For many within the profession, we’ve been standing around saying to each other, “I’ve got a bad feeling about this.” 2021 didn’t let up in the volume or veracity of headlines about companies, hospitals, government agencies and critical infrastructure being impacted or completely disrupted by cybersecurity issues.
In 2020, the World Economic Forum’s Global Risks Report 2020 already named the growing cyber threat as a top concern for organizations. In the 2021 report, cybersecurity scored 4th in the list of “clear and present dangers: short-term risks (0–2 years)”, yielding only to infectious diseases (the pandemic), livelihood crises (likely stemming from the pandemic), and extreme weather events (always present and acute).
Many organizations have taken some action to start or continue their focus on catching up on properly mitigating this pervasive cyber risk. Some organizations and sectors are ahead of others, but many challenges still exist in funding, focus, and follow-through.
With that said, many organizations still have an IT/technology-focused security program with limited involvement and true engagement across the organization beyond required annual training and, sometimes, periodic ethical phishing tests. With all of the looming natural disasters, contagions, and political turmoil threatening civilization itself, should people really make time to think about doing their part to protect your company? (Author’s biased but most definitely accurate spoiler opinion: “Yes – this is something we can actually control and see progress on for our organizations.”)
Should your entire workforce really be more engaged with cybersecurity?
Let’s look at what the data tells us…
From the most recent Verizon DBIR, 85% of data breaches were due to the “human element” (2021 Data Breach Investigations Report, Verizon). Whether it be phishing, vishing, smishing, “social media” engineering (e.g. LinkedIn or Facebook Messenger scams), or in-person manipulation, compromising underprepared humans is the attackers’ quickest, easiest, and most efficient way to steal from a company or accomplish any desired nefarious mission. Perhaps dealing with these things needs to be a universal learned competency like writing a check, paying a bill, or washing your hands. Too many people are getting ripped off or having their lives (identities) stolen, both in the workplace and at home, for it not to be.
In an earlier edition, the 2019 Verizon Data Breach Investigations Report found that 29% of breaches involved the use of stolen credentials and 32% of breaches involved phishing.
While we would all love to have a magical button or cyber tool that zaps all risks and frees our workforce from worrying about getting baited into a trap, that is not and will likely never be reality. Let’s stop pretending that one exists or may soon exist, and start focusing on getting people motivated, aware, and engaged so they know how to use technology and practice good behaviors, since we can’t rely solely on technology to save us.
In the last several years, the market has become increasingly crowded with security awareness companies that provide “off the shelf” or Software-as-a-Service training and awareness solutions. The medium has shifted over the years from annual CBT (computer-based training) to live action, animated video, micro-learning, and gamified learning experiences. This is great progress for our industry! At Reveal Risk, we leverage several of the market leaders in this space as part of our approach to transforming an organization’s engagement with cyber. However, we know through experience that “just a tool” does not close the gap. This is true across almost every domain of cybersecurity, and awareness is no different.
If all these awareness-program market entrants have hit the stage, why is the human element still in the poor shape it seems to be in?
Challenge 1: Not fully using the solutions you have
We find a mix of companies that have purchased these solutions and are underutilizing them. The failure mode for any cyber tool purchase is assuming that you have minimized your risk because you purchased a solution. Companies that underutilize the tools they bought often just send out phishing messages and select an annual or periodic self-training. I’ve seen some companies that limit the volume of training events/components the cybersecurity team can run within the organization to once or twice a year. “We are just all so busy; we have to protect our employees’ time.” I would estimate that, across the last 10 companies we have helped, they had consumed less than 10% of the tools they had previously acquired for security awareness.
Challenge 2: Lack of stakeholder involvement and influence
Do you have an executive sponsor outside of IT? Does each senior leader of the organization play a role? We find that, despite good intentions, many cybersecurity programs embedded deep in IT organizations don’t have, or are not capable of attaining, the right stakeholder engagement across the organization. Organizational Change Management experts would unanimously agree (across any change management topic) that executive sponsorship is the #1 reason why any kind of corporate change succeeds or fails.
Challenge 3: Fitting in, being heard, and changing culture is tough
While the creative content available in the market has grown by leaps and bounds, it must resonate with your company and culture to be effective. It needs to reach the hearts, heads, and energy of the workforce and feel different from every other “corporate memo.” For example, humor may work for some cultures but not others (both corporate and world culture). Dramatic series/campaigns may work when done right to raise awareness of the true risks, or use storytelling to share some of the real things that have happened to your company (in an anonymized fashion where legally necessary!). However, too much drama leads to the failure mode of overusing FUD (fear, uncertainty, and doubt). If you overuse this, people will think you are crying wolf. Rather, use gamified experiences that create challenges, healthy competition, and intrigue to communicate and educate.
Challenge 4: Lack of brand identity and true “marketing” level campaign approach
A security awareness, behavior, and culture change program must feel like a serious initiative the company is taking, not just a tool/service that the company bought. Dr. John Kotter, a Harvard Business School professor, makes “creating a sense of urgency” step number one of the 8-step model for leading change in his book “Leading Change.” True organizational change requires a marketing-campaign-level approach. It needs to feel connected and linked to the identity of a transformative program. Think of the biggest cultural change event your company has had to deal with (merger/divestiture, new CEO, new business unit). How did your company guide the workforce through the change? If it went well, it probably involved a lot of corporate communications, OCM experts, and internal PR and marketing. The dire need for cybersecurity OCM is no different, yet it rarely is a focus. You have to invest in change and bring people through the journey. Lastly, but perhaps most importantly, the campaign must also focus on how workforce cybersecurity practices can help enable the company (not just a big list of things people shouldn’t do).
Challenge 5: Shiny object syndrome
There is so much in cybersecurity that could catch our attention, but…
“He who defends everything defends nothing.” (Frederick the Great, mid-1700s)
Nearly every week unfolds another headline news story about a breach. Underneath that lie the multiple cases per day that aren’t hitting the news. This has the tendency to send cybersecurity executives (and even business executives) running in multiple directions, over-committing, buying more cyber tools than a team can handle, or simply losing focus. The reality is that while the attack vectors have slightly shifted, the fundamental “blocking and tackling” needs have not. Awareness and protection against human-element issues still remain at the core.
Solution Focus: How can we shift our thinking to overcome these challenges?
Embrace tools and services, but beware of the “easy button” trap. Awareness, Behavior, and Culture Change (or ABCΔ, as we call it at Reveal Risk) doesn’t happen overnight. It takes leadership sponsorship, forming champions within the culture, continuously innovative/creative ways to boost engagement, workforce events/challenges, and producing meaningful measurements that tell the story and inform improvement.
As cybersecurity program leaders and sponsoring executives, we must drive change through:
- Understanding the culture
- Choosing cyber tools people like using (invest in user experience)
- Incentivizing good practice (a punishment-only model doesn’t work)
- Ensuring people know why the initiative is important (use real stories and events wherever possible)
- Creating workforce change experts or champions and a sound change model
- Cultivating user-friendly security policies (remember: your employees aren’t lawyers, so the policies shouldn’t be written as if they were for lawyers)
Ultimately, you want your awareness program to enable and activate your workforce to:
- Know what information they handle within their role is most sensitive/critical to the company
- Understand and consistently practice secure handling of sensitive information, covering approved tools and secure data handling practices, with clear and specific non-techie guidance that anyone can understand
- Follow good daily practices within the guidelines of the appropriate-use-of-electronic-resources policy (spoiler alert: a once-a-year or once-ever policy read-and-sign will not work)
- Use strong passwords and MFA (multi-factor authentication) wherever possible
- Recognize and be willing to call out social engineering attempts of all types, both at work and at home
- Know how to report concerns and get help – and not be afraid of speaking up, sharing a mistake, or otherwise.
Shifting the mindsets and practices of your workforce is an investment in both time and money. Compared to all the other expenses you are likely incurring (or soon will be), it could well be one of your best returns on investment. Let’s shift our thinking from the “tech will save us” mentality to a committed effort to help people be our first and best line of defense.
At Reveal Risk, we evaluate, design and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you find that you want assistance in building your company’s cybersecurity strategy, governance, and plan towards desired-state maturity, please don’t hesitate to connect with us at firstname.lastname@example.org.
About the Author
As CEO and Co-Founder of Reveal Risk, Aaron Pritz uses his background as a corporate leader to create a unique experience for any business seeking to build and improve its cybersecurity program, processes, or capabilities. His broad experience as a former senior IT/Security/Privacy/Risk leader at a Fortune 200 pharmaceutical company afforded him in-depth knowledge of cybersecurity and data protection needs, including the importance of efficiency and accessibility. He understands that people want an expert they can speak to directly who will guide them through the process of achieving their goals while using external benchmarks and experience.