With Christmas approaching quickly and businesses focused on completing their end-of-year sales targets and projects, the holiday season often becomes a time when employees are so busy trying to answer every email and close out work before year-end that they can easily click on a wrong link and fall victim to a cyberattack. Dani Michaux, EMA cyber leader, explains.

The world’s largest businesses are spending millions a year on cyber security infrastructure and yet are still falling prey to hackers. The reality is that, whether you are a multinational with a big IT budget or an SME with less money to spend, the most important and cost-effective way to prevent cyberattacks remains addressing the human factor. Firewalls and associated technology have become increasingly essential to all businesses, but they cannot offer full protection. In fact, according to recent research by Stanford University, 88% of breaches include some element of human error.

Why cyber security matters

The consequences of falling victim to cyber threats are serious. Simply clicking on a link from a malicious phishing email can ultimately lead to system outages for weeks or even months in some cases. Cyberattacks can lead to enormous monetary loss – not to mention the reputational damage associated with sensitive customer, employee or business information getting into the hands of hackers or even worse, becoming public. While some may think that the data they personally hold isn’t all that valuable, we have learned that information is always valuable to someone and is easily re-sold on the dark web. 

Treating cybersecurity as a 'one and done' issue won't cut it anymore.

Current practice

Many organisations address cyber security with their employees only once a year, at a company-wide event or training day. While these events are valuable, the message presented often fades quickly and fails to make any meaningful and necessary change in employee behaviour. In the past, the approach to cyber security across most organisations was to treat it as a ‘one and done’ issue.

Such approaches won’t cut it anymore. A modern cyber security programme must project a consistent and persistent message that cyber security is an essential part of ‘how we do business’. Cyber security awareness needs to evolve from an annual event to an integral part of who a company is in order to ensure trust in the marketplace. 

Human firewalling

KPMG recently released a global report entitled ‘Human firewalling’. The report explores five key steps organisations should take to increase awareness and build an integrated, holistic approach to employee communication around cyber security. The five steps include:

  1. Taking advantage of the science behind adult learning techniques
  2. Using change management to reinforce behaviour
  3. Making training more engaging with innovative technology
  4. Personalising the experience to make it memorable
  5. Organising around a theme that’s communicated regularly

Human firewalling aims to move security awareness from being a conscious choice to an ingrained habit. In other words, the message must reach the part of the brain where it becomes second nature. It needs to leverage the highly visible and vocal support of your C-suite and senior leadership, who lead by example.


Engaging emotionally

Staff also need to be engaged at an emotional level. Cyber security awareness programmes need to inspire employees to become better digital citizens and improve their practices not only at work but at home too, which has become increasingly important now that most organisations have adopted work-from-home and hybrid models over the last two years.

Businesses should communicate not only why cyber security matters, but also what’s in it for them personally. Our natural instinct as humans is often to resist change, so striking an emotional chord is essential to landing the message with employees.

This isn’t as difficult as it may sound. There are simple and effective ways of getting the message through to your teams. Educational bulletins that stay on topic and refer to timely, relevant examples can be created and distributed monthly. Regular alerts should be sent out to remind employees to take specific actions, such as changing their passwords or making sure their IT equipment is properly secured.

Organisations should also make use of their employees to drive the message home. Developing cyber role models and digital trust champions, and celebrating employees’ successes in protecting the business, is key to the success of human firewalling.

Measuring success

It’s also important to measure that success. As you roll out your human firewalling programme, be sure to keep track of the number of suspicious emails being reported, participation in any live events or training modules, and employee feedback on the effectiveness of your communications.

If you are successfully enabling your employees to become human firewalls, the results should be easily visible. 

This article originally appeared in Business Plus magazine and is reproduced here with their kind permission.

Get in touch

If you're interested in understanding how human firewalling can work for your business, please contact Dani Michaux of our Cyber team. We'd be delighted to hear from you.