
Cybersecurity will only work if we put people first

07 May 2019

Too many organisations are looking for a technical solution to what is essentially a human problem. Even with the most sophisticated technology, organisations can only reduce exposure to intentional cyberattacks orchestrated by malicious actors to an extent. This is mainly because a company’s biggest security risk is unintentional employee negligence. 

The Office of the Australian Information Commissioner (OAIC) highlights that around one-third of the 812 data breaches reported to the Notifiable Data Breaches scheme between its introduction on 22 February 2018 and the end of December 2018 were due to human error.

Gone are the days of ‘click and drool’ compliance

While awareness training has long been considered the best way to educate employees about security best practices, traditional training methods on the whole are not effective. The content is often boring, outdated and long, and therefore unlikely to resonate with staff.

Employees that participate in these compliance-focused training courses tend to take a ‘click and drool’ approach, where the aim is to click through the course as quickly as possible, without actually taking in any of the information, ultimately leaving businesses at risk.

At the same time, a lack of consistency also reduces the effectiveness of training courses. According to Mimecast's 2018 State of Email Security report, only 14 per cent of Australian organisations continuously train employees to spot cyberattacks, with 58 per cent of those surveyed admitting to only doing training quarterly or once per.

How to make good security behaviour stick

Organisations are at a critical juncture. They can either continue down the path of ticking a compliance checkbox or take an innovative approach to cybersecurity awareness training. There must be compliance and commitment from employees for good security behaviour to stick.

Awareness training needs to be engaging and persistent. Organisations can use analytics to capture the baseline behaviour of employees when it comes to security compliance, or the lack thereof. That data can then be turned into actionable information as part of a training program, ensuring that the material being delivered is relevant to employees.

Introducing once-a-month training through activities such as one-on-one mentoring, live online training, roving departmental subject-matter experts, and gamification is a possible alternative. Humour through GIFs and memes can be another effective approach.

When there’s substance and personalisation in awareness training material, it will resonate with employees and there will be greater willingness to continue with the program. 

The tone for any training program, however, needs to be set from the top down. There is a responsibility at the C-suite level to engage with, endorse, and support the program. Without that weight behind them, training programs are valued less and are less effective.

It’s clear that traditional awareness training programs are plagued by fatigue, which ultimately leaves organisations at greater risk of a cyberattack. By taking a human-centric yet analytics-driven approach, organisations can change up these cybersecurity programs so that they are more human: personalised, engaging, and consistent.
