How to Strengthen Your Cyber Security Culture
Cyber-attacks like ransomware are more successful now than ever before, even though companies invest heavily in internal defense measures.
This trend, plus the fact 90% of all successful cyber-attacks start with human error, makes it more important than ever to focus on the human factor of cyber security. This requires more than the ‘classic’ awareness training.
***
This article is a guest post written by Andreas Wuchner, a cyber security and risk expert.
***
Cyber security isn’t just about technology
In recent years, the investment in IT security has been significant. The focus has almost always been on technology. Despite all this investment, the number of successful cyber attacks has increased.
Related article: Prepare and Protect: Cyber Security Best Practices When Working From Home
As a result, cyber insurance is becoming more and more expensive because the number of claims and, above all, the amount of damages, are increasing.
One reason for these successful attacks, despite all the technology, is that most companies neglect the human factor: Technology is used and operated by people.
The technology calculation only works if:
- The user is trained.
- The user assumes responsibility.
- The organization has established the appropriate culture.
The Cybercrime Threat Response Report of Interpol shows a significant increase in ransomware attacks against computer and mobile users, companies, and organizations of all kinds.
Such attacks are successful because users simply click to activate the ransomware and existing technical solutions have clear limitations.
At the same time, simple awareness training with computer-based tests combined with phishing simulations are not enough to prevent such attacks. This approach helps companies demonstrate compliance on paper – but it does not bring any real security gain nor does it anchor a security culture in the company and among employees.
Put people at the center of your cyber security strategy
An end-to-end consideration of all factors that form the basis of why we do what we do, and why we decide to do something, drives the concept of a focused cybersecurity culture.
Knowledge, attitudes, assumptions, values, and pressures are all part of the equation.
It is people that make an organization secure, not the technology.
It is the combination of the human plus the technology that can create the strongest defense. As we have seen, technology can only do so much – it is mostly users who fall for targeted cyber-attacks. This means employees are often seen as the weakest link in the chain, but in reality, they can be the strongest defense mechanism (if educated well).
For this reason, it is fundamentally important to create an environment where employees and users are well trained and feel secure in dealing with digital media – both in the company and in private.
Build on existing strengths
What users need is a cyber security platform that allows companies to approach the issue holistically.
Once the existing corporate culture has been analyzed and understood, your chosen cyber security platform needs to build on existing strengths with targeted measures. This, along with the influencing of routines and the creation of a link between private and business dealings with electronic media, will provide a strong and holistic cyber security strategy.
Cloud-based platforms are best as they can be accessed from anywhere.
Access should also be available on the go on any mobile device and in a mobile app.
Because learning has long ceased to take place only in the office, modern solutions must allow users to find answers to current questions when they need them, at any time, and wherever they are.
Trained employees, customers and partners who feel safe but also have the necessary skills and support at hand, move an organization forward. Confidence and self-assurance in one’s own abilities make the difference, and this is no different in private life.
In this context, one often reads the term “cyber hygiene”, which describes very well what is at stake here.
Once the secure handling of digital media and end devices has become standard, an organization can concentrate on the essentials of its business. This supports the digital transformation capability of any company.
Employees are an essential part of the solution.
For this transformation to succeed, behavioral change is needed.
To achieve this, one has to look more closely at and understand the interplay of ability/knowledge, motivation, and the environmental variables such as values and pressure.
This is the only way to actively support each employee.
Choosing a cyber security platform
With this information in mind, your chosen platform should be built around three clear pillars:
- The psychology of change
- The platform should take into account insights and best practices from the world of psychology for behavior change.
- Science-backed
- The platform should be scientifically evaluated to know what works in behavior change (and why).
- People-centered
- So that staff are both productive and safe at work, your chosen platform should be centered around the people who will use it.
Behavior change is challenging for all of us. We humans are creatures of habits and influencing our behavior, let alone changing it, is difficult and complex.
Most “training and awareness” tools on the market only focus on imparting knowledge. Oftentimes, organizations know their cyber security culture needs to improve, yet they haven’t implemented any sort of formal process to make this change a lasting one.
Therefore, traditional tools fail time and time again. They may achieve compliance and a sense of measurability, but human understanding and culture change is not created this way. One cannot say with confidence whether the resources invested in such campaigns have generated any value at all.
CybSafe – Understand people. Prevent security incidents
CybSafe is a people-centered cyber security platform that focuses on three key areas of cyber security that allow users to find answers to current cybersecurity questions at any time and any place. This way, the answers are there when employees need them and not when training schedules dictate.
The three key areas are:
- Protect
- Assist
- Learn
1 Protect: Cybersecurity
Users get access to knowledge and tips in daily life with a focus on sharpening daily behavior patterns and raising awareness of their own behavior by setting personal goals.
2 Assist: Get the needed help
This function provides users with answers and help whenever it’s needed. In addition to practical tips and technical help, it also offers further background information or explains what to do if an employee has done something wrong.
3 Learn: Create and expand awareness
Individual role-based modules create awareness and interest in the topic. Not simple learning, but daily life situations at home and in the office create “aha-moments” again and again.
CybSafe is based on a scientific approach and on the COM-B model of behavior change. This approach is fundamentally new and addresses the root causes and not the symptoms. Boring learning driven by compliance requirements was yesterday.