With the latest IBM figures estimating that the global average cost of a data breach has risen by 2% to $4.45m, you would think acting safely and securely would be the bare minimum for many of us, especially those in the cybersecurity industry. I mean, it’s in the name: security.
But are cybersecurity professionals doing enough to ensure they play their part in keeping businesses safe? Unfortunately, the facts are somewhat concerning because over half (55%) of cybersecurity professionals have admitted to engaging in risky cybersecurity behaviors at work. Security professionals are the torchbearers for security within an organization and are looked upon as individuals who should be upholding the rules and processes put in place to keep the company safe. Remember, modern cyber threats target everyone, so no one is above security awareness training, especially security professionals.
Regular company-wide security awareness training should be carried out to tackle the lack of security awareness within an organization. Yet, the same study also revealed that half of cybersecurity professionals admitted that their organizations only conduct training once a year or once a quarter. If security professionals themselves are displaying risky behaviors at work and aren’t adequately building up the human defense layer in their organizations, it paints a bleak picture – particularly in light of recent breaches stemming from human error.
Whether you accept it or not, every employee is a potential entry point for an attacker to exploit and is the biggest risk factor to an organization’s security; the proliferation of social engineering attacks is testament to that. Therefore, educating the workforce on security best practices is paramount to deter them from engaging in risky security behavior.
What is considered risky security behavior? In total, 10 risky behaviors have been identified, including opening a malicious email attachment, streaming movies or watching porn on a work device and removing data from company systems without authorization.
Developing a Strong Security Culture
If employees, regardless of their role or department, continue engaging in such risky behaviors, cyber threats will be ever-present. To address this effectively and to rectify the situation both in the short term and beyond, cultivating a strong security culture within the organization is imperative.
This encompasses regular security awareness training that must go beyond merely instructing staff about threats. It extends to equipping them with the ability to respond effectively and enabling the workforce to identify the most appropriate preventive measures for their situation.
Establishing a robust security culture forms the essential groundwork for mitigating the potential risk of a cyber-attack targeting the organization. Achieving this demands a transformation in attitudes, behaviors, perceptions of responsibility and overall organizational norms. Essentially, the goal is to integrate security best practices seamlessly into every conceivable scenario, process and operation, tailoring them to everyone’s context.
To help facilitate this, a new technological approach to building a strong security culture has emerged. It focuses on identifying and responding to threats arising from human activity (phishing and social engineering threats) and involves automated real-time coaching. This is different from traditional security awareness training, which educates the workforce on best practices for staying safe online and reducing the risk of falling victim to common cybersecurity threats. Combined, both will play a critical role in improving the behaviors the entire workforce displays.
In the grand scheme, cybersecurity should be a paramount concern for every facet of the organization, every department and every employee. Successful attainment of this objective leads to heightened vigilance among users, fostering a mindset that prioritizes appropriate responses to potential threats. This will stand the organization in good stead going forward.