There are a few things we just won't stand for in 2020, and first on the list is the phrase "employees are the weakest link in cyber security." It's a saying that people really should have ditched in 2019.
You can probably guess that, since I'm writing this, unfortunately most people haven't. Online, and even among cyber security professionals, it's still a common line of thinking.
"What's wrong with believing employees are the weak point?", you might ask. Given the ever-increasing frequency of data breaches, with human error being either a cause or a catalyst in the majority of cases, you'd be forgiven for thinking that employees are naturally at fault.
But they're not, and there are a few logical reasons why.
The weakest link?
Firstly, framing the conversation like this doesn't get us anywhere. Are football players to blame when they lose a match? Well, in a way, but the players are also to "blame" when they win. And even when they do lose, telling them that they're the problem is only going to demoralize them and lead to further losses.
Secondly, if blame has to lie somewhere, it surely lies with the security awareness programs rather than with the employees who rely on those programs to better protect themselves. The reason that human-error breaches continue to occur at such a rate is that, let's be honest here, security awareness training in its current form just doesn't work.
Training doesn't work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not what matters. Just because people are "aware" of cyber risks doesn't mean that, in the real world, they will behave in a more secure way.
To reduce human cyber risk, security "awareness" training (a rather misleading moniker when you think about it) must go beyond raising awareness. It also needs to focus on changing behavior and building a culture of security at the same time. Collectively, you can think of this as "ABC": awareness, behavior, culture.
Doing so creates a virtuous circle in which improvements in one area flow into the next. Raising awareness lays the foundation for changes in behavior. Secure behaviors nurture a culture of security. And, completing the circle, a culture of security advances awareness.
Understanding the disconnect between people and security
How do businesses improve behavior and, in turn, begin to develop a positive culture? While there's no short answer, the first step for any business new to the principle of ABC is to try to understand the origins of undesirable behavior. One of the most useful questions to tackle early on is, "Why are my people not complying with security policies?"
When businesses begin to probe why, they tend to find that motivation, or rather the lack of it, is at the root. Staff are failing to take security on board as part of their everyday job: they don't see it as a serious issue; they don't see it as their responsibility; they don't see it as something they have much control over; or a combination of the above.
More often than not, businesses also discover that the relationship between security and staff has become strained. In extreme cases, it has become adversarial. Security is seen as an inconvenience, an annoyance, something that exists just to "get in the way."
Businesses will likely need to address both before significant improvements are seen. Making cyber security more personalized and relatable to staff, gamification, bringing leaders on board, and getting employees involved in cyber security conversations will all go some way to boosting motivation. Meanwhile, making security policies and procedures simple, so that doing the right thing is the easiest thing, will help to address the tension between security and staff.
Developing cyber security behavior and culture
So, if I could ask businesses to adopt two new approaches to cyber security this year, the first would be to leave behind the "weakest link" language. The second, to hopefully avoid a data breach in next year's stocking, would be to pay more attention to behavior and culture.
By treating people as a useful and powerful security asset, and by addressing security awareness, behavior and culture in tandem, businesses can bring about real and tangible reductions in their human cyber risk.