Cybersecurity will only work if we put people first
Too many organisations are looking for a technical solution to what is essentially a human problem. Even with the most sophisticated technology, organisations can only reduce exposure to intentional cyberattacks orchestrated by malicious actors to an extent. This is mainly because a company's biggest security risk is unintentional employee negligence.
The Office of the Australian Information Commissioner (OAIC) highlights that around one-third of the 812 data breaches reported to the Notifiable Data Breaches scheme between its introduction on 22 February to the end of December 2018, were due to human error.
Gone are the days of 'click and drool' compliance
While awareness training has long been considered the best the way to educate employees about security best practices, traditional training methods on the whole are not effective. The content is often boring, outdated, long, and therefore unlikely to resonate with staff.
Employees that participate in these compliance-focused training courses tend to take a 'click and drool' approach, where the aim is to click through the course as quickly as possible, without actually taking in any of the information, ultimately leaving businesses at risk.
At the same time, lack of consistency also reduces the effectiveness of training courses. According to the Mimecast's 2018 State of Email Security report, only 14 per cent of Australian organisations continuously train employees to spot cyberattacks, with 58 per cent of those surveyed admitting to only doing training quarterly or once per.
How to make good security behaviour stick
Organisations are at a critical juncture. They can either continue down the path of ticking a compliance checkbox or take an innovative approach to cybersecurity awareness training. There must be compliance and commitment from employees for good security behaviour to stick.
Awareness training needs to be engaging and persistent. Organisations can use analytics to capture the base line behaviour of employees when it comes to security compliance – or the lack thereof. The data can then be engineered into actionable information as part of a training program, ensuring that the details being delivered will be relevant to employees.
Introducing once-a-month training through activities such as one-on-one mentoring, live online training, roving departmental subject-matter experts, and gamification are possible alternatives. Humour through GIFs and memes can also be another effective approach.
When there's substance and personalisation in awareness training material, it will resonate with employees and there will be greater willingness to continue with the program.
The tone for any training program, however, needs to be set from the top down. There's a responsibility at the C-suite level to be engaging, endorsing, and supporting the program. If there isn't the weight behind them, training programs aren't as highly valued, and are less effective.
It's clear that traditional training awareness programs are plagued by fatigue, which is ultimately putting organisations at risk from potentially being exposed to a cyberattack. By taking a human-centric, yet analytics-driven approach, organisations can change up these cyber security programs so that they are more human and can be personalised, engaging, and consistent.