The best way to stop people-centric security attacks is to create a people-centric security awareness culture. Here is how to do just that.
A great business is built upon great people: an organisation depends on having staff they can rely on, who do a good job, and who can be trusted. People make a business tick, but they can also make it fall. Cybercriminals are people-centric too.
In 85% of cyber attacks, a human being is needed to perform some action to the benefit of the attacker: this may be a click of a link in an email; the download of an infected attachment; entering login and password credentials to a spoof website; or something similar.
What Exactly is a People-Centric Security Awareness Culture?
The statistics speak for themselves, human behaviour is open to manipulation and the result is ransomware, data breaches, and general IT and business damage and disruption. In 91% of cases, a cyber attack begins with a phishing email, according to a report from Deloitte. Social engineering-based cyber attacks, of which phishing is an example, increased by 270% in 2021.
A MetaCompliance post “Social Engineering: Hacking the Human” explored the deep-rooted aspects of human behaviour that cybercriminals take advantage of. It is the breaking down of poor security behaviours to turn them into positive security behaviours that drive a people-centric security awareness culture: people are the focus of cybercriminals, and in turn, they are the best way to tackle cyber-attacks.
Empowering employees with cyber security scam know-how builds a security-first mindset in the people on the front line of attacks – our staff. By using the right approach in delivering and cultivating this security awareness, the result is the formation of a people-centric security awareness culture.
The Components of a People-Centric Security Awareness Culture
A culture is defined by the norms and behaviours that make up a group or a society. In other words, the term “culture” describes the way of life and the belief system that a group of people uses to create a sustainable society.
Typically, a culture will have woven into its matrix, systems that make life easier and more successful for the individuals within that society. An organisation, in the same way as a group, village, city, or country, can create a culture, as it too, is made up of individuals.
Good security practice requires a behaviour change in employees that benefits from baking these security behaviours into a culture: this is best achieved by ensuring that security becomes an intrinsic part of the overall corporate culture. However, awareness alone does not create this culture. Here are the components needed to create a people-centric security awareness culture:
Set Expectations
Set a baseline of expected security behaviours.
This baseline is established from understanding the current security posture of your organisation and what needs to be done to improve it. Various methods can be used to collect the data needed to establish the required baseline of good security behaviour. This includes quantitative metrics from running initial tests using phishing simulation programs and qualitative input from surveys and discussion groups.
This intelligence gathering exercise is then mapped to a Security Awareness Training program to deliver people-focused education. This mapping of known security behaviour weaknesses to the people in the workforce, helps to establish an effective and tailored program of education that can be used to influence behaviour across individuals, departments, and the entire organisation.
Delivered from this baseline, with a set of clear expectations, gives the workforce a pathway to follow that helps to establish the creation of a security-first culture.
- Establish your baseline of expected behaviour and use this to tailor your people-centric security awareness program.
Learn Socially
People want to be part of something bigger than themselves.
Cultures are built upon the backbone of human social interaction. Theories in cultural evolution offer explanations on how cultures develop. One of these theories concerns social learning: people learn best through observation of their peers and modeling of scenarios e.g., stories. Culture is born from people passing information, knowledge, and skills between each other.
Folktales are a great example of social learning often designed to change behaviour, e.g., don’t go into the forest alone, otherwise, the big bad wolf will eat you; many tales can be traced back across multiple world cultures over millennia. Learning about security awareness should be a cooperative venture with employees working together, learning socially, interactively, and engagingly.
Learning security awareness using social learning type scenarios, typically involves the use of games, interactive modules, and input from expert educators. The use of experts is associated with the concept of “prestige-biased social learning” in humans, which is known to help adults learn difficult concepts.
- Choose a cyber security awareness program that offers engaging content that incorporates personalised content and creates positive security behaviour that can be shared.
Sustain Positive Security Behaviour
Part of creating a successful people-centric security awareness culture is through effective persistence.
Sustaining positive security behaviour requires continued Security Awareness Training. There is a two-fold reason for regular training in security awareness. Firstly, regular training updates ensure that the changing threat landscape is reflected in the training packages. This is vital as cybercriminals are continuously changing their behaviour and tactics to trick employees more easily. Secondly, regular training keeps security at the forefront of the minds of employees and this helps to maintain the corporate security culture.
- Maintain a security culture by carrying out regular Security Awareness Training updates.
Value Input from Employees
Security is everyone’s responsibility; remove the blame from your culture.
A PwC study found that almost three-quarters of those surveyed were in fear of reprisal if they reported security issues. A culture of security can only persist if fear is removed from the equation. Don’t blame an employee who accidentally opens a phishing message and clicks on a malicious link. Instead, use it as a learning exercise.
Make sure that your employees know that they are part of the solution, not part of the problem. Make reporting of security incidents an intrinsic part of your wider people-centric security awareness culture. Give employees the tools to make reporting easy and part of their everyday work life. Show them how security reporting leads to better cyber security detection and prevention.
- Empower your staff with security incident reporting.
A people-centric security awareness culture is not created overnight. However, by putting the right structures in place, your organisation will quickly begin to see the development of persistent and positive, information security behaviours.