Data is one of the most valuable commodities of the 21st century, and protecting it is correspondingly important. While information security may seem like a task reserved for IT professionals, all staff play a critical role in keeping company and employee data secure and protected from unauthorized manipulation, inspection or destruction.
Historically, many information security awareness programs have been run simply to “tick a box,” and, as a result, staff treat them as yet another administrative exercise. They rush through the questions to get back to their day-to-day work, only to revisit the same material the following year. Meanwhile, as technology evolves, cyber threat actors continue to adapt their tactics, taking advantage of human error, ignorance and deception. We need to find a way to engage with our staff and actually change their behavior, not just their knowledge.
In addition, the COVID-19 crisis has forced businesses to operate remotely, placing the organization’s sensitive information at greater risk. A Gartner survey suggests that 80% of company leaders plan to allow employees to work remotely at least part of the time after the pandemic, while 47% will allow employees to work from home full-time. A PwC survey found that 78% of CEOs agree that remote collaboration is here to stay for the long term.
Therefore, as companies move towards long-term remote or hybrid work arrangements, the need for effective controls to protect against, detect, respond to and recover from a cyber-attack or data breach is greater now than ever before. So how can employers cultivate a security culture in their organization?
- Make security personal: Employees are the front line of defense against cyber-attacks and malicious actors. Companies need to make security personal by encouraging staff to think about protecting themselves and their families, not just the firm, from a cyber-attack. To help with this, organizations should develop innovative programs and think outside the box so that staff develop a sense of personal responsibility for defending against cyber-attacks. For example, a company could partner with a children’s charity to run ‘lunch and learn’ sessions on how staff can talk to their kids about social media and online threats.
- Introduce security awareness programs: According to IBM Security’s 2020 “Cost of a Data Breach Report,” having a remote workforce increased the average total cost of a data breach by $137,000, against a global average cost of $3.86 million in 2020. Attackers can spend months reconnoitering a target before compromising it. Companies, meanwhile, are happy to spend thousands of dollars on advanced IT controls but refrain from investing in an impactful awareness program. Employers must therefore treat information security awareness training as a prerequisite for changing behavior, and invest in security awareness programs that benefit their employees both professionally and personally.
- Teach the lesson of cause and effect: Providing an interactive environment in which to learn about information security goes a long way towards ensuring employees take the training program seriously. If staff are exposed to the financial and reputational costs of cyber-threats, they are better able to recognize the link between their actions and the outcome. The aim of such initiatives should be to change staff behavior, not to close an audit point or tick a box.
- Educate your staff on some of the techniques used by cyber-criminals: This means not the technical details of a hack or exploit, but how stolen personal data, often harvested from social media sites, can be used to trick or “socially engineer” people into clicking on a malicious link or opening a malicious email. Provide advice on locking down social media accounts and on not sharing personal data with people they do not actually know.
Nowadays, attackers use various tools and techniques to profile the employees of the company they would like to target. Internet security has therefore become a priority, all the more so as companies explore API integrations, which create yet another potential security shortfall for those caught unaware. Those who have not yet recognized this need to make it a business priority and educate their staff to be part of the solution, not the problem.
David Cripps, Chief Information Security Officer, Moneycorp