Building a Human Firewall to Strengthen the Security Culture of an Organization
By Arijit Banerjee
While organizations may be at different levels in terms of the maturity of their security posture, one aspect is critical to all of them: their security culture. Building a robust security culture requires care and nurturing. 52% of businesses admit that employees are the weakest link in their IT security, with 'accidental publication of confidential information by employees and insider attacks' having the greatest impact on business IT security strategy. According to a joint report by Accenture and the Ponemon Institute, in 2018 the cost of cybercrime exceeded USD 13 million per company, a 12% increase from 2017 and a 72% increase over the last five years. Clearly, in addition to beefing up technology, organizations need to focus on the human aspect of cybersecurity.
Here are three ways in which organizations can use their human resources to fortify their security posture:
1. Immerse employees in security-related situations: While training employees in cybersecurity best practices and compliance methods is imperative, organizations often overlook training them to think and act with security in mind at all times. When it comes to imparting this kind of training, conventional methods such as workshops and seminars simply don't cut it. They barely scratch the surface, and employees forget most of what they learn once a year within just a few days. On the other hand, innovative forms of experiential and just-in-time learning, such as microlearning modules and cyberattack/phishing simulations, can immerse employees in security-related situations and deliver the much-needed hands-on practice. Elevate Security, a San Francisco-based company, invested in an $8 million Security Behavior platform that motivates, measures and rewards employees to change their security habits.
2. Leverage gamification techniques to develop a security-centric mindset: To improve employees' security habits and develop the desired 'security behaviors', organizations need to figure out what works best for them. For some, a carrot-and-stick approach to security training may work, while for others humor may do the trick. Cybermaniacs, for instance, uses micro-videos featuring storytelling techniques and puppet characters to deliver cybersecurity awareness training that really connects with its audience. Gamification techniques such as cyber knowledge assessment quizzes, escape rooms and games of Monopoly help eliminate the 'penalty' factor from cybersecurity training, and incentivize and reward people who demonstrate positive behavioral changes.
3. Build a security education ecosystem: Creating an enterprise-wide security culture that is not a once-a-year event but a continuously evolving framework requires top-down leadership commitment. HR leaders must work collaboratively with CSOs and IT security teams to map the risk landscape for their company and the specific steps that must be taken to mitigate it. When hardening the human firewall, organizations must not overlook the external ecosystem of customers, B2B clients and third parties (vendors, supply chain partners, etc.), all of whom play a part in ensuring a robust security posture. Becoming part of local and global consortiums such as the Global Ecosystem of Ecosystems Partnership in Innovation and Cybersecurity (Global EPIC) is a step in this direction. Global EPIC, for instance, brings together 14 ecosystems from around the world to facilitate knowledge sharing and the co-creation of impactful cybersecurity solutions.
Metrics matter: Monitor, track and measure
While most organizations have security training programs in place, understanding employees' security behavior, targeting it correctly, and then measuring the changes is key to building a solid human firewall. It is important to ask questions such as: did training result in more employees being able to identify phishing emails, increased use of malware protection, or sensitive data being protected with password managers?
The Security Culture 2018 report reveals how measuring the right metrics and optimizing security training programs accordingly helps change security behaviors over time. The report shows that the BFSI sector demonstrated an improvement in security behaviors of up to 16.7% in one year (from 2017 to 2018), and a further 17-point increase in individuals' sense of responsibility towards security, while the real estate sector showed a negative change in security culture. Why this discrepancy? The finance sector took specific measures to tailor its security training programs to address the weaknesses identified the year before, while the real estate sector did not alter its programs. As the modern workplace extends beyond physical office boundaries, the future will see security-minded employees emerge as a critical enabler of business safety, supplementing and enhancing cybersecurity technology deployments.