It might be tempting to label people as "lazy", "stubborn" or even "stupid".
They reuse passwords across multiple sites. They’ve clicked on an obviously malicious link, again. They’ve fallen for that blatant phishing scam, again. They’ve still not updated their computers. The list goes on.
True, human error accounts for 90 percent of cyber security problems. In response, many organisations dish out standardised, tick-box security awareness programmes. Measuring the effectiveness of such initiatives remains challenging. And yet what we do know is that the problem still lingers.
Why and where is it going wrong? Three security experts share their views on why the current model is not working and how it can change.
Security awareness training is mainly compliance driven and all too often employed as a knee-jerk reaction in response to a breach, according to former CISO, Flavius Plesu, now CEO and Founder of OutThink.
“While an important component - security awareness - is a limited one, in terms of what it can actually deliver. This is a business risk and like any other risk, we need to be able to identify, measure and understand that risk,” Flavius states.
A security awareness programme can work as a tool to build momentum but it's not going to deliver lasting change, says Marilise de Villiers, Founder and CEO, MDVB Consulting. Targeted behavioural change interventions are required to establish a security culture, she advises.
Professor of Human-Centred Security at UCL and Ruhr University Bochum, Angela Sasse, describes security awareness training as “cheap”, saying that companies dish out a standard awareness programme to employees, consisting of weak and general advice, which tends to repeat itself.
Accompanied by a good dose of fear, this approach rarely engages workers or stimulates behavioural change.
It also creates a “toxic” culture: employees tend to respond with “I’ve seen this before”, “this doesn’t make sense”, “I can’t do this” or “I don’t actually believe it’s a risk” - so they remain unmotivated to change their habits.
But is this surprising?
Marilise says it’s hardly surprising companies are getting it wrong given that the ISO 27001 standard advises organisations to provide security training for employees once a year. “It's tick box mentality, driven by regulation,” she adds.
NCSC’s Cyber Essentials offer general guidelines which are not applicable to every business. Angela says that although this is a positive step, if the guidelines don’t apply to your business, “it communicates the wrong message and people are going to give up quickly”.
Humans: the weakest link?
Flavius thinks the famous phrase, “security is everyone's responsibility” is unhelpful and has provided CISOs with the perfect opportunity to shift the blame to employees.
“People are not stupid and they are not the weakest link - they need us, the experts, to understand their reality and build sustainable security that works for them, not against them,” he states.
He recommends that security professionals remember that employees - no matter what area of the business they work in - are busy professionals, working hard to earn their own salaries, as well as those of the security team.
“They're really busy people, we need to move away from the generic, one-size-fits-all security awareness humorous videos, by delivering effective training, individually allocated based on employee needs and risk. We're here to make their lives easier, to enable people to stay secure by engineering the right processes and giving them the right tools. More security, more productivity,” Flavius explains.
Angela echoes this sentiment, saying that there are many reasons why people don't follow the right security standards - and it’s not because of stupidity or lack of awareness. Often employees wouldn’t be able to complete certain processes at all if they followed the “rules”, which would ultimately have a negative impact on their productivity.
She adds that an employee will prioritise productivity over security, because that’s where the pressure from the business is coming from.
Flavius also feels it’s important for organisations to understand their own human risk exposure. His advice: “CISOs must take a closer look at what’s happening within their own organisation and analyse how many near misses they’ve had. Who is not behaving securely and why? How is the situation now compared to six months ago? Of course, this is really hard to achieve without having the right technology in place and this is where OutThink comes in.”
Good cyber hygiene: a three-step process
Good cyber hygiene does not simply boil down to security awareness; it needs to be supported by education, targeted training, and appropriate tools and processes.
What is often misunderstood, Angela states, is that there is no quick fix for behaviour change. Security awareness alone won’t change behaviour, but it will render people amenable to change. Organisations need to recognise that it takes time to replace a learned behaviour with a new one.
Actions also have to be “doable,” suggests Marilise. In order to replace old habits with new behaviour, you have to make the tasks as easy as possible for people.
Organisations also have to accept that there is no “cheap” option. Instead of more funny videos and phishing simulations, Flavius says, the business must invest in its people and give them the tools needed to make their jobs easier. Above all, people need support from security and IT.
A note for the board
Speaking of which, Angela’s advice is that the business has to take responsibility and work out how it wants to implement sustainable security.
The business needs to collaborate with the security department to understand what the options are for managing human risk in order to make decisions together that work for the business.
More often than not, CISOs are blamed for not speaking the language of the board. Flavius believes the tables should be turned.
In the “Age of Cyber”, he feels board members have a duty to be up to speed with the challenges and opportunities that data and information bring. The onus should therefore not fall purely on the security team’s shoulders; it should be shared with the business executives.