Why training is essential to building a strong cybersecurity culture

Despite the meteoric rise in cybersecurity spending over the past few years, cyberattacks and data breaches are only getting stealthier and costlier. Last year had the highest average cost in 17 years, according to IBM.

It’s a common misconception that throwing more money at technology alone will reduce the likelihood of cyberattacks. Debunking this myth, a study by Boston Consulting Group showed that only 23% of breaches are a result of inadequate cybersecurity technology, whereas 77% are the result of human error.

In terms of cybersecurity, human error isn’t limited to a particular type of action. The IEEE Computer Society admits human error encompasses several types of actions that can have a detrimental consequence on an organization’s cyber-risk, including:

• Losing credentials or using credentials that can be easily hacked or guessed

• Unintentionally downloading malicious attachments or visiting malicious websites

• Using public or unsecured Wi-Fi and devices to access corporate resources

• Falling victim to a social engineering scam

• Leaving sensitive corporate data unprotected or unattended

• Making judgment errors from heuristics and cognitive biases

Findings from Osterman Research show that security teams are concerned about a range of cyberthreats, including data breaches, compromised credentials, malicious email attachments, account takeovers, ransomware, spear phishing, malicious URLs, Business Email Compromise (BEC), file sharing, and social engineering through non-email channels. Most of these threats depend on human error to be successful. In addition, pandemic-related trends raise additional concerns.

With the rapid rise of working from home, organizations are deeply concerned about attackers targeting the new remote workforce. And despite growth in chat rooms and other productivity tools, email use continues to grow, especially during the pandemic. This increases the risk of phishing, BEC attacks, ransomware, and a range of other email threats linked to human error.

WHY SECURITY CULTURE IS CRITICAL

Shaping human behavior and reducing the probability of human error is both a long-term and complex process that cannot be solved by episodic initiatives. Only a strong security culture holds the power to shape the behaviors, norms, attitudes, and mindsets of employees toward cybersecurity. Like other corporate values an organization upholds, cybersecurity must be woven into the fabric of the business. Organizations need employees who are trained to integrate security into their way of thinking, putting the organization first before performing any action online.

The Osterman report highlights a number of data points that reveal that training is the cornerstone of a strong cybersecurity culture. The study showed that training users regularly significantly boosted their ability to detect cyberthreats. Employees who received more training also see themselves as playing a more responsible role that is integral to the organization’s security culture.

STEPS TO ESTABLISH A SECURITY CULTURE

There isn’t a silver bullet to building a robust security culture; however, these five practical steps can help any organization build a cultural foundation:

1. Secure buy-in from leadership. Because managers and leaders have the highest influence in any organization, cultural change is infectious and should start at the top. To successfully transform the culture from apathy to proactivity, managers and leaders need to realize the value of security awareness training.

2. Train users with a goal toward permanent change. Security awareness training isn’t just a checkbox activity. Organizations must have their eye on the target, establish metrics around it, monitor success and failure, and make course corrections as needed.

3. Ensure training is tailored. There isn’t a one-size-fits-all to security training. Employees and departments may have different levels of security maturity and competence; therefore, it’s a good idea to address their unique obligations and requirements.

4. Make training interesting. The more engaging and thought-provoking training is, the more successful organizations will be at accomplishing their goals. Training that is dull or boring will secure little participation or enthusiasm.

5. Focus on rewarding versus punishing. Security awareness training must emphasize and reward positive security behavior and not punish failures. Organizations that approach behavior change with a positive mindset are generally more effective in gaining employee trust, eventually leading to a long-term behavior change.

Security awareness training helps build muscle memory and good habits and this, in turn, reduces the overall risk profile of the organization. Gone are the days when employees were considered the weakest link in your cybersecurity arsenal. Today, they are your strongest line of defense.

Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.