As we look around the world, there are a lot of things that seem to be spinning out of control, and much to be worried about. That’s certainly often the case when it comes to cybersecurity. Scary news stories surface almost daily.
Collectively, we have spent well over a decade, maybe two decades, building up well-defined, technologically advanced security controls that make it exceedingly difficult for cybercriminals to crack. Then, also collectively, we breathed a sigh of relief thinking, “Our work is done here.”
Where Your Business is Most Vulnerable
As hackers found themselves facing increasingly complicated security systems they had an a-ha moment. They thought: “Gee, I could spend days or months trying to bypass that set of security blocks. Or I could contact Bob in accounting and trick him into clicking a link and handing me keys to the kingdom with a phishing scam.” You hear it said over and over: users are the primary attack vector for today’s cyber-scams.
Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved a human element.
Even some of the largest, most trusted organizations can be some of the least prepared and most vulnerable to attack. UpGuard’s list of the 65 biggest data breaches, updated June 2022, includes top tech-based companies like LinkedIn (2021), Facebook (2019), Twitter (2018). If these giants – who can afford the most sophisticated security programs on the planet – can be breached, is there hope for the rest of us?
While the situation may seem bleak, there are steps that can be taken to mitigate risk. Unfortunately, the operative term is mitigate. The brutal truth is that we can never attain a level of zero risk. We can, though, start from where we are and whittle away at the risks—and do so continually and consistently over time. Here are three places to start:
- Move beyond awareness
“Security awareness training” is a phrase that has caught on well and something that most companies will point to when asked about what they’re doing to minimize data risks. But the idea is incomplete. If our goal is just to make employees aware, we’re not likely to achieve what it is that we actually want, which is changed behaviors and the reduction of risk.
Here are three realities of security awareness:
- Just because somebody is aware doesn’t mean they care.
- If we try to work against human nature we will fail.
- What an employee does is much more important than what they know.
Security awareness is a state of understanding, but we have to move beyond that into promoting security behavior and effective security culture management.
- Communicate continually to overcome the knowledge-intention-behavior gap
There’s a gap between knowing something and intending to act on that knowledge. Even when we intend to act there may be things that keep us from actually performing some behaviors—we forgot, we forgot how, we were interrupted, we changed our minds, etc.
We know that people don’t really respond to training when they only hear something once. They don’t respond to training when they only hear something twice a year, even four times a year. What they will respond to is the consistency of the message over time. Only then will this start driving the right behavior pattern.
- Create security in layers—and focus on the human layer.
When we think about security, we have to think about several different layers. Technology is certainly one piece of the puzzle, and it can itself involve multiple layers. Beyond those technical layers, though, we also have the human element. The minute you start paying attention to security at a human level, you will start seeing results.
Approaching the process of minimizing cybersecurity risk requires a culture perspective. Awareness is not the end game. Behavior gets us a little further but, if you can build a self-reinforcing culture that has the right attitudes, the right understanding and knowledge, the right belief systems, and the right social norms and pressures, you can start to chip away at the potentials for risk.
There is a truth that management consultant John R. Childress states well. He says, “You get the culture you ignore.” That quote should be a wake-up call for us all. We have a security culture whether we know it or not, and regardless of whether we acknowledge it. The question isn’t, “do you have a security culture?” Rather, the question is, how strong, how intentional, and how sustainable is that culture?
About the Author
Perry Carpenter is the author of the recently published “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer” [2022, Wiley], his second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4 [NASDAQ: KNBE], the world’s largest security awareness training and simulated phishing platform.