By Oz Alashe, CEO, CybSafe
Cyber security issues have been the talk of the town during the pandemic. This year in particular has witnessed a surge of ransomware attacks and data breaches. The news frequently covers these attacks, with a wide range of organisations and institutions falling victim: schools, hospitals, large corporations, the list goes on.
This is an increasingly worrying concern for everyone. The threat is not slowing down; rather, it is growing in both scale and sophistication. CybSafe’s recent analysis of ICO data found that ransomware attacks on UK organisations doubled in the first half of 2021. For every ransomware attack that is put to sleep, another soon awakens, sometimes with just as much venom as the last.
To combat this growing threat, businesses have recognised the need to invest more time and resources in cyber security initiatives and training programmes. The finance and insurance sectors recognise this most keenly, with 72% of financial institutions saying cyber security is a very high priority for them. However, new research from CybSafe and the National Cybersecurity Alliance has found that 61% of cybercrime victims chose not to report their attacks; only 39% did. If the majority of people are not reporting cybercrime, despite the training offered, there is a need to reassess the approach taken to raising security awareness.
Existing programmes must deliver results. If this is not addressed, employees quickly become disaffected with these initiatives and no real change is realised, and business leaders grow impatient as their time and effort produce little impact. To meet growing cyber threats and make security awareness as effective as possible, current initiatives should be fine-tuned. But all initiatives must go beyond awareness alone: an approach to cyber security that brings genuine behavioural change is paramount to creating long-lasting change.
Security awareness: what is it?
To improve security awareness within an organisation, we need to truly understand what it is and what it entails. Security awareness is a way for organisations to have a better understanding of human cyber risk, making employees aware of how their behaviours impact the cyber security of a business as a whole. When it is done right, it builds a culture of good security hygiene and helps to improve customer trust.
Where are businesses going wrong?
Many financial institutions recognise the importance of security awareness, but not all of them see tangible results from their efforts. This is predominantly because the word ‘awareness’ is taken too literally. A durable security culture is built on legitimate behavioural change, which goes far beyond merely being aware of threats. Behavioural change gives employees the tools they need to protect both themselves and their organisations.
Businesses often run exercises and initiatives that set out to reduce cyber risk, but these are quickly forgotten once completed. The best forms of education do not simply tell employees what to do; they require buy-in from both parties to make an impact. Security awareness initiatives have to extend beyond the standard tick-box training exercises – they must inspire change that is impactful and measurable.
What is an effective approach to improving security awareness?
There are methods that businesses can adopt to improve security awareness training among their employees.
Planning and personalisation are key. Businesses must be clear on who the programme is aimed at, exactly how it will be delivered, and which areas need to be covered given the specific needs of the organisation. For example, the financial services sector has been particularly susceptible to ransomware attacks for some time. This research should not be a one-off exercise that is never revisited. Cyber threats evolve continuously, so the methods businesses choose to ward them off should evolve just as frequently.
The same mindset is needed for security awareness in general. Training is quickly forgotten if it is only delivered as a one-off event. An effective way to counter this is to focus on behaviour: behavioural nudges and regular goals tailored to each individual are key. Organisations can then ensure employees are kept in the loop on the latest threats and are continually learning behaviours that, over time, will help them mitigate threats as a matter of routine.
Data is the master key to unlocking insights into behaviour, and those insights are what tailored goals and behavioural nudges are built on. If an organisation cannot measure the progress of its security awareness initiative, it will not be able to identify clear-cut change. Metrics help to set, at the start of a campaign, which measures will have the most impact, and they help ensure campaigns deliver on their promise.
Throw away the blame game
To ensure these measures succeed, businesses have to discard the blame game that so often follows cyber security initiatives. People should not be seen as the weakest link. They are the first line of defence against cyber crime, often standing eye to eye with cyber criminals.
As a result, businesses must do what they can to ensure employees are well equipped to fend off and avert these attacks, and they should foster a supportive culture and environment. A supportive culture, tailored goals and clear metrics are the blueprint for building a first-rate security awareness programme that brings about genuine behavioural change.