A CISO’s job is highly demanding. They’re directly responsible for their organization’s cyber security and, among other challenges, have to prevent employees from unknowingly aiding hackers to penetrate the organization.
In our daily conversations with CISOs, we’ve noticed that when it comes to behavioral cyber security, the same five challenges keep coming up. In this post, we address these challenges and suggest the best ways of tackling them.
Challenge No.1: Our employees make cyber behavior mistakes unintentionally. We want them to be more involved in preventing this.
How to make them more engaged:
Solution No.1: Peer-to-Peer learning.
Creating an environment in which employees discuss, interact with, and learn from each other will inspire them to follow good examples and adopt positive cyber security habits.
This can be done in the form of chatbots, peer groups on platforms such as Slack, private social media groups, internal wikis, etc. The idea is to generate a healthy and fruitful discussion. In order to kickstart the conversation, assign a few trusted team members who can share their own thoughts and act as role models (role models have an extra benefit – people mimic the individuals around them, whether consciously or subconsciously).
Solution No.2: Empower with resources and track comprehension.
Make sure to provide your employees with relevant cyber behavior security resources they can access in their own time and at their own pace, without any pressure. Combine this theoretical knowledge with practical tracking of employee activity.
Offer support and education based on employee roles and responsibilities. Deliver relevant content with data-driven personalization that, over time, zeroes in on the lessons each employee needs.
Measure and understand people’s knowledge, understanding, and confidence.
Solution No.3: Simplicity is key.
Traditional security awareness solutions may be too complex, long, boring, or simply not relevant enough. Instead of overwhelming your employees, offer them quick, applicable tips. Break content into frequent and engaging bites and weave them into their daily routines exactly when and where they need it most. This will allow them to retain information longer and more effectively.
Solution No.4: Listen to your employees and adjust in accordance with their needs.
Lead with their priorities instead of yours. Develop a training program that is relevant to them, interactive, updated, clear, and stimulating. Engage them through well-established techniques such as personalized interactions, gamification, informative and engaging videos, and contextual intervention.
Do this consistently and don’t shift to cruise control. Make sure to communicate and ask for feedback.
Challenge No.2: Changing behaviors requires knowledge and soft skills beyond us. We’re tech guys.
How to shift mindsets:
Solution No.1: Behavioral psychology is your best friend.
Use insights and best practices from psychology, such as positive reinforcement, to design your approach and successfully drive change in employees’ cyber behavior. This will help employees clearly understand the consequences of poor cyber decisions, but also the benefits of proper cyber behavior.
Solution No.2: Contextual training.
Identify unique teachable moments for every employee and deliver short, easily digested lessons for each of these moments. For instance, train your employees based on their real-life actions. If an employee tends to forget their password (i.e. they submit too many “forgot my password” requests), offer them safe password training (e.g. explaining the use of a password manager, and the like). If they often visit unsafe websites, offer them training on safe browsing.
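As an added illustration of the contextual-training idea (this is example code, not part of the original post or any vendor product), the script below turns a constructed log of employee events into training nudges: the event names, the 30-day window, the thresholds and the lesson titles are all assumptions chosen for the example.

```python
# Added example (not from the original post): map observed employee events to
# contextual training nudges. Log lines, thresholds and lesson names are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<ISO timestamp> <user> <event>"
SAMPLE_EVENTS = """\
2024-03-01T08:02:00 alice password_reset_request
2024-03-03T09:15:00 alice password_reset_request
2024-03-05T10:40:00 alice password_reset_request
2024-03-06T11:00:00 alice password_reset_request
2024-03-02T13:20:00 bob blocked_url
2024-03-02T13:25:00 bob blocked_url
2024-03-02T13:30:00 bob blocked_url
2024-02-01T09:00:00 carol password_reset_request
2024-03-04T09:00:00 carol password_reset_request
"""

# Hypothetical rules: a behavioural signal, how many occurrences inside WINDOW
# count as a "teachable moment", and the short lesson to offer when that happens.
WINDOW = timedelta(days=30)
RULES = {
    "password_reset_request": (3, "safe-passwords: using a password manager"),
    "blocked_url": (3, "safe-browsing: recognising unsafe sites"),
}

def parse_events(text):
    """Parse the constructed log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def recommend_lessons(events, now_iso):
    """Return {user: [lesson, ...]} for users whose events in the trailing
    WINDOW (ending at now_iso) reach a rule's threshold."""
    now = datetime.fromisoformat(now_iso)
    counts = defaultdict(int)
    for ts, user, event in events:
        if event in RULES and now - WINDOW <= ts <= now:
            counts[(user, event)] += 1
    lessons = defaultdict(list)
    for (user, event), n in sorted(counts.items()):
        threshold, lesson = RULES[event]
        if n >= threshold:
            lessons[user].append(lesson)
    return dict(lessons)
```

Run against the sample, carol's older reset falls outside the window, so only alice (four resets) and bob (three blocked sites) receive a nudge.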
Solution No.3: Scientific evaluation.
Understand what works in changing cyber behavior and why. The factors that affect people’s behavior can be categorized into three groups:
social
environmental
personal