Organizations need to focus on changing security behaviors ahead of awareness training, according to experts speaking at Infosecurity Europe 2024.
Javvad Malik, Lead Security Advocate at KnowBe4, explained that lack of knowledge is not the reason human error continues to be the primary factor in cybersecurity breaches.
For example, most employees have been told they need to adopt strong passwords. But simply telling them what they need to do during annual tick-box security awareness training courses will not bring about the necessary cultural change.
Andrew Rose, CSO at SoSafe, told Infosecurity: “I still think there’s far too many organizations out there that think they just need to tell people what they need to do and then they’ll do it. You need to create so much more to change behavior.”
Creating Incentives for Behavioral Change
Employees need to feel like they are properly engaged in the process of protecting their business – something many organizations are not very good at.
For example, Malik said that many organizations do not approach phishing simulation in the right way. It can be perceived as a way to catch people out rather than explaining the purpose of the exercise and why it is so important.
Rose believes an effective approach is internalizing the consequences of not following through on awareness training.
“They need to understand that clicking on the malware could endanger the reputation of the organization, which could have an effect on their bonuses or a project might be cancelled,” he noted.
Another effective method of engaging employees in secure behaviors is to gamify exercises like phishing simulation.
Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, told Infosecurity that he uses a leaderboard showing the teams and individuals that engage the most in security activities, such as phishing simulations, and loops that information back to the business.
“That makes the employee feel like they have been part of that journey of making the business secure,” he explained.
Malik also emphasized the importance of making strong security frictionless for employees – ensuring that engaging in good behaviors is not a time-consuming process.
This includes setting up processes to push automatic security messages at the appropriate times – for example asking them if they would like a security scan of a device they have plugged into their laptop.
“Only give training at a time when they need it,” said Malik.
Driving Cultural Change Through Peer Pressure
Security culture change has to be driven from the top of the organization. However, it is also important to have security messages reach employees at a local level from their peers, driven by middle management.
Rose said you are much more likely to change your security behaviors if you see people around you who are living up to them – that then creates a self-sustaining culture.
Security champions – ordinary employees with a passion for cybersecurity who amplify the message within their teams – are a vital way of establishing peer pressure.
These individuals can also talk about consequences in the context of those particular teams – for example the damage that clicking on a malware file can have to that team’s work.
Rose noted that security champions also provide a useful feedback loop to the security team, helping them adapt security policies and processes for different departments.
“They can go back and say if a policy is not working in their team and why,” he outlined.