People, not technology, are becoming the key to securing organizations today. For years organizations have invested in technology such as anti-virus, firewalls, full disk encryption or data loss prevention.
While powerful, solutions like these fail to secure one key element, people. Until organizations also address the human element, cyber attackers will continue to easily hack into organizations.
The reason for this is simple, cyber attackers take the path of least resistance and in today’s world that means people. Organizations have become very good at securing technology but very bad at securing their own employees. As a result, cyber attackers are bypassing technology using methods such as phishing, targeted phone calls, attacks through social media or any other communication means.
Ultimately the result is the same. Cyber attackers are hacking into organizations by tricking or fooling their employees into doing something they should not do.
The solution is simple, just as organizations have invested in securing their technology, they also need to invest in securing their people. To do that they need to secure peoples’ behaviors, and ultimately create a secure culture.
However this cannot be done simply by purchasing a product. To create secure behaviors, and ultimately a secure culture, organizations need to establish a long-term security awareness program. Such a program engages employees, explains to them why cyber security is important, and walks them through the behaviors they need to exhibit, to include protecting themselves both at work and at home.
While there are challenges establishing such a program, organizations around the world are taking this step and seeing a huge return on investment. For example, we are seeing organizations reduce the number of employees that fall victim to phishing less than 5%, and those that do fall victim quickly realize and report it.
The first challenge for many organizations is making their security awareness program stick. Engaging people and teaching them about new, secure behaviors is easy, but having those lessons stick long term and have an impact is more challenging.
The first step to effectively changing behavior is understanding what elements make up a behavior. According to the BJ Fogg Behavior Model developed at the Persuasive Tech Lab at Stanford University, there are three key elements to a behavior: people must be motivated to exhibit the behavior; they must have the ability to exhibit the behavior; and they need a trigger or prompt to know when to exhibit the behavior.
The key this model teaches us is the more motivated people are to change behavior, and the easier we make the new behavior happen, the more likely we will have an impact.
To do that we must effectively communicate to people, first by answering the question why cyber security is important to them, why should they care? To do that you must reach people at an emotional level, trying to rationalize security with statistics or numbers will not have a long term impact.
To reach people emotionally, explain to them that what they will learn not only applies to work but to their personal lives. We all use the same technology at both home and at work, and we face the same risks in both locations.
By teaching people how to secure themselves personally, not only are they more likely to listen and change behaviors, but security becomes part of their DNA. As a result, not only are employees personally benefiting but the organization also benefits. In addition, this personal approach is becoming even more important as peoples’ personal lives and work lives are beginning to blend, such as with working at home or BYOD (Bring Your Own Device).
Secondly, we have to communicate this message in a method people want to consume. Different generations, cultures and even individuals learn differently than others. As a result, organizations need to communicate their awareness program using multiple methods.
For example, more conservative individuals or older generations often prefer traditional methods of communications, such as in person training or newsletters. They also prefer to learn during work hours and have the content be more professional or subdued. Outgoing individuals or younger generations usually prefer the latest technologies for learning, such as using tablets, online videos, or social media. They also want the flexibility to learn on their own schedule and like the use of humor, such as memes. By understanding your different target audiences and adjusting how you communicate to those audiences, the greater your impact.
Once you begin communicating your program, you then have to measure its impact. For security awareness there are two types of metrics: compliance metrics and impact metrics. Compliance metrics are measurements that auditors want to see, they measure the distribution of your program, such as how many people took the online training or how many newsletters were published that year.
While important, what we want to know is if that training is having an impact, are we changing behaviors, are we reducing risk? These are what I call impact metrics. There are a couple of key things to keep in mind when measuring behaviors.
The first mistake most organizations make is they forget people have feelings. A computer does not care if or how it is measured, people do. You need to take that into consideration. For example, you never want to embarrass or humiliate people, such as sending out a Viagra phishing email.
Also, never create a wall of shame where you list the names of everyone that failed an assessment. Everyone has a bad day, we all sooner or later most likely fall victim. The only time it may be necessary to report a name of someone who failed an assessment is if they keep failing, are not changing behaviors and as a result represent a high risk to the organization.
Thirdly, measure your highest human risks. These are easy to measure, and are metrics you can act on. Phishing is a common metric that many organizations use. Phishing is one of the most common human risks most organizations face, it is easy to measure as you simply send out a phishing email every month as part of your assessment, it is actionable as you can identify your most vulnerable people and measure if your training is having an impact.
If a metric measures a low human risk, or a behavior you cannot do anything about, then it does not have much value. Ultimately start with only one or two metrics that are high value.
Finally, when it comes to metrics, make heroes out of the people who start exhibiting the correct behaviors. Recognition is an extremely powerful motivator. Also, by highlighting people who did the right thing you are reinforcing the key behaviors you want people to follow. As people see their behaviors are having a positive impact, not only will they continue to exhibit those secure behaviors, but their attitudes and perceptions to security begin to change. Now you are going beyond just securing behaviors, but creating a secure culture.
People are one of the best defenses your organization can have, unfortunately they are also one of the most commonly overlooked. It’s far too easy to fall into the trap of simply purchasing the latest technology and thinking all of your security problems will go away. By investing in and securing your employees, you will have a long term impact that will benefit not only your organization, but also your people.