Today's columnist, Charaka Goonatilake of Panaseer, writes about how companies must create a security culture to better protect the organization from human error, which the Verizon data breach report points out is one of the leading causes of cyberattacks.

For several years cyber awareness was considered a regulation-required, tick-box exercise of secondary importance. It often felt like a chore—or worse, an activity that got in the way of people doing their day jobs. However, the “human element” has become a real and growing area of cyber risk – and that’s why we need to get it into the spotlight and ensure that cultivating a cyber awareness culture becomes a strategic priority.

Look at the numbers. Some studies trace 90% of cyberattacks to human error. Last year, Verizon’s data breaches report showed that human error was the only factor with year-over-year increases in reported incidents. The average cost of a data breach from human error now stands at $3.33 million, according to IBM’s Cost of a Data Breach Report 2020.

Care about cyber culture

Organizations really have to start caring about cybersecurity. Users are stereotypically viewed as the source of problems. We need to flip this view. When people are transformed and empowered to become an asset, rather than a liability, they can effectively start acting as the first line of defense.

Most people truly do care about the security of their customers and companies, and most accidents are just that. Moving from a culture of fear, blame, or repercussions to one of accountability and honesty can do wonders. Encourage people to report odd emails, even if they’ve opened or replied to them. Companies can drastically change their security cultures by showing that mistakes are made and that it's not the end of the world.

If users view cybersecurity measures and policies as cumbersome because they get in the way of their day job, they clearly aren’t incentivized to become part of the solution. Engage and educate people in a positive manner – and make it relevant to them. After all, most people want to help and few want to cause a costly breach or security incident. Tapping into this personal element will get them on your side.

Identify the people who “get” and care about cybersecurity. These people may have had incidents in their home life, so they understand the severity and repercussions. They can become advocates and be channeled to work as cyber champions – engaging their teams and fostering an awareness culture. Gamify their work with a “wall of fame” for the teams that are working hardest to keep the company safe.

Move to measurement

Not all regulations require a security awareness element. I consider this a hangover from when cyber awareness was viewed as a secondary aspect of security. Looking ahead, regulators will need to change their line of questioning to factor this in, and not just from a tick-box perspective. For example, it’s not good enough to ask if staff have done their cyber training, we’ll need to measure and show evidence of how effective the training has been.

There’s also an important difference between measuring security awareness and measuring security culture. By giving staff a questionnaire, the company can get a temperature check on security awareness. However, measuring security culture requires checking that the situation has improved and people are becoming increasingly engaged, getting more questions right and answering them faster.

Culture goes beyond just answering more questions correctly in the questionnaires – it’s about changing the behaviors and habits so that good security practices become ingrained in the day-to-day working life. Security becomes pervasive in how the business operates.

Get the full picture

The SANS 2021 Security Awareness Report outlines that it has never been more important to effectively create and maintain a cyber secure workforce and a vibrant security culture. More than 75% of security awareness professionals spend less than half their time on security awareness, which implies that most security pros only work on awareness part-time. Dan DeBeaubien, SANS Security Awareness Director, says: “while security awareness programs are gaining executive support, there’s still a long way to go before enough personnel, resources and tools are allocated to this effort.”

Of course, meaningful insight requires the right data. After all, without visibility of people, policies and data, the company won’t know if all new joiners have enrolled in mandatory training. How often have new joiners clicked on phishing emails, compared to people who have been with the organization for 10 years? Do people with longer tenures click more or less? Which departments click the most? Do managing directors click more or less than entry-level employees? Are there repeat offenders and high-risk administrators failing phishing tests who could provide attackers with elevated privileges?

Answering these kinds of questions delivers much more meaningful insight than just looking at the number of clicks or auto-locks in isolation. Use these answers to adjust the company’s training accordingly. Then overlay this information to get real understanding, value, and insight into the organization’s cyber awareness culture.
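As an added illustration (not part of the original column), the following script joins simulated-phishing results with HR attributes and answers the questions above: click rates by department, tenure and seniority, the trend across campaigns, and repeat offenders flagged by admin rights. All user records, departments and campaign results are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample HR data (hypothetical users): department, grade, start date, admin rights.
PEOPLE = {
    "u1": {"dept": "Finance", "grade": "MD", "start": date(2012, 3, 1), "admin": False},
    "u2": {"dept": "Finance", "grade": "Analyst", "start": date(2023, 9, 4), "admin": False},
    "u3": {"dept": "IT", "grade": "Engineer", "start": date(2021, 1, 15), "admin": True},
    "u4": {"dept": "IT", "grade": "Engineer", "start": date(2024, 2, 1), "admin": True},
    "u5": {"dept": "Sales", "grade": "MD", "start": date(2014, 6, 1), "admin": False},
}
# Constructed phishing-simulation log: one record per email sent (user, campaign, clicked?).
RESULTS = [
    ("u1", "q1", True), ("u1", "q2", False),
    ("u2", "q1", True), ("u2", "q2", True),
    ("u3", "q1", False), ("u3", "q2", False),
    ("u4", "q1", True), ("u4", "q2", True),
    ("u5", "q1", False), ("u5", "q2", False),
]

def tenure_bucket(start, today=date(2024, 6, 1)):
    """Bucket a start date into tenure bands so new joiners can be compared with veterans."""
    years = (today - start).days / 365.25
    return "<1y" if years < 1 else "1-5y" if years < 5 else "5y+"

def click_rate_by(key_fn, people=PEOPLE, results=RESULTS):
    """Click rate grouped by any attribute of the recipient (dept, grade, tenure band...)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for user, _campaign, did_click in results:
        key = key_fn(people[user])
        sent[key] += 1
        clicked[key] += did_click
    return {key: round(clicked[key] / sent[key], 2) for key in sent}

def trend_by_campaign(results=RESULTS):
    """Overall click rate per campaign: a falling series is evidence the culture is improving."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _user, campaign, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += did_click
    return {c: round(clicked[c] / sent[c], 2) for c in sent}

def repeat_offenders(min_clicks=2, people=PEOPLE, results=RESULTS):
    """Users who clicked in at least min_clicks campaigns, with admin flag to prioritise follow-up."""
    counts = defaultdict(int)
    for user, _campaign, did_click in results:
        counts[user] += did_click
    return {u: {"clicks": c, "admin": people[u]["admin"]} for u, c in counts.items() if c >= min_clicks}

if __name__ == "__main__":
    print(click_rate_by(lambda p: p["dept"]), click_rate_by(lambda p: tenure_bucket(p["start"])))
    print(click_rate_by(lambda p: p["grade"]), trend_by_campaign(), repeat_offenders())
```

Feeding real HR and phishing-platform exports into the same functions gives the tenure, department and seniority breakdowns the column asks for, rather than a single click count in isolation.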

Charaka Goonatilake, chief technology officer, Panaseer