The challenge of managing cyber risks in the new reality, especially in the onset of this global pandemic, has become more complex and demanding. The enforcement of movement orders has forced employers to quickly identify new ways to operate and sustain business operations by enabling large number employees to work remotely.
The economic impact also forced business leaders to review and adjust not only operating budgets but also investment allocations. All of this is unfolding even as cyber-attacks are becoming more frequent and sophisticated with people’s fears, personal health and job security being exploited.
Many organizations are now racing to adopt new technologies and digitalize processes to improve productivity, reduce cost and increase competitive advantage. However, I’ve observed how companies tend to overlook the human risk factor in this accelerated technology transformation race.
The result is predictable: Organizations become more vulnerable to cyber criminals who engage increasingly sophisticated social engineering techniques that exploit their personnel’s behavior. One example can be found in the U.S. where a Russian man was caught and pled guilty for plotting to extort money from Tesla by offering an employee USD 1million to place ransomware in Tesla’s IT network.
This example had a happy ending, but it’s unfortunately an exception. More often than not, cyber incidents cause prolonged distress with significant losses in finance, customer trust and brand reputation.
In the cyber world, the human risk factor is a crucial element in any cyber security program. As the saying goes, you are only as strong as your weakest link. Think of your personnel as a human firewall that can prevent (or enable) a cyber incident with far reaching consequences.
A recent research into strategic priorities for CISOs in 2021 found that instilling a cyber security culture through effective communications and training is ranked at the top by more than 2,000 cyber decision makers across the Asia Pacific region.
As cyber-attacks and tools get more elaborate, it’s obvious that traditional training and awareness campaigns are no longer sufficient. In my view, training and awareness alone have not been effective to reduce the human risk factor. A key focus must be to continuously influence long-term cyber behaviors within the workforce.
But where do you start? First, understand your key stakeholders as each group carries a unique definition and training approach. There are generally four key stakeholder groups in any organization:
Now define your behavioral baseline and target state. Be very clear about what you are trying to achieve or what behaviors you are championing. Make the targeted behaviors very clear to ensure leadership alignment, and make it known through effective communications across the organization. Translate the change vision into something real by defining what it means to every stakeholder group and what is expected from them.
Then, make it real and influential by designing a program with creative initiatives that drives positive change in each stakeholder groups’ behaviors through innovation and fun. Don’t be afraid to step outside the box of tradition. I would recommend taking traditional training and awareness approaches and lock them away in the archives. Turn mandatory training into a fun activity by using humor and gamification techniques to bring serious cyber security lessons to life. Ensure learning is interactive, challenging and relevant to your target audience. Measure and celebrate success stories – make it personal and real. Be bold in your approach.
Make it happen by moving your organization towards the target state and equip your workforce to work in new ways. Share different methods with employees to adhere to cyber security policies, e.g. how to create memorable but strong passwords – the use of sticky notes or electronic notepads are not acceptable password storage mediums but are still widely used by people to remember complex passwords.
Make it stick – sustain the behavioral change by measuring it for continuous improvement. Some methods may work better with certain stakeholder groups than others. Be confident and agile to change your approach – if it’s not working, adapt.
As with all security related initiatives, behavioral change is a journey not a destination. Yes, maintaining the human firewall will take continuous effort, but it will be a worthwhile investment. Failure to do so will be akin to granting cyber criminals an open invitation to cause further disruption to operations on top of financial and reputational damage.
 BT APAC Cloud & Services Survey, 2020 (September 9 – October 7)