Developing a cyber-resilient culture
At the heart of most corporate cyber crises lies the risk posed by poorly educated employees and weak awareness of the security basics. After a host of scandals during the present century, companies recognize that policies and procedures count for very little if they ignore the human element. Efforts to tackle the matter are being made, yet major breaches keep happening. Credit-checking group Equifax blamed "human error and technology failure" for one of the most significant data breaches in history, affecting more than 145 million people in the US alone. The credit reporting giant cited poor communication of cyber risk and poor execution at the people level as the primary root cause of the infamous breach.
The three main causes of “human error” are: 1) lack of skills or know-how (skill-based error), 2) lack of motivation to do what is secure (decision-based error), and 3) errors forced unknowingly by malicious actors (malicious forced errors).
Cyber-resilient enterprises think differently
Cyber-resilient enterprises put people’s hearts and minds, not technology, at the center of their cybersecurity strategies. They create deeply entrenched beliefs that protecting the enterprise from cyberthreats is everyone’s responsibility, from the board of directors to frontline personnel. Cyber-resilient enterprises transform employee attitudes and behaviors through compelling and contextualized messages; reinforce good deeds; and provide steadfast, clear, and frequent messages from the top. These enterprises know that cyber resilience transcends technology: the real work of defending the enterprise takes place within business teams and is underpinned by shared norms and values.
- Develop a tactical and strategic culture change program — Security awareness and culture change need to be managed as a "behavior change initiative," and behavior change needs to be viewed through both a tactical and a strategic lens. Develop a culture program that uses tactical and strategic initiatives to change behavior, with responsive governance and ongoing reviews.
- Set the tone at the top — Effective leadership includes role modeling and active participation by C-level executives in defining the corporate culture and standards of behavior. Any significant transformation program demands unwavering support from the Chief Executive Officer, the C-suite, and the board. Creating a cyber-savvy workforce is no different: sustained cultural shifts require the most senior officers to role model expected behaviors, uphold the virtues of the cyber risk appetite, and, most importantly, proactively reward positive behaviors and hold wrongdoers accountable.
- Educate against email threats — Email threats continue to increase at alarming rates and are becoming more and more challenging to detect. Train users to recognize, avoid, and report suspicious emails, and make sure every employee realizes that their role grants them access to valuable information.
- Identify high-risk communities — A consistent message from the Cyber Leadership Institute is that security must be managed like other business risks. That means making deliberate choices and ruthlessly prioritizing a limited security budget for the most significant risks. To that end, we recommend that the Chief Information Security Officer segment employees according to their risk profiles and deliver contextualized messages that emphasize the specific threats employees face in their respective roles. A one-size-fits-all approach dilutes the effectiveness of limited resources and exerts untenable pressure on thinly resourced cybersecurity teams.
- Establish a cyber ambassador program — Extend the cyber team's reach by building a network of cyber resilience culture ambassadors throughout your organization to engage the broader employee base while promoting cybersecurity best practices. That way, cyber resilience becomes everyone's responsibility, from the frontline staff to the board.
- Gamify to engage employees — Leverage concepts from the gaming world and apply them to cybersecurity awareness programs. That means using game incentives to engage and reward positive action, transforming previously mundane activities into sticky, highly engaging events.
An organization that can defend against, withstand, and survive potentially devastating cyber-attacks has usually invested in its people’s awareness and education. It is an ongoing effort toward changing the way staff think and work in their roles. It should be adequately funded, have the attention of senior management, and be empowered by stakeholders across the organization.