There are a few things we just won’t stand for in 2020 – but first on the list is the phrase, “employees are the weakest link in cyber security.” It’s a saying that people really should have ditched in 2019.
You can probably guess that since I’m writing this, unfortunately, most people haven’t. Online and even among cyber security professionals, it’s still a common thought process.
“What’s wrong with believing employees are the weak point?”, you might ask. Given the ever-increasing frequency data breaches – with human error often being either a cause or catalyst in the majority of cases – you’d be forgiven for thinking that employees are naturally at fault.
But they’re not – and there are a few logical reasons why.
The weakest link?
Firstly, framing the conversation like this doesn’t get us anywhere. Are football players to blame when they lose a match? Well, in a way, but the players are also to ‘blame’ when they win. And even when they do lose, telling them that they’re the problem is only going to demoralize and lead to further losses.
Secondly, if blame has to lie somewhere, it surely lies with the security awareness programs rather than the employees who rely on those programs to better protect themselves. The reason that human-error breaches continue to occur at such at rate is that – and let’s be honest here – security awareness training in its current form just doesn’t work.
Training doesn’t work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not what necessarily matters. Just because people are ‘aware’ of cyber risks doesn’t mean that, in the real world, they will behave in a more secure way.
To reduce human cyber risk, security ‘awareness’ training – a rather misleading moniker when you think about it – must go beyond raising awareness. It needs to focus on also changing behavior and building a culture of security simultaneously. Collectively, you can think of this as ‘ABC.’
Doing so creates a virtuous circle in which improvements in one area flow into the next. Raising awareness lays the foundation for changes in behavior. Secure behaviors nurture a culture of security. And, completing the circle, a culture of security advances awareness.
Understanding the disconnect between people and security
How do businesses improve behavior and, in turn, begin to develop a positive culture? While there’s no short answer, the first step for any business new to the principle of ABC is to try to understand the origins of undesirable behavior. One of the most useful questions to tackle early on is, “Why are my people not complying with security policies?”
When businesses begin to probe why, they tend to find that motivation, or rather lack of it, is at the root. Staff are failing to take security on-board as part of their everyday job: They don’t see it as a serious issue; they don’t see it as their responsibility; they don’t see it as something they have much control over; or a combination of the above.
More often than not, businesses also discover that the relationship between security and staff has become strained. In extreme cases, it’s become adversarial. Security is seen as an inconvenience, an annoyance, as something that exists just to ‘get in the way.’
Businesses will likely need to address both before significant improvements are seen. Making cyber security more personalized and relatable to staff, gamification, bringing leaders on-board, and getting employees involved in cyber security conversations, will all go some way to boosting motivation. Meanwhile, making security policies and procedures simple – ensuring that doing the right thing is the easiest thing – will help to address issues of tension between security and staff.
Developing cyber security behavior and culture
So, if I could ask businesses to adopt two new approaches to cyber security this year, the first would be to leave behind the ‘weakest link’ language. The second, to hopefully avoid a data breach in next year’s stocking, would be to pay more attention to behavior and culture.
By treating people as a useful and powerful security asset, and by addressing security awareness, behavior and culture in tandem, businesses can bring about real and tangible reductions in their human cyber risk.