Organisational culture as the last line of defence in cyber security
Organisational culture and behaviour change are crucial to underpin cyber security in organisations, according to Anna Collard, SVP of Content Strategy & Evangelist for KnowBe4 Africa.
Speaking during a webinar on cyber security awareness and culture in South Africa, Collard said there was room for improvement in cyber security culture, and that organisations needed to focus on inspiring behavioural change within their ranks.
Collard said the ITWeb KnowBe4 South African cyber security culture survey found that cyber security culture is important to most respondents. In the study, 72% of respondents said they currently run a security awareness and culture programme, and 28% do not. Just over a third (35%) do not measure their security culture programme. Those who do measure it look mainly at metrics such as phishing simulation results and incidents reported by end users.
Half had experienced an increase in social engineering attacks in the past 12 months, and 55% said they were getting more reports of users being targeted on mobile phones and chat applications.
“This aligns with a larger survey by Forrester two years ago, in which 94% of respondents said security culture is good for business. But in that survey, we asked how they would define security culture, and found there were a variety of perceptions around what security culture means. Responders’ views of what constitutes security culture ranged from levels of compliance through to user behaviour and awareness of security.”
The definition of security culture remains a challenge, said Collard. “If our perceptions vary, it is very difficult to measure and monitor security culture.”
A poll of webinar participants asked ‘How would you define security culture?’. Respondents chose 'Security awareness & understanding' (5%), 'Level of compliance' (2%), 'People’s sense of responsibility & accountability for security' (16%), 'People’s attitudes towards security' (11%) and 'All of the above' (63%).
Collard said ‘all of the above’ was in fact the correct answer.
“There are seven accepted criteria for security culture which can be measured: attitudes, behaviours, cognition, communication, compliance, norms and responsibilities,” she said.
In December/January, KnowBe4 ran another poll, amongst end users across eight African countries. The outcomes, presented in the KnowBe4 African Cybersecurity & Awareness Report 2021, found that in South Africa, 23% said they were affected by cyber crime while working from home, but only 34% were very concerned about cyber crime.
Among those affected by cyber crime across Africa, 33% fell victim to social engineering, 13% had accounts hacked, and 11% reported viruses. In South Africa, 34% who were affected by cyber crime during the pandemic fell victim to phishing and 17% had accounts compromised. Investment scams, tender scams, online shopping scams, vishing and crypto accounts being stolen were also reported. 48% of respondents said they were aware of their security roles and responsibilities, 29% felt they were adequately trained in cyber security and 39% were confident they could recognise a security incident. However, many did not know what a ransomware attack or two-factor authentication was.
“Awareness is not enough – people have to change their behaviour and organisations need to equip employees to do the right thing,” Collard said.
Changing security behaviour
“It is really difficult to change people’s behaviour. As humans, we are lazy, social, creatures of habit and we don’t really like change. We need behavioural interventions to take people from awareness, to intention, to actually changing their behaviour,” Collard said. IT may be tasked with awareness and behaviour change, but they may not have the background to address the psychology of change.
“Most of us are in the ideal zone in terms of attitude to cyber security culture – we support the policies and do the right things most of the time,” she said.
However, distractions can make it easier for people to fall for phishing mails – even if they are aware of phishing risks. KnowBe4 has found that most people (53%) who clicked on phishing links were busy or multitasking at the time.
“One of the main reasons we fall for social engineering attacks is that we’re not present and not in critical thinking mode. We have devices going off at us all the time, multiple meetings and family speaking to us – this can cause us to lose focus. Cognitive overload can cause mistakes to creep in.”
“While most employees try to do the right thing in terms of cyber security, 15 – 20% of employees fall into the negligent zone, many are also in the reluctant zone, and less than 1% fall into the malicious zone,” she said.
Collard said engaging and motivational programmes were needed to drive behavioural change in organisations.
Collard said: “BJ Fogg, the ‘father of Behavior Design’, says behaviour changes when three things happen at the same time: motivation, ability, and a prompt to do the behaviour.” This can be applied in the world of cyber security by making it personally interesting and relevant, using leadership and social influencers, stories and emotions, the power of positivity, and games and gamification. Content needs to be as easy to digest as possible, she added.
The ‘ability’ component of changing behaviour includes tools such as in-the-moment training and realistic simulations, making reporting easy, and providing users with tools such as a password manager, home licences for security software, and education for kids and seniors at home.
Prompts or nudges should ideally be voluntary, not forced. “Find creative ways to insert nudges into the working day. If you’re working on your culture and behaviour change programmes, you need to focus on motivation, ability and prompts,” she said.