To be effective in today’s fast-evolving world of continually emerging cyber threats, businesses should evolve their cyber security awareness efforts beyond the annual company-wide talk by the Chief Information Security Officer (CISO) on the need for more vigilance around data protection. Instead, they should pursue a more integrated, holistic approach that embeds cyber security practices into the employee’s workday.
Here are some strategies to inculcate cyber security practices.
Leveraging science and adult learning methodology. A major tenet of Social Cognitive Theory (SCT), developed by Stanford University psychology professor Albert Bandura, is observational learning, also referred to as modeling. That is, people learn desirable (or undesirable) behaviors by observing other people and mimicking those behaviors to maximize rewards. This learning method is particularly effective when people admire, trust or respect the person being imitated. Simply put, people like to be like their heroes.
Reinforcing behavior by applying change management methodology. The Awareness, Desire, Knowledge, Ability, Reinforcement or ADKAR model enables a program that continually reinforces why cyber security is important, why employees must remain vigilant both at work and at home, and the critical role they play in consistently supporting the cyber security team. For example:
— To drive awareness, employee login screens can display a reminder message such as: ‘Report phishing.’
— To drive desire, a series of ‘What if?’ scenarios can outline potential ramifications and threats when not practicing secure behaviors.
— To drive knowledge, interactive phishing simulations can be run periodically, including in-the-moment educational information for those who fall victim.
— To drive ability, a button can be installed on email toolbars to report suspicious messages to the cyber security team.
— To reinforce that behavior, employees who report suspicious emails can receive a response thanking them for being vigilant and taking action. If the report does uncover malicious activity, the employee can receive additional acknowledgment of their help, reinforcing good behavior: “Thank you! Your efforts and vigilance have helped us prevent cybercrime through discovery of a malicious email.”
These strategies not only make employees feel like they are part of the team; they also encourage feelings of accountability and ownership. It is also critical to create an environment that is supportive rather than punitive, ensuring that if an employee accidentally clicks a dangerous link, they aren’t afraid to report it immediately.
Modern delivery methods to make training engaging. Effective Behavior Management and Communications programs require periodic training to keep all staff, including leadership, informed about industry best practices and policy changes. People learn in different ways. There are three main cognitive learning styles: visual (seeing and reading), auditory (hearing and speaking) and kinesthetic (doing). Training should cater to each learning style — eliminating barriers to entry and delivering information in the format preferred by the learner. In today’s fast-paced digital world, brief, easily digestible segments appear to be the most successful.
Make it personal. Employees must feel personally invested if behavioral change is to be successful and sustainable. For example, explaining to staff how a particular online behavior can protect their children from online predators, in addition to protecting company data or themselves, can have a profound impact. Program elements should connect the dots to emphasize how workplace cyber security skills can be applied at home.
As phishing and similar attacks become more sophisticated, cyber security risks are soaring. By investing in the human element of cyber security, organizations can foster workforces that are not only savvier about cyber security but also a crucial extension of the cyber security team through their commitment to keeping the organization safe. A holistic approach to protecting an organization requires an investment in people — the human firewall — to ensure that employees both understand the tenets of cyber security and embrace their role in supporting security efforts by making secure behaviors an integral part of their daily life.
The excerpt was taken from the KPMG Thought Leadership publication Human firewalling.