6 Tips for Fostering a People-Focused Security Posture


Historically, cybersecurity has been perceived as a technology problem and so, businesses have always passed the cybersecurity responsibility to technology teams. These teams naturally turn to technology tools to solve security problems.

But here’s the thing: cybersecurity is not a technology problem; it’s a business problem. What’s more, most cyberattacks have nothing to do with technology per se. What began as spam has evolved into phishing attacks, and these have grown in sophistication. These scams use social engineering techniques to play on human emotions and trick people into doing things they shouldn’t, like clicking a malicious link or revealing personal information.

The Growing Importance of People-Focused Defense

Hackers are ROI-focused. They want to smash and grab whatever they can and move on to the next victim. And so, why spend days, weeks and months analyzing victim environments, searching for vulnerabilities, looking for blind spots in cybersecurity defenses, when adversaries can simply walk through the front door? This is exactly what’s currently happening in cyber.

As much as 74% of attacks can be traced to social engineering, stolen credentials and privilege misuse, because it is much easier to hack a person and infiltrate an organization than to breach cybersecurity defenses directly. This hasn't always been the case: early computer systems were less immune to internet-based attacks and poorly equipped with native cybersecurity defenses, so attackers had no need to go through people.

Six Tips for Building a People-Focused Security Strategy

In general, we are creatures of habit and can end up being predictable in our thought processes and behavioral patterns; such habits cannot change overnight to prop up security defenses. Changing them takes time and a consistent, long-term strategy. Here are six tips that can help boost the people side of security:

1. Focus on behavior: Organizations deliver annual training and believe it is adequate to make employees responsible and cybersecurity aware. Awareness and behavior are not the same thing: roads have speed limits, yet we often break those rules. Focus instead on training exercises that alter behavior. For instance, running bi-weekly phishing simulation exercises can help employees build muscle memory for identifying, blocking, and reporting phishing messages.

2. Position security alongside business strategy: Cybersecurity is often considered a low priority because employees have more important things to do. If leaders change the narrative around cybersecurity, show how it can avoid serious business disruption, boost customer trust and confidence, and increase the bottom line, then chances are that employees will see cybersecurity in a more consequential light.

3. Practice empathy: We each have different levels of skill and security maturity and different attitudes towards cybersecurity. Organizations must acknowledge these differences and practice empathy and patience while coaching employees. Avoid being arrogant, punitive, and fear-focused, as this is known to create a toxic environment. Instead, create a supportive culture where workers are not afraid to report a breach or a social engineering scam, or to ask questions.

4. Use storytelling to sell your purpose: It is important that employees understand cybersecurity as a positive, something that helps the business thrive. Use analogies and anecdotes to make your training content more digestible and relatable. Leverage current events and news stories (such as ransomware victims) to educate and advocate for security, but refrain from using scare tactics.

5. Make it fun and interesting: Cybersecurity doesn't have to be a solemn affair. It can be an interesting way to build fun, rapport, and engagement among employees. Use gamification tools and methods, run contests, offer freebies, and recognize people for their efforts and support. Activities of this kind not only motivate people but can also alter their attitude and mindset toward cybersecurity.

6. Use advocates and influencers: Culture is contagious. Find leaders from within, people who are influential and enjoy a certain level of trust in the company. Leverage their clout to unify the team and shape its security mindset. A positive security culture can accelerate people-focused security outcomes dramatically.

Final Thoughts

While technology-based security controls are important and should be deployed, solely relying on them may not always be sufficient to prevent security breaches. Therefore, people-focused security measures have become crucial. By providing thorough training to employees, organizations can instill a strong commitment to security in their workforce.

Cultivating security intuition among employees acts as an additional layer of defense, compensating for potential shortcomings in technology-based controls. With well-trained employees who prioritize security, organizations can strengthen their overall security posture.