Cybersecurity is now as much a human problem as a technical one, if not more so. According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involve a human element. Combine that with the estimate that even the best technology stops only about 93% of attacks, and a sizeable hole remains in an organization’s basic security hygiene: a gap in which employees are relied upon to make split-second decisions, and one wrong choice puts disaster just a click away.
With cybercrime now estimated to cost more than $6 trillion annually, cybersecurity training is no longer optional. A growing number of regulations require businesses to build ongoing education into their security programs, which has fueled a boom in so-called “awareness training” products.
Security officers say, however, that these generic, one-size-fits-all programs often fall short, particularly when it comes to delivering a measurable change in employees’ online behavior. Without that proof point, what is the true ROI of security training?
“Current training programs are very one-dimensional because they don’t take the human element into account,” said Marc Leckman, director of IT for Wesdome, a Canadian gold mining company with about 500 users, often in remote locations. “You can’t truly solve the problem unless you account for the fact that people react differently to the same type of threat.”
Challenges in security training
“The weakest link is always people — what I call the ‘human firewall,’” said Kin Lee-Yow, CIO of Canadian Automobile Association Club Group (CAA), a nonprofit association with thousands of employees across the country. “We’ve been focusing on how we increase the level of awareness and education for a while now.”
This “last mile” frustrates even the most vigilant organizations. The 7% to 15% that technical controls miss may look small, but repeated across every email, chat message and web link an employee handles, it guarantees that each of them will eventually face a threat that nothing upstream has filtered out. Employees not only need to recognize it as such; they need to have been trained on how best to act on it.
Security professionals therefore need to shore up their efforts to embed a sustainable “security aware” culture among employees. This has driven demand for ongoing educational programs that use behavioral science to measure and manage cybersecurity risk, as a distinct alternative to generic, one-size-fits-all training. Instead of merely ticking the training box, these programs aim to train the right person at the right time on their specific risk profile, in order to produce and sustain a change in behavior.
It was only when Lee-Yow encountered this new breed of cyber training that he concluded the issue was solvable. By using machine learning to build a customized approach for each employee, CAA could address the motivating factors that drive employees’ online behavior. This greatly reduced the chance of an employee falling victim to a cyberattack that could damage the company’s reputation, not to mention its bottom line.
Changing behavior, increasing mindfulness
“We are now attacking it from a completely different angle,” said Leckman. “Beginning with the personalized risk assessment, we can ascertain the risk makeup of our employees and strategically plan our next investments based on those results.”
“I liked the fact that every employee is given a 40-question assessment, kind of like a Myers-Briggs personality test,” said Lee-Yow. “This gave us a tool that assessed every individual from their own risk standpoint, and, from there, we could show them how to better protect themselves. And going one step further, how to create good online habits.”
Lee-Yow concedes that good habits are not formed overnight, which is another reason he has found the ongoing education, with new material delivered regularly and simulation drills, to be an effective departure from the generic training programs he has used in the past.
“We can actually measure improvement,” he said. “For example, we conduct regular phishing tests and if someone fails, we can follow that up with a program that reinforces and rejuvenates that employee on best practices.”
CAA has been using the assessment and training program for over a year now, and Lee-Yow has been pleased with the results.
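As an added example (not code from the article, CAA or Wesdome), the Python below turns constructed phishing-simulation log lines into per-employee click rates, applies the “small gap, repeated often” arithmetic behind the 7% to 15% residual that technical controls miss, and assigns a follow-up tier to anyone who keeps failing, the way the phishing-test follow-up described above would. The log format, the 7% filter miss rate, the 120 real phishing attempts per year and the tier thresholds are all assumptions for illustration.

```python
# Added example (not code from the article, CAA or Wesdome): turn phishing-
# simulation results into a per-employee picture of residual risk.
# Everything below is an assumption for illustration: the log format, the
# 7% filter miss rate, the 120 phishing attempts per year and the tier rules.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one line per simulated phishing email delivered:
# date,user,campaign,outcome   (outcome: reported | ignored | clicked | credentials)
SAMPLE_LOG = """\
2021-03-02,alice,q1-invoice,reported
2021-03-02,bob,q1-invoice,clicked
2021-03-02,carol,q1-invoice,ignored
2021-06-14,alice,q2-hr-policy,reported
2021-06-14,bob,q2-hr-policy,credentials
2021-06-14,carol,q2-hr-policy,ignored
2021-09-20,alice,q3-parcel,ignored
2021-09-20,bob,q3-parcel,clicked
2021-09-20,carol,q3-parcel,clicked
"""

# Outcomes that count as a failed test (anything past merely opening the mail).
FAILURE_OUTCOMES = {"clicked", "credentials"}


@dataclass
class UserStats:
    delivered: int = 0
    failed: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        """Observed share of simulations this user fell for."""
        return self.failed / self.delivered if self.delivered else 0.0


def parse_log(text: str) -> dict:
    """Aggregate simulation outcomes per user."""
    stats = defaultdict(UserStats)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _date, user, _campaign, outcome = line.split(",")
        s = stats[user]
        s.delivered += 1
        if outcome in FAILURE_OUTCOMES:
            s.failed += 1
        elif outcome == "reported":
            s.reported += 1
    return dict(stats)


def annual_compromise_probability(click_rate: float,
                                  attempts_per_year: int = 120,
                                  filter_miss_rate: float = 0.07) -> float:
    """P(at least one successful phish in a year).

    A real attempt succeeds only if the mail filter misses it AND the user
    falls for it, so per-attempt success is miss_rate * click_rate and
    P(at least one success over N attempts) = 1 - (1 - miss*click)^N.
    This is what turns a "small" 7% filter gap into near-certainty for a
    user who clicks everything, and why lowering click_rate matters.
    """
    per_attempt = filter_miss_rate * click_rate
    return 1.0 - (1.0 - per_attempt) ** attempts_per_year


def follow_up_tier(stats: UserStats) -> str:
    """Assumed follow-up policy keyed to the number of failed tests."""
    if stats.failed == 0:
        return "baseline"
    if stats.failed == 1:
        return "refresher"
    return "targeted-reinforcement"


def risk_report(log_text: str) -> dict:
    """Per-user summary: click rate, yearly compromise probability, follow-up tier."""
    report = {}
    for user, s in parse_log(log_text).items():
        report[user] = {
            "click_rate": s.click_rate,
            "p_compromise_year": annual_compromise_probability(s.click_rate),
            "tier": follow_up_tier(s),
        }
    return report


if __name__ == "__main__":
    for user, r in sorted(risk_report(SAMPLE_LOG).items()):
        print(f"{user:6} click_rate={r['click_rate']:.2f} "
              f"P(compromise/yr)={r['p_compromise_year']:.3f} tier={r['tier']}")
```

Note how the arithmetic behaves: a user who fails one test in three still carries a roughly 94% chance of a real compromise over a year of attempts under these assumptions, while cutting the click rate to 5% brings that down to about a third. The measurable quantity the program needs is therefore the per-user click rate trend, not the pass/fail result of a single campaign.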
Wesdome, on the other hand, is still in the early stages of its personalized cyber training journey. Leckman was looking for a consulting partner who could first help him determine his existing corporate risk profile. After this assessment was complete, he was able to demonstrate to his executive peers and the company’s board of directors that improving their cybersecurity practices was critical.
“From a director standpoint, breaking down the results of that assessment showed me where we were at a higher risk, where we had lower risk, and where our budget was best spent,” Leckman said.
The ability to measure risk-adjusted ROI on improvements in security maturity is compelling for those who control budgets and spending, because it shows where additional funding for cybersecurity improvements is best targeted.
For Wesdome, the key was finding something that would deliver a return on investment: not an immediate payback, but the long-term avoided costs that come from reducing the threats to which the company is exposed.
Lee-Yow likewise found that raising awareness through targeted education is crucial to reducing risk and, with it, sparing an organization the monumental costs of a cyberattack.
“When the massive amount of costs, compliance, and other aspects of an attack are taken into account, it is obvious that personalized intervention is what the industry needs,” Lee-Yow said.
Time is of the essence, given the constant escalation of new threats and new techniques being used to attack organizations globally.
According to IBM’s 2021 Cost of a Data Breach Report, a breach now costs an average of $4.24 million per incident. Mimecast, meanwhile, reports that ransomware demands on U.S. businesses now average more than $6 million. For small businesses (under 250 employees), a widely repeated figure holds that such an attack leads to bankruptcy 60% of the time.
Surprisingly, even though technology is what exposes organizations to these attacks in the first place, the vast majority of organizations still rely solely on technology to mitigate them. Technology alone is unlikely to solve what is essentially a human problem, one where the biggest shortfall is usually found in an organization’s human defenses.
Given the huge global shift to working and learning remotely, combating situational distraction should now be a critical component of any security awareness training. Knowing how to avoid risk, and actually applying that knowledge when a real threat appears, is the key to keeping an organization and its employees safer online.
“We are all human; we all make mistakes,” Lee-Yow said. “However, we believe that mistakes can be greatly minimized with the proper employee education and effective follow-up.”