Cybersecurity issues have dominated 2021. Ransomware attacks and data breaches are in the news almost daily, with all manner of businesses and institutions, from large corporations to schools, being affected.
The threat shows little sign of dissipating, with attacks growing both in scale and sophistication. CybSafe’s recent analysis of ICO data found that ransomware attacks on UK organizations doubled in the first half of 2021. For every ransomware gang that is subdued, another soon takes its place.
In the face of this growing threat, businesses are pouring more time and resources into cybersecurity initiatives and training programs. Despite this, new research from CybSafe and the National Cybersecurity Alliance found that 64% of participants still do not have access to any cybersecurity advice or training. Even for those who do receive training, many find the initiatives to be of little to no worth, with 27% saying they did not see the benefits of using the training they have access to.
Improving security awareness is not just a case of increasing the number of initiatives; we also need to ensure existing programs deliver results. If this is not addressed, employees quickly become disaffected with these initiatives, and no real change is realized. This leads to business leaders becoming impatient as their time and efforts are seeing little impact. To meet growing cyber threats and make security awareness more effective, we not only need to perfect our approach towards current initiatives but also go beyond just awareness and create an approach towards cybersecurity that brings genuine behavioral change.
What is Security Awareness?
To perfect security awareness, we need to have a shared understanding of what it entails. Away from the hype, it’s a way for organizations to understand human cyber risk better, making employees aware of how individual behaviors impact the cybersecurity of a business as a whole. When done right, it not only creates a culture where good security hygiene is built-in and naturally fostered but also helps improve customer trust and ultimately employee motivation and well-being, as a result of increased confidence.
Where are Organizations Falling Short?
Most organizations now recognize the importance of security awareness, but not all see tangible results from their endeavors. More often than not, this is because people take the word ‘awareness’ too literally. Building a resilient security culture requires genuine behavioral change that goes beyond just being aware of threats, and it requires providing employees with the tools they need to protect themselves and their organizations.
Often, businesses turn to exercises and initiatives that set out to reduce cyber-risk but are forgotten as soon as they have been completed. The best forms of education do not solely involve telling employees what they need to know and leaving it at that; they require buy-in from both parties to make an impact. Security awareness initiatives need to go beyond box-ticking exercises and inspire impactful and measurable change.
A More Effective Approach to Security Awareness Training
There are a few ways organizations can improve security awareness among their employees.
Planning and personalization can go a long way to address this discrepancy. Before any initiative is implemented, a business needs to be clear who the program will be aimed at, the exact plans for delivery, and what areas need to be covered, given the specific needs of the organization. For example, some industries such as financial services and education are particularly susceptible to phishing attacks. This research should not just be a one-off; cyber-threats are evolving continuously, and as different methods of attack rise and fall in popularity, so too should the areas a business opts to focus on.
This same mindset is needed for our approach towards security awareness in general. Training is forgotten if it is only delivered as a one-off event and, given the shifting nature of the cybersecurity landscape, will also quickly become outdated. By using behavioral nudges and setting regular goals specific to each individual, organizations can ensure employees are both up to date with the latest threats and learn behaviors that can help mitigate them over time.
Data is the key to achieving this. If an organization cannot measure the progress of its security awareness initiative, then there is no way to tell whether a tangible change has been achieved. Metrics help establish at the beginning of a campaign which measures will have the most impact, and help ensure those measures deliver on their promise.
Scrap the Blame Culture
For these measures to succeed, businesses need to move away from the blame culture that can often accompany cybersecurity initiatives. Instead of viewing people as the weakest link, they should be considered the first line of defense against cyber-threats. A more supportive culture keeps everyone on side and improves how security awareness initiatives are adopted. With this as the foundation, coupled with clear metrics and an individualized approach, organizations can turn security awareness from a buzzword into a vehicle for genuine behavioral change.