While it’s external threats – malware, ransomware and so on – that get the headlines, the biggest risk comes from inside the company. Your human firewall.
The US State of Cybercrime Report found a third of participants suffered an insider incident and most of those proved more costly than those perpetrated by someone outside the organisation. Most of these cyber security breaches happened because an employee acted on a fraudulent email.
Surveys consistently show the main employee related threats are poor password management, phishing and malware download.
In the first nine months of last year, 15 million new strains of malware were found. Even frequent releases of virus checker software won’t catch that amount. And Mimecast’s annual email security test found that of the 45 million emails they checked, 11 million were passed as safe by email client software, meaning it was left to employees to make sure they didn’t click through on a suspect link or download an executable binary file.
But relying on staff as the last line of defence isn’t necessarily a good idea. Some surveys have found that only a fifth of staff attended any form of cyber security training and a quarter didn’t know if their company had a cybersecurity policy.
The human firewall
No business has the capacity, time or money to stay on top of all vulnerabilities or threats. For most, nurturing a workplace culture that is security aware is a much better answer. This human firewall can learn and adapt quickly.
Training content is built around the main cyberthreats – as outlined in our last post- but the challenge is getting the message across.
Why the usual training approaches don’t cut it anymore
Anyone who works in regulated industries will be familiar with the monthly or quarterly cycle of required reading which, if not completed on time, requires a humbling visit to a senior manager. All stick and no carrot, it has the desired effect of making sure everyone is kept aware of the latest changes to regulations or business processes, but how much of that knowledge actually lasts beyond the end of the week?
Staff have heard it all before, content delivery is stale and the whole thing becomes a tick-box exercise.
So, if what we’re doing now isn’t working, what’s the alternative?
Change behaviour to think secure
A better approach is using something that’s drip fed, repetitive, fun, engaging and has some personal value for your employees. That way, you’re more likely to get a change in behaviour that becomes embedded in the organisation.
The Human Firewall is built through a continuous cycle that helps employees and the organisation think secure:
- Use behavioural change techniques to make people care about cybersecurity.
- Use learning techniques that stress fun and participation for maximum engagement.
- Build awareness and knowledge using techniques that make learning easier.
Behaviour is changed through using content that employees can relate to on a personal level.
Everyone understands the ramifications of having a purse or wallet stolen, especially if it contains a scribbled note that contains a list of pin numbers as an aide memoire. Or if one of the kids downloads a game that wipes the hard disk and leaves mum the job of re-building the whole computer over the weekend. Make the connection between that personal pain and the pain the company will experience if they have to lay-off staff because they lose a major customer.
More fun = more engagement
Employee out-of-hours activities revolve around entertainment like social media, online videos, games and so on. So why distinguish between office and sofa? If you want to make it memorable, make it fun, fresh and remarkable. Game-playing is inherently memorable, engaging and fun and is fast emerging as the modern training tool. A survey by McAfee found that 96% of companies using it have seen benefits including improved team work and increased knowledge. And thirty seconds of fast-paced, energetic video will beat pages of dry text.
Make it easy to learn with bite sized chunks
Brevity is the soul of wit, so keep it short. Long, arduous training sessions are boring and unnecessary. Drip feed the content and avoid the rush to meet a deadline. Use tools for learning on the move to let employees make the most of time spent travelling.
Make it specific (don’t ‘pray and spray’)
One size doesn’t necessarily fit all, so segment staff by job role. Content for employees who regularly have access to classified information or high profile customers will be different from those that don’t. And time-pressed senior managers need a different set of content altogether.
Don’t forget sub-contractors or temporary staff either. A survey by IDC found that activities by third parties were often the cause of breaches or major incidents.
Keep it positive! 🙂
While the stakes are high and the stories about cyberattacks depressing, you can choose how your business responds. Language that is upbeat and positive is a better tone and more likely to encourage employees to report any issues they find.
Monitor, learn and adapt for continuous improvement
Cybersecurity training isn’t a one-time exercise. Content needs to adapt to reflect new threats and success should be measured to find areas for improvement. Phishing tests are useful, given how common a threat it is, just don’t turn them into punishment sessions.
With good planning and careful execution, forward thinking businesses can turn the ‘insider threat’ into a business advantage to help avoid the pain and disruption of a cyberattack.