How much can companies rely on their people to not be a source of vulnerability in the face of increasing attacks on corporate information?
Consider the recent “social experiment” conducted by US-based computer trade association CompTIA, in which 200 apparently discarded USB sticks were left in public places. Almost 20% of them were picked up and plugged into a computer, and the finders went on to open files on the sticks and click the links they contained.
While this was an experiment rather than a live attack, it illustrates how much misplaced trust many people still place in technology, and how a single careless action can compromise computer systems and the valuable information they hold. In a real attack the finder would not even need to open a file: a device of unknown origin plugged into a corporate machine is itself a delivery route for malicious code.
Unfortunately, most companies are still a long way from understanding how the ways their staff use technology can harm their business and operations. As Verizon reported in its 2015 Data Breach Investigations Report, 90% of successful cyber-attacks succeed because of human error. This situation won’t improve until organizations recognize that their greatest vulnerability to attack is their people, and that effective and engaging awareness learning for all staff is one of their most critical security controls.
Sadly, according to CompTIA's research, 45% of US employees receive no cybersecurity training at all, and where training does exist it is often “cursory”. Typically, responsibility for security awareness learning sits with the IT team: they understand what staff shouldn’t be doing, but they don’t necessarily know how people learn most effectively. An annual piece of e-learning isn’t enough; learning needs to be immersive and engaging, and it needs to tap into people’s fundamental behaviour with technology.
This appears to be even more critical with the young workforce, who are apparently the most careless about cyber security. While they have grown up as digital natives, they seem more willing to embrace technology’s opportunities than to acknowledge its accompanying risks. Millennials and other staff may look to the IT department for protection but, when attackers look for a way in, they are looking at them!
And – at the other end of the scale – despite the number of high profile cyber breaches in corporate America, the C-suite has been slow to respond. Yes, things are changing, but boardrooms still suffer from a lack of high quality information about cyber vulnerability in their companies. There also appears to be a lack of cyber security capability at the highest level: the recent IT Governance ‘Boardroom Cyber Watch Report’ found that 30% of respondents identified their boards as “lack[ing] the knowledge and qualifications to exercise effective governance in this area”.
So, where should companies start to address the cyber risk posed by their employee behaviour?
First, organizations need to pinpoint what information and capabilities are most critical to protect and understand what their greatest vulnerabilities are. Then, they need to consider a new approach to a company-wide programme to raise employee awareness and confidence in how to identify and respond more effectively to both cyber-attacks and simple lapses of concentration.
This new approach must include:
- Ongoing, short, regular learning that has minimal business impact
- Adaptive and personalized content
- Engaging, competitive and fun content for effective learning
- Measurable outcomes based on skills and knowledge improvement
And in adopting this new approach, organizations will be building their capability to:
- Reduce the risk of a successful and damaging cyber-attack
- Deliver awareness learning through an effective, efficient and consistent mechanism
- Operate a security control that directly addresses people-based cyber risk
This is all about driving new, more cyber resilient behaviours across all your people. It will represent one of the most effective ways to manage your cyber risks if you do it well.
See our RESILIA™ section for more information about cyber resilience.
Read more AXELOS Blog Posts from Nick Wilding