
Cybersecurity will only work if we put people first

07 May 2019
Sponsored

Too many organisations are looking for a technical solution to what is essentially a human problem. Even with the most sophisticated technology, organisations can only reduce exposure to intentional cyberattacks orchestrated by malicious actors to an extent. This is mainly because a company’s biggest security risk is unintentional employee negligence. 

The Office of the Australian Information Commissioner (OAIC) highlights that around one-third of the 812 data breaches reported to the Notifiable Data Breaches scheme, from its introduction on 22 February to the end of December 2018, were due to human error.

Gone are the days of ‘click and drool’ compliance

While awareness training has long been considered the best way to educate employees about security best practices, traditional training methods on the whole are not effective. The content is often boring, outdated, and long, and therefore unlikely to resonate with staff.

Employees who participate in these compliance-focused training courses tend to take a ‘click and drool’ approach, where the aim is to click through the course as quickly as possible without actually taking in any of the information, ultimately leaving businesses at risk.

At the same time, lack of consistency also reduces the effectiveness of training courses. According to Mimecast’s 2018 State of Email Security report, only 14 per cent of Australian organisations continuously train employees to spot cyberattacks, with 58 per cent of those surveyed admitting to only doing training quarterly or once per.

How to make good security behaviour stick

Organisations are at a critical juncture. They can either continue down the path of ticking a compliance checkbox or take an innovative approach to cybersecurity awareness training. There must be compliance and commitment from employees for good security behaviour to stick.

Awareness training needs to be engaging and persistent. Organisations can use analytics to capture the baseline behaviour of employees when it comes to security compliance – or the lack thereof. The data can then be engineered into actionable information as part of a training program, ensuring that the details being delivered will be relevant to employees.

Once-a-month training delivered through activities such as one-on-one mentoring, live online training, roving departmental subject-matter experts, and gamification is a possible alternative. Humour through GIFs and memes can be another effective approach.

When there’s substance and personalisation in awareness training material, it will resonate with employees and there will be greater willingness to continue with the program. 

The tone for any training program, however, needs to be set from the top down. There’s a responsibility at the C-suite level to be engaging, endorsing, and supporting the program. If there isn’t the weight behind them, training programs aren’t as highly valued, and are less effective. 

It’s clear that traditional awareness training programs are plagued by fatigue, which ultimately puts organisations at risk of being exposed to a cyberattack. By taking a human-centric, yet analytics-driven approach, organisations can change up these cybersecurity programs so that they are more human and can be personalised, engaging, and consistent.
