Historically, cybersecurity has been perceived as a technology problem, and so businesses have always passed the cybersecurity responsibility to technology teams. These teams naturally turn to technology tools to solve security problems. But here’s the thing: cybersecurity is not a technology problem, it’s a business problem.
What’s more, most cyber-attacks have nothing to do with technology per se. What began as spam has evolved to phishing attacks, and these have grown in sophistication. These scams use social engineering techniques to play on human emotions and trick people into doing things they shouldn't, like clicking a malicious link or revealing personal information.
The Growing Importance Of A People-focused Defense
Hackers are ROI-focused. They want to smash and grab whatever they can and move on to the next victim. Why spend days, weeks and months analyzing victim environments, searching for vulnerabilities, and looking for blind spots in cybersecurity defenses, when adversaries can simply walk through the front door? This is exactly what’s currently happening in cyber.
As much as 74% of attacks can be traced to social engineering, stolen credentials and privilege misuse, because it’s much easier to hack a person and infiltrate an organization than to breach cybersecurity defenses. This hasn’t been the case historically, because early computer systems were less immune to internet-based attacks and poorly equipped with native cybersecurity defenses.
Six Tips for Building a People-focused Security Strategy
In general, we are creatures of habit and can end up being predictable in our thought processes and behavioral patterns; such habits cannot change overnight to prop up security defenses. It takes time and a consistent long-term strategy. Here are six tips that can help boost the people side of security:
1. Focus on behavior: Organizations deliver annual training and believe it’s adequate for making employees responsible and cybersecurity aware. Awareness and behavior are not equal: roads post speed limits, but we often break those rules. Focus instead on training exercises that alter behavior. For instance, running bi-weekly phishing simulation exercises can help employees build muscle memory in identifying, blocking, and reporting phishing messages.
2. Position security alongside business strategy: Cybersecurity is often considered a low priority because employees have more important things to do. If leaders change the narrative around cybersecurity, show how it can avoid serious business disruption, boost customer trust and confidence, and increase the bottom line, then chances are that employees will see cybersecurity in a more consequential light.
3. Practice empathy: We each have different levels of skill and security maturity, and different attitudes towards cybersecurity. It’s important that organizations acknowledge these differences and practice empathy and patience while coaching employees. Avoid being arrogant, punitive and fear-focused, as this is known to create a toxic environment. Instead, create a supportive culture where workers are not afraid to report a breach or social engineering scam, or to ask questions.
4. Use storytelling to sell your purpose: It’s important the employees understand that cybersecurity is a positive, something that helps the business thrive. Use analogies and anecdotes to make your training content more digestible and relatable. Leverage current events and news stories (such as ransomware victims) to educate and advocate security but refrain from using scare tactics.
5. Make it fun and interesting: Cybersecurity doesn’t have to be a serious thing. It can be an interesting way to build fun, rapport and engagement amongst employees. Use gamification tools and methods, run contests, offer freebies, and recognize people for their efforts and support. Such activities not only motivate people more, they can also alter attitudes and mindsets towards cybersecurity.
6. Use advocates and influencers: Culture is contagious. Find leaders from within, people that are influential and enjoy a certain level of trust in the company. Leverage their clout to unify the team and influence their security mindset. A positive security culture can accelerate people-focused security outcomes dramatically.
While technology-based security controls are important and should be deployed, relying solely on them may not be sufficient to prevent security breaches. Therefore, people-focused security measures have become crucial.
By providing thorough training to employees, organizations can instill a strong commitment to security in their workforce. Cultivating security intuition among employees acts as an additional layer of defense, compensating for potential shortcomings in technology-based controls. With well-trained employees who prioritize security, organizations can strengthen their overall security posture.
Ani Banerjee is Chief Human Resources Officer for KnowBe4, responsible for HR operations across 11 countries and developing new initiatives to enhance the company's organizational culture, recruitment channels, and diversity, equity, and inclusion strategies. He has 30 years' experience in global HR leadership roles working for VMware, Dell, Yahoo, and AOL.