Information Security is at a crossroads; we have more and more tools available to mitigate attacks but the number of security incidents such as data breaches is on the rise - why is this?

Everyone thinks they know what they should be doing when it comes to information security, so why are they not doing it? When we discuss end user responsibilities, we assume that security awareness training alone is enough and if users are non-compliant after that, it is because they are not taking security seriously. This may be the case in some instances but there are many other aspects organisations should be aware of when building an Information Security culture and awareness programme.

The human factor of cyber security is essential, especially when creating and implementing policies and processes around mitigating incidents and should not be underestimated. To quote the National Cyber Security Centre (NCSC):

“The way to make security that works is to make security that works for the people.”

This is so relevant to all aspects of life but in information security, our end users are human beings, not machines. This in turn leads to uncertainty and variables that traditional awareness programs and policies are not taking into account. As more incidents are reported, boards are taking more and more notice of Information Security within organisations as increasing accountability for the loss of data lays firmly at the boardroom door.

If you want a successful embedded security culture in an organisation we must move beyond just technical awareness and language and understand the audience of end users we are sharing this knowledge with. What are their beliefs, fears, and frustrations to name a few? If people are the problem and the solution why are we using technology alone to attempt to fix it? Engagement is key and contributions from individuals will allow them to feel part of the solution and build a culture of inclusivity.

Security is often seen as boring and complex, so how do we make it engaging for our end users? In order to build it into business-as-usual routines it needs to be planned and delivered in a little-and-often format and in a language users can understand. This allows the flexibility to tailor the training in line with emerging threats. We need to bring it to life through real-life everyday activities and we do this through story telling. Individuals will connect with a story if it is relatable, and awareness programmes delivered in this format should include characters such as end users and threat actors in real life role specific situations. Engagement is achieved as people will relate to the emotion the story gives them.

Another essential point to understand when trying to change behaviour is Cognitive Bias. This is a systematic error in thinking that occurs when people are processing and interpreting information in the world around them. This is how we make our decisions in life - it is your brain’s attempt to simplify information processing based on our own experiences and preferences. However, these may not always be reasonable or accurate, thereby leading to irrational or badly judged thoughts. Cognitive Bias is a topic all on its own and lends itself to a separate blog so I will not go into detail here. However, it is essential to be aware of it if we wish to change behaviour towards security, along with emotions, individual motivations, limits on the mind’s ability to process information and social pressure. We need to understand why people are non-compliant and fall victim to threat actors, as it is not always as clear cut as we may think.

Threat actors use these end user vulnerabilities to extract information or gain access to systems, so why are we not changing how we deliver our security awareness to counteract this? Organisations can no longer just put a technical patch over security and awareness training. We must start addressing the non-technical skills; the human factor that contributes to addressing behavioural change. We must equip our end users with the right level of security awareness delivered in a manner that brings it to life; so much so that it becomes business as usual and they become our first line of defence.

With all this to consider, it is hardly surprising that once a year security awareness programs are somewhat ineffective. It is time to reassess our security culture so that organisations engage end users as part of the solution and they feel part of it. In the words of Henry Ford:

‘If you always do what you you’ve always done, you’ll always get what you’ve always got’.

There are positive signs that boards are moving away from information security being an IT issue and looking at it from a more holistic viewpoint. It is key that the teams designing our security policies and awareness programs are equipped with professionals that can take a blended approach of both technical and the non-standard soft skills in order to engage end users to build a security culture and deliver a message that will be understood and applied as business as usual.

How can Nexor help?

Nexor’s Cyber Resilience consulting team can support your business in identifying training needs and how these can be adopted to provide increased awareness to support your business’ security policy and objectives.