Throughout October it was Cybersecurity Awareness Month in both North America and Europe. Both have paid particular attention to user behavior this year. Within the EU the motto for 2021 is “Think before you click,” while in the U.S. it’s: “Do your part. Be cyber smart.” As the first step toward lasting behavioral change, awareness raising is critical to long-term improvements in cybersecurity across business and consumer spheres. In the corporate world, change is never easy, but it remains a worthwhile aspiration.
The focus on the user is appropriate because security ultimately comes down to people. It’s your employees that may get tricked by phishing emails. It’s people that trick them. So efforts to boost cyber-resilience should begin with those users. The question is: how do you build a security-aware culture?
Why should we care now?
Humans have been doing the wrong things online for decades. But the impact of their mistakes and the frequency with which they’re being targeted is arguably greater today than at any point in the past. That’s due in part to the pandemic, which saw employees forced to work from home for months on end. Research soon emerged that people were taking more risks away from the office, that they were more distracted by household members, and that they were less likely to ask colleagues for help.
One study from earlier this year found as many as 30% of office workers admitting they’ve allowed someone other than themselves to use their work laptop, for things like shopping, internet downloads, gaming, and streaming. Many others (53%) said they used potentially insecure and unmanaged personal devices for work. Insider risks also continue to account for the majority of data breach incidents reported to UK regulator the Information Commissioner’s Office (ICO).
A separate study found human error was the number one cause of serious insider breaches in 84% of cases. It revealed that three-quarters (74%) of responding organizations had been breached because staff broke security rules, and a similar number (73%) suffered phishing attacks. The impact can be huge. According to one estimate, the average cost of insider threats rose by 31% over two years to exceed $11 million in 2020.
What is security culture?
It’s important to find ways to get your employees thinking more about security best practice, because technology can’t prevent 100% of bad things from happening. You can have the best anti-malware in the world, but if an employee gets phished, cyber-criminals could waltz straight through the front door using their credentials. Once inside, they’ve become past masters at using “living off the land” techniques and legitimate tooling to achieve lateral movement. It’s partly why the average time it takes to identify and contain a breach is now 287 days.
So what is security-first culture? According to the National Cyber Security Centre (NCSC), it can be boiled down to three key concepts:
- Always remember the things you’re supposed to do for security
- Always do those things, at the right times, and in the right circumstances
- Prioritize doing things in secure ways when needed
The crucial caveat is that in some circumstances, it’s better to get a job done, even if it’s not done securely, than to ignore it. It’s the old argument about whether security or productivity should take priority.
Getting started with awareness training
A good place to start is to run regular security awareness training courses for all employees. However, with many options on the market, it can be tricky to know which one is best for your organization. Consider the following to optimize results:
- Run lessons frequently but in short bursts of 10 to 15 minutes
- Involve everyone from CEO down to temps and contractors
- Use real-world simulations to add relevance and enable you to test employees with the latest scams circulating on the web
- Choose solutions that allow for analysis of results to improve programs
What to include
Alongside phishing, you may also want to include other elements of best practice security processes in any training courses. Also useful are:
- Password management
- Spotting business email compromise scams
- Data handling and privacy tips
- How to report new scams/threats
- Why it’s important not to use work email/logins for consumer account sign-ups
Going beyond training
Of course, there’s more to creating a security-aware organization than improving staff awareness. Ideally it will be a “whole of company” approach that includes:
- The creation of security policies and tools that are non-intrusive and support productivity
- A culture in which transparency and honesty are rewarded — staff shouldn’t feel like they’ll be told off if they accidentally break the rules
- An IT department willing to educate, inform, and advise in ad hoc situations
- A security culture that transcends different business units
- Active participation from the boardroom down
- A security function that has a seat at the board and is consulted in new projects from the start
It’s all about ensuring security is built into the fabric of the organization so that it’s second nature for staff to make the right decisions, and that open dialogue is preferred to shadow IT. Given the stakes today, cybersecurity should never be an afterthought.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.