By Oz Alashe, CEO, CybSafe
Cyber security has become a significant issue over the last few years. Ransomware attacks and data breaches are in the news on an almost daily basis, with all manner of businesses and institutions, from large corporations to schools and hospitals, being affected.
The cyber threats will only continue to grow both in scale and sophistication. CybSafe’s recent examination of ICO data found that cyber attacks on British institutions doubled in the first half of 2021. For every cyber criminal caught, they are immediately replaced.
Seeing this increasing danger, organisations have acknowledged the need for a well-funded cyber security agenda. Despite this, a recent study from CybSafe and the National Cybersecurity Alliance discovered that 64% of participants still do not have access to any cyber security guidance or training. Even for those who do receive training, a number of people consider the initiatives to be of little to no value, with 27% saying that it did not benefit them.
To enhance security awareness, we must not focus solely on increasing the number of training programmes, but we must improve the existing initiatives to ensure they deliver results. If companies do not address the inefficiency of their current cyber-training, then employees soon become reluctant to follow the advice provided and no real change is achieved, leading to business leaders becoming increasingly frustrated that time and resources are going into initiatives that are no ROI. To counteract the growing cyber threat and to ensure effectiveness of security awareness training, it is necessary to not only refine our current strategy, but also go beyond just awareness and achieve tangible behavioural change.
How understanding human behaviour can enhance security awareness
To improve security awareness, it is necessary to understand what it involves. Put simply, it requires organisations to consider the human element to cyber risk, by informing employees of how their individual behaviours influence the cyber security of their business at large. If done properly, it will not only foster recurring cyber aware habits, but will also build customer trust in the organisation and boost employee enthusiasm, welfare, and confidence.
Where are businesses falling short?
Most businesses now acknowledge the significance of security awareness, but not all of them are seeing definitive outcomes from their actions. This is because people don’t fully understand the phrase “awareness”. Establishing a strong security culture necessitates legitimate behavioural change that isn’t simply making employees aware of cyber threats, but by providing employees with the appropriate knowledge they need to protect both themselves and their businesses.
Organisations regularly rely on training exercises and programmes that are designed to decrease cyber risk but are immediately disregarded once completed. The best method of education is not to solely rely on instructing employees the dos and the don’ts but instead requires a team effort from both parties for it to pay-off in the long-term. Security awareness agendas must go beyond simply meeting basic requirements and instead to inspire change that is both dynamic and quantifiable.
The best approach to security awareness training
There are a several ways businesses can enhance security awareness among their staff.
Preparation and personalisation can go far when tackling this unreliability. Before any programme is put into practice, an organisation must be straightforward on who it’s aimed at, what it plans to do, and what areas need to be covered given the specific requirements for each department. For example, industries such as finance and increasingly education are especially vulnerable to ransomware attacks. Cyber threats are perpetually evolving, and research and education is the most important tool in our arsenal, and as different cyber-attack strategies rise and fall in use, so too should the areas a business focuses on.
The same approach is required for our mindset towards security awareness overall. Training is forgotten if it is an infrequent and unengaging event and given the fluctuating nature of the cyber security landscape will also quickly become outdated. By using behavioural prompts and setting frequent and specific targets to each individual, businesses can guarantee their staff are both well-informed with the current threats and are acquiring behaviours over time that can help minimise them.
Data is crucial to realising this. If a business is unable to assess the progress of its security awareness initiative, then it will be difficult to see any evidence of what is working and what is not. Metrics help set what steps will have been more effective at inflicting positive change from the beginning of the initiative and guarantee they deliver on their promise.
Don’t play the ‘blame game’
For the process to succeed, organisations must move from the blame culture that often accompanies cyber security initiatives. Instead of chastising the weakest link, they should instead be thought of as the first line of defence against cyber threats. A more positive attitude keeps everyone responsive and improves the extent to which security awareness programmes are understood. With this as the fundamental principle, coupled with data and an individualised approach, businesses can turn security awareness training from a boring office meeting into a vehicle for genuine behavioural change.