motivation, change management, and organisational culture, coupled with a lot of empathy and strong communication skills.”
But there’s also a third way of looking at HRM, a disruptive position that ties into the latest Forrester research, which says that the widely accepted view that ‘security is everyone’s responsibility’ is slowly becoming obsolete. Instead of businesses taking a human-first approach, Forrester’s report – The Future Of Security Awareness And Training – calls for adaptive human protection: “In the future, adaptive human protection will understand employees’ and customers’ security behaviour and decision-making; influence that behaviour in the right way at the right time; and shape technology so they avoid security missteps without having to make conscious decisions,” the report reads.
HRM success is often measured according to completion or phishing click rates, instead of actual behaviour or culture change. “We don’t have the luxury to ignore the human element in security — every security control has a human element,” writes Forrester. “And we certainly can’t continue to address it in the way we have been, by training all the people on all the things all of the time. We all have limited resources in this life, at work and beyond, and we need to be smart, creative, and adaptive about it.”
* This feature was first published in the April edition of ITWeb's Brainstorm magazine.
* Article first published on brainstorm.itweb.co.za