What Distinguishes Sustainable Security Awareness Campaigns
Cybersecurity is a hot topic that has reached every corner of society. Regional newspapers regularly report on cyber attacks against local businesses, municipalities and public authorities, and hospitals. IT security providers support companies and organisations with solutions that protect them from cyber attacks and from the loss of valuable data. Well-known bodies recommend lists of critical security controls (CSC) with which companies can protect themselves effectively against cyber attacks. The more of these controls are implemented and actually in use, the stronger the company's line of defence.
In this context, the human factor is often seen as the most important, but also the weakest, link in a holistic approach to security:
The human being is a gateway for attacks and thus also the ultimate line of defence that makes the difference.
Humans differ from other living beings and from machines in their ability to communicate, to be creative, and to think abstractly and critically. These abilities make cyber security an exciting challenge, because ultimately cyber security is always a contest between humans: in sophisticated attacks, attackers and defenders alike use these uniquely human capabilities to achieve their goals.
Are AI and automation replacing human skills?
So what about efforts to support humans through AI and automation? We read about "real-time autonomous protection" and "fully automated incident detection, investigation and resolution". But do these claims really describe what security products do? And do they actually improve security operations?
There is still a big difference between genuine human consciousness and its artificial simulation. An AI system is only as good as the model it is built on. AI and automation are at a disadvantage compared to humans because we are not determined or constrained by a model: we do the unpredictable, and that is exactly what attackers do. "Humanity" is simply not yet (and may never be) replicable by artificial intelligence. No effective cyber defence tool has yet been developed that works without human intervention. The bottom line, arguably, is this: security tools cannot do what humans can do.
Technology should make people better, not replace them.
Security solutions need to help security teams do their jobs better on the human, process and technology sides. Technology and automation play important roles in this. By shifting the focus from the technology to the security analyst, we enable analysts to be true defenders. Technology should make people better, not replace them, if we are to win the battle against the attacker.
IT department and End Users - Not a Love Affair.
So far, we have looked at the human factor from the security team's side. In the context of security awareness, however, we think first and foremost of the user. Both matter in a corporate security strategy: on the one hand the IT department, on the other the end user. The relationship between them is not always a love affair. The question is always: how far may IT requirements go without restricting the users' freedom and productivity too much? When we talk about cyber security awareness and cyber security culture in a company, we are addressing, in addition to the "hard" technical solutions, the "soft" factors at the boundary between HR, IT and the workforce.
How successful are security awareness programs?
Many renowned institutions, such as NIST (National Institute of Standards and Technology), the Center for Internet Security (CIS) and the US Department of Homeland Security, as well as the BSI and Bitkom in Germany, point out the significance of such programs. Security awareness training has become an important part of corporate cyber security. The reasons and intentions behind it have already been discussed.
But what does the track record really look like?
Too often, when security teams pursue IT security awareness, they focus solely on training and education. Attack vectors and tactics are typically discussed with reference to the people in IT or OT (operational technology). What falls short is the real goal: lasting behaviour change and a true culture of cyber security.
Standards such as ISO/IEC 27001 mandate security awareness as part of a security program, yet security awareness training has often not achieved the desired results. What the standard requires, in essence, is that companies can demonstrate to auditors that this training takes place and that it is compliant. And that is perhaps the issue: it does not answer the questions of why and how. Many security teams offer security awareness training to employees so that they can tick the compliance checkbox, and the results are:
- passive participation,
- little fun, and
- many topics within a very short time.
IT security awareness methods often barely take interdependencies and attack chains into account, and instead address individual attack vectors here and there, while the purpose should be to bring about a lasting change in behaviour.
Involve the workforce!
Develop security awareness programs with the involvement of the staff. Employees just want to do their job without having their productivity or freedom restricted, and they often see cyber security as a nuisance.
Companies are beginning to realise that simply creating "security awareness" is not enough to change behaviour permanently. They need to focus on the people these programs are meant to reach. Employees in organisations with a strong cyber security culture are trained, empowered and enthusiastic about their personal cyber security and that of their employer. That is why it is important to put the person at the centre of cyber security rather than just delivering superficial training or throwing in a microlearning module here and there.
The reality is that users often continue to write passwords down in notebooks or store them electronically, engage with suspicious emails, and generally exhibit many unsafe behaviours online. Furthermore, only 27% of employees globally say they are aware of their current security policies, and 8% of them admit to ignoring or circumventing those policies (Source: Forrester Analytics Business Technographics Workforce Survey, 2020).
Sustainable security awareness programs address hearts and minds
Take the following ideas to heart and learn from these approaches:
- Make sure that stakeholders are not only aware of the importance of IT security, but also understand why it is important. Without that connection, no amount of training will change behaviour in the long run.
- Implementing holistic cyber security is a project in its own right. It follows several design principles that show how to create a sustainable culture of cyber security.
- Successful security teams also approach a serious topic playfully, with humour and fun, e.g. during a workshop.
- Use modern learning methods (micro-learning and nano-learning) and motivate users with short, concise content.
- Use experiential learning and gamification to create understanding.
- Everyone has a different perception of security and therefore a different sense of what is relevant to them. Educate your target audience on topics that are meaningful to them, such as personal cyber security at home, to draw them into the conversation.
- Humans learn through repetition. The forgetting curve shows how memory declines over time, which is why repeating simple slogans is important.
- Create a fear-free space instead of publicly pillorying an employee who clicked the wrong link in your phishing simulation.
In our next article, we look at why, despite security awareness programs, inadequate processes still prevent employees from building a security culture, why passwords are a big problem, and how the Zero Trust model can help.
Would you like to learn more about the contents of security awareness training? Read more here.
Image source: iStock