If there’s one thing that’s true about our era, it’s that cybercrime is rampant. To illustrate, let me hit you with just one shocking statistic. Ransomware cost organizations more than $20 billion in the last year alone, and that’s just one category in the sea of versatile cybercrime methods.
How is this possible?
The good and bad news is that more often than not, the answer is simply – human error. As such, 95% of all cybersecurity breaches are due to a human factor.
Sad but true.
People are prone to behaving in a way that makes them an easy target for cybercrooks who deploy diverse social engineering and other methods to hack organizations. Not just that, but the increasing popularity of remote work has complicated things even further and increased the risks all the more. So, how do organizations deal with this? They try to reduce the threat of the employees’ risky behaviors by using security awareness tools and methods aimed at changing employee cyber behavior. In fact, some countries even have laws mandating security awareness training in certain industries.
But these attempts just don’t cut it anymore and, to be honest, it’s difficult to say if they ever have. Reducing the human attack surface by changing your employees’ cyber behavior requires a platform with different capabilities than old-school security awareness tools.
So why do traditional methods leave you exposed?
Traditional methods don’t work anymore because they rely on these outdated best practices:
1. Out-of-context training
Cyber-criminals have diversified their activities and adapted to most of the existing practices. So, many traditional security awareness tools fail to keep up with the times and take into account the growing and ever-changing landscape of cybercrime. Just take a look at this list of tasks expected from employees (and it is far from complete):
- Spotting spear phishing emails among hundreds of daily emails
- Keeping a strong password and changing it frequently
- Browsing the internet safely
- Securely disposing of confidential documents
- Preventing credentials from being stolen
- Avoiding downloading malware
- Reading and approving the security policy
- Covering their webcams while not in use
- Locking their screen when they take a coffee break
- And many more…
And your employees need to be top performers in each of them.
Intervening in the right context also means understanding the challenges and nature of your employees’ work, so you can tailor their training accordingly. For example, instead of sending a “how to securely handle files” training to everyone, send information relevant to specific departments. So the finance department, which mostly uses Excel files, doesn’t need to receive information about other file types, like PowerPoint and Adobe Photoshop, which they most likely don’t use. This also shows care for your employees on a more personal level, rather than just throwing irrelevant security policies at them.
2. One-size-fits-all approach
Traditional tools also focus on blanket training methods or the one-size-fits-all approach for all categories of organizations, departments, and employees. Changing cyber behavior requires the cooperation of both you and your employees. The moment they realize that your content, training, and messaging are not relevant to them, they will tune out and you will lose their cooperation. You may think that this approach is cost-effective at first glance, but it’s ultimately inefficient as it fails to account for the diversity or scope of the business, all of its divisions, different roles, demographics, cyber behavior, and understanding and practice speed.
To successfully fight off cyber behavioral threats, every single employee has to be properly engaged in the effort in a way that’s personalized for them, which is not at the core of these tools.
And when the approach is not personalized, it can create negativity about the whole process.
For example, training materials that are suitable for an IT employee won’t have the same effect on an accountant. Also, younger employees may respond better to instant messaging, while older employees fare better with videos or short training.
3. Learning only from a textbook can’t influence cyber behavior
Imagine you learned to drive just by studying the driving manual, without any practical experience. You wouldn’t be a very good driver, would you?
Yes, you might know all the car parts and traffic rules, but you wouldn’t know how to react in a real-time situation you have no experience in. In the same way, traditional training methods like long, out-of-context training, policies, and video alone, without real-life practice, aren’t effective in changing cyber behavior. And it makes sense. You can’t argue with that. You can’t expect your team to view all the content you throw at them. And even if they do, it’s not realistic to assume they’ve absorbed the knowledge efficiently and are ready to deal with whatever comes at them.
Also, the traditional passing of theoretical knowledge about information security may be powerless against cognitive biases that affect the employees’ behavior in the workplace and lead to cyber-risks. Simply put, you may teach them all about proper security habits, strong passwords, how to spot red flags in emails and websites, and so on. But, the unconscious and systematic errors in thinking may cause them to fail to apply this knowledge in practice.
Human behavior patterns are hard to break.
4. Lack of immediate feedback
Another problem with traditional tools is the lack of proper immediate feedback from the field. Your organization requires immediate, real-time feedback so it can deploy the best possible mitigation measures without delay, as soon as the problematic cyber behavior is discovered. On top of that, changing cyber behavior is more effective when feedback is immediate and in real time as opposed to, say, a month later. So, the intervention must be immediate and tied to the action that triggers it. Traditional tools often require significant human effort to carry out in-depth behavior analysis, which may take days or weeks. The process can be sped up, but usually at the expense of quality.
In the behavioral change sphere, not having quality feedback or receiving it after a while can make a difference for the worse.
5. Not tracking the right metrics
Measuring employee behavior requires a massive amount of data and the use of advanced behavioral algorithms based on machine learning that go beyond collecting click rates in phishing simulations or completion of safe browsing training. “What gets measured gets done” is a proverb that applies in many business contexts, but even more so in cyber behavioral change. The thing is that tracking the right amount of context-specific metrics is often easier said than done, especially because security awareness is all about people’s behaviors. Here’s what the main problem is: measuring security behavior is usually carried out by assessing knowledge. But, as we said before, actual behavior on the ground doesn’t necessarily reflect knowledge.
Employees may be aware that weak passwords are a liability, yet continue using them due to optimism bias (thinking bad things only happen to someone else). They may also overestimate their abilities (the Dunning-Kruger effect) to recognize a phishing attack and thus become the victim of one, despite knowing all the warning signs by heart. Not to mention that many of the metrics you retrieve are only significant when interpreted in contrast to other metrics.
For example, observing the use of antivirus software or the speed of following suspicious email links alone doesn’t give much information about an employee’s general cyber behavior. And just because your employee uses sophisticated passwords doesn’t mean they have a high level of behavioral cyber awareness. On top of that, many measurements fail to account for the individuality of each employee and their level of agreement or disagreement with the security policies of your company. This is an important factor when wanting to change behavior, and especially cyber behavior. How they feel matters. And you also have to pick your battles when trying to change cyber behavior.
Your employees engage in dozens of daily cyber behaviors, but they’re not all equally dangerous. Setting the right priority begins with measuring the risks that matter to your organization.
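To make the two points above concrete (metrics only mean something in contrast to each other, and not every behavior deserves the same priority), here is an added example of a risk-weighted ranking over per-employee behavior events. It is illustrative code written for this page, not any vendor's scoring model: the severity weights, the 30-day half-life, the event names and the sample telemetry are all constructed assumptions. It shows that an employee with no weak-password findings can still be the top priority because of recent phishing clicks, that reporting phishing offsets risk, and which single behavior the feedback should be tied to.

```python
"""Risk-weighted prioritisation of employee cyber behaviours.

Added example with constructed events and assumed severity weights,
not a vendor's scoring model. It demonstrates why one metric (e.g. password
strength) cannot stand in for overall risk, and how to rank who needs
intervention and on which behaviour that intervention should focus.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed severity weights per observed behaviour (illustrative, not calibrated).
# Negative weights are protective behaviours that offset risk.
SEVERITY = {
    "phishing_link_clicked": 8.0,
    "credentials_entered_on_phish_sim": 10.0,
    "unknown_attachment_opened": 7.0,
    "weak_password_detected": 4.0,
    "screen_left_unlocked": 2.0,
    "phishing_email_reported": -3.0,
}

HALF_LIFE_DAYS = 30.0  # assumed: an event's weight halves every 30 days


@dataclass(frozen=True)
class Event:
    employee: str
    behavior: str
    when: datetime


def recency_weight(event_time: datetime, now: datetime) -> float:
    """Exponential decay so recent behaviour dominates old history."""
    age_days = max((now - event_time).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def score_employee(events, employee, now):
    """Return (total_score, per-behaviour contribution) for one employee."""
    contrib = defaultdict(float)
    for ev in events:
        if ev.employee != employee:
            continue
        if ev.behavior not in SEVERITY:
            raise ValueError(f"unknown behaviour: {ev.behavior}")
        contrib[ev.behavior] += SEVERITY[ev.behavior] * recency_weight(ev.when, now)
    # Protective behaviour can offset risk but never drive the score below zero.
    total = max(sum(contrib.values()), 0.0)
    return total, dict(contrib)


def prioritize(events, now):
    """Rank employees by risk and name the behaviour driving each score.

    Returns a list of (employee, rounded_score, top_risky_behavior_or_None),
    highest risk first, so feedback can target the triggering behaviour.
    """
    ranked = []
    for employee in sorted({ev.employee for ev in events}):
        total, contrib = score_employee(events, employee, now)
        risky = {b: c for b, c in contrib.items() if c > 0}
        top = max(risky, key=risky.get) if risky else None
        ranked.append((employee, round(total, 2), top))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


NOW = datetime(2024, 6, 1)
# Constructed sample telemetry: alice has no password findings but clicks links;
# bob only has a weak password; carol only reports phishing.
SAMPLE_EVENTS = [
    Event("alice", "phishing_link_clicked", NOW - timedelta(days=1)),
    Event("alice", "phishing_link_clicked", NOW - timedelta(days=3)),
    Event("alice", "screen_left_unlocked", NOW - timedelta(days=2)),
    Event("bob", "weak_password_detected", NOW - timedelta(days=10)),
    Event("carol", "phishing_email_reported", NOW - timedelta(days=1)),
    Event("carol", "phishing_email_reported", NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for employee, total, top in prioritize(SAMPLE_EVENTS, NOW):
        print(f"{employee:6s} risk={total:6.2f} intervene on: {top}")
```

The decay is what keeps feedback tied to recent actions rather than to a stale annual score, and the per-behavior breakdown is what lets the intervention name the specific behavior instead of sending generic training. Real deployments would calibrate the weights against incident data and add the demographic and role context the text describes.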
Get (and stay) ahead of the cyber bandits
Here’s the bottom line you have to consider.
All of the above shortcomings, together with cybercriminals becoming more cunning with each new day, mean that traditional security awareness tools no longer do the trick. A new approach is necessary if organizations are ever to stand a chance. The solutions deployed in this new approach would have to be proactive, self-learning platforms that factor in diversity, each employee’s cyber behavior, the changing cybersecurity atmosphere (new types of attacks), detailed big data analytics, and the effectiveness of the contextual behavioral change process.
This is the only way to accomplish a complete, thorough, and efficient cyber behavioral change process for your organization and minimize your employees’ cybersecurity mistakes.