Companies need to reinforce the foundational elements of security risk.
“There will always be a need to ensure that the organisation has exactly the right levels of security technology, policy and processes in place,” she says, “But there also has to be the right levels of training and security understanding within the workforce to back up the security technology investment. Companies are still not paying enough attention to the one security vulnerability that is always open to attack, quick to make mistakes, and can accidentally leave the digital door wide open – people.”
Getting back to basics means putting security training in front of employees constantly and consistently: reinforcing the messaging over and over again, teaching people about the risks, both new and old, and then testing their knowledge to confirm that they have actually understood the threats and how to avoid them. This cycle of repeat, learn and test is a well-established way of giving people the basic foundations they need to stay security aware and prepared.
Another method that has proven invaluable for shifting patterns and reinforcing behaviours is the Fogg Behavior Model, developed by BJ Fogg, founder of the Stanford Behavior Design Lab. The model holds that three elements have to be present at the same moment for a specific behaviour to occur: motivation, ability and a prompt. Applied to security, this suggests that training should be implemented alongside deliberate behavioural-change measures (a prompt at the moment of risk, and the ability to act on it easily) so that the security lessons learned directly influence behaviour rather than stopping at awareness.
“The problem is that people are busy and stressed at work, so they often ignore the training or see it as an interruption of their day,” says Collard. “They are also more likely to make a mistake by clicking on a link or falling for a phishing email if they are tired and distracted. This means that security awareness training has to be cultivated properly. It has to be clean, simple to understand and accessible to users.”
In addition to making the training engaging enough that people actually take part in it, companies need to reinforce the foundational elements of security risk. This means reminding employees that they are as much at risk as the business (phishing and hacking are not the exclusive remit of the organisation and can have long-term personal and professional repercussions for individuals) and giving them a cheat sheet that highlights the most common risks at a glance. Make sure that people know how popular phishing has become with cybercriminals (Deloitte found that 91% of all cyber attacks start with a phishing email) and how a single successful attack can bring the business to its knees. Then reinforce this message, repeat it, and maintain the training.
“The basics are not just: do not click, do not respond emotively, check the URL, do not download,” concludes Collard. “They are also centred around the importance of the human firewall in protecting the business, the impact of an attack on the company’s reputation and compliance, the risk of personal loss and fraud, and the shared responsibility of ensuring that security should be everyone’s problem and priority.”