By Dr. Inka Karppinen, CPsychol. Lead Behavioural Scientist, CybSafe
While many commentators continue to tout technological solutions to various cyber security issues, with high-profile cyber-attacks and data breaches continuing to make headlines, it’s evident the status quo isn’t working. Aside from technology, the approach to cyber security in the coming year requires a more people-focused approach.
For too long, organizations have assumed that by explaining cyber risks, their employees would alter their behavior. Human behavior doesn’t need to be a guess or an assumption, it can be measured and studied. As a result, people can be directed towards good behaviors, and their progress quantified. Organizations can use this knowledge to improve their cyber hygiene while promoting and spreading a positive and effective cyber security message.
Here are five steps businesses can consider making cyber security policies work with their workforce.
1 – Talk to people!
People are naturally predisposed to interact in communities and make sense of our environments. However, as technological advancements continue to evolve, we often turn towards technology alone as the cause and solution to cyber security problems. But employing a more “human-centric” approach to problem-solving adds alternative opportunities to organizational challenges.
Initiating conversations with people on the ground allows a better understanding of where the gaps are in their knowledge. For example, employees could be skipping through the security awareness training because it isn’t engaging, or because they are ‘fully protected by anti-virus software’.
The best way to get information is to bring the conversation to them, whether that be near the coffee machine, through a message on slack, or via a well-timed, well-worded survey. If someone is known to have developed a workaround to security processes or doesn’t take the right action when faced with a security decision, the likelihood that others are doing the same thing is greater.
Gaps in knowledge leave room for errors which might otherwise be avoidable. By engaging their people, security professionals will be better equipped to provide the information needed to fill the gaps and improve understanding.
2 – 24/7 is the new 9 to 5
The work environment has changed significantly in recent years. Previous insistence on a presence in the office meant that internal 9-5 cyber security measures were largely able to protect both individuals and tools in the workplace, especially within the physical spaces of office buildings.
With hybrid working becoming the new norm, 9-5 protection is no longer enough. Working from home has allowed for new and greater opportunities for cyber risk. Cybercriminals function 24/7, and with personal devices being used from home, or work devices being taken out of a comparatively safe workspace, it is important to make sure cyber security measures are effectively implemented around-the-clock to protect people and businesses from bad actors. In the first instance, that means providing people with the tools to effectively manage their cyber risk, no matter their working environment.
3 – Training and tools
Users should not be blamed for their errors if they have not been provided with the necessary training and, most importantly, appropriate tools to perform secure cyber practices or recognise threats. Worse still, is if a tool is not reliably performing and hinders the main job task, especially in environments that focus on productivity and outputs.
People don’t want to be a liability or feel vulnerable in their workplace; naturally, they want to be part of the solution. Therefore, the onus is on organizations to ensure employees are aware of what is expected of them, and that they have the tools to be successful.
CISOs don’t need to be told the importance of proactivity in preventing cyber-attacks and breaches; it is about prioritizing organizational cyber hygiene and giving CISOs the resources to put people first.
4 – Positive messaging leads to positive responses
According to Tessian, a cloud email security platform, between March 2021 and March 2022, one in four employees who made cyber security mistakes lost their jobs. While every organization needs to make cyber security decisions that work for them, harsh penalties for honest mistakes will likely lead to fewer people reporting the errors they make to IT teams, even if their mistake compromises security. Driving these wedges between employees and executives’ risks making cyber security increasingly challenging to manage.
Paradigmatically shifting the outlook towards viewing cyber security incidents as powerful learning opportunities is vital for encouraging employees to report errors. In fact, if errors are made, they can be positive learning experiences. Gaps in knowledge can be identified and rectified, and security can be improved, preventing similar future mistakes. A positive message also encourages people to learn more about cyber security and become champions for their colleagues around them. Transforming a blame culture into a collaborative, positive one can be a powerful way to improve transparency and address essential vulnerabilities.
5 – Layoffs and cyber hygiene
It’s impossible to ignore that several high-profile mass layoffs punctuated the end of 2022 and the beginning of 2023. While no one wants to see such unfortunate events, we may see more in the coming months.
If the decision is made to let employees go, there’s a risk that organizational cyber security may become compromised.
These risks come in two different forms, the first of which is the technology itself. Organizations should have a crisis management plan in place to ensure that the security of their tech infrastructure can be preserved. Whether it is to allow for effective patching or the avoidance of siloes, planning ahead is always important.
Second is how layoffs can impact an individual’s psychology and behavior. Employees have access to a vast amount of organizational information, data and sensitive credentials, in addition to physical hardware belonging to their employer. In order to maximize protection, cyber security must be considered in the event people are let go. These processes must be in place before any announcements that may cause worry for one’s livelihood are communicated.
Approaching redundancies through understanding and honest messaging encourages a much more positive, compliant response from understandably upset workers. Conversely, a more clinical or insensitive approach may provoke anger and discourage the same people from tying up cyber-security-related loose ends. One need only look at the recent redundancies at Twitter to understand how confrontational messaging can lead to anger and non-compliance, not to mention bad PR!
Eliciting negative emotional responses can cause people to panic and act irrationally from a cyber security perspective. For example, individuals may start sending information to private emails, which might not be secure. Ultimately, an organization’s employees are the first and last lines of defense for organizational security, meaning saying goodbye to several employees will inevitably leave weaknesses. So treating redundancies delicately, respectfully and offering support can be the first step in minimizing cyber hygiene issues in the future.
Making the change
As the frequency of cyber-attacks increases across all industries, CISOs have been thrust into the unfortunate position of trying to increase protection against a backdrop of reducing funds and resources. Solutions do not always have to come at a great organizational expense.
Encouraging open communication and identifying productivity-security touchpoints between employees and the C-suite can be fundamental in directing an organization’s security culture in a positive direction.
Placing greater emphasis on the human aspect of cyber security can increase awareness and understanding surrounding cyber security best practices and protect organizations against damaging cyber-attacks. Keeping organizations safe is a complex problem. Keep these five tips in mind as you build iteratively towards a secure organization, from the bottom up.
About the Author
Dr Inka Karppinen is CybSafe’s lead Behavioural Scientist, Cyberpsychologist and mixed methods Human-Computer Interaction (HCI) researcher.
Inka is interested in all aspects of helping people, which has led her on a unique path encompassing both industry and academia. She has a PhD and MRes in Security and Crime Science from the University College London (UCL) and MSc in Occupational Psychology from Birkbeck.
Her PhD was a multidisciplinary research investigation in a real-world organisational setting examining employee non-compliance with security procedures using human error/violation and behavioural economics frameworks. She specialised in various behaviour change models, training evaluation frameworks, persuasive technology and improving the organisation’s security culture.
At CybSafe, Inka applies mixed methods research techniques to uncover people’s cyber security attitudes and behaviours with an aim to design workable digital solutions. She loves narrowing the research gap between academia and practice creating a meaningful positive impact on people’s cyber security behaviours. She is the lead researcher for CybSafe’s yearly Oh Behave! Reports and lead researcher for the Home Office-funded project entitled: Cyber Security Quirks: Personalised Interventions for Human Cyber Resilience.
She is a Chartered Psychologist with the British Psychological Society (BPS), an Expert Fellow of the Security, Privacy, Identity, Trust Engagement NetworkPlus (Sprite+) and a Member of the Global Association of Applied Behavioural Scientists (GAABS). She is a strong advocate for bringing together people involved in research, practice and policy.
Dr Inka Karppinen can be reached on LinkedIn at Inka Karppinen, PhD CPsychol and at our company website https://www.cybsafe.com/.
;
We are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.