Cyber Security Awareness Month
05 October, 2023, by Natasha Free
National Cyber Security Awareness Month (NCSAM) is observed in October in the United States of America. Started by the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, the month raises awareness about the importance of cybersecurity.
The need for focusing on awareness is starkly emphasised by a Gartner survey of 2022 I read recently entitled “Drivers of Secure Behaviour”. The survey found that 68% of thousands of employees polled admitted to intentionally bypassing cyber security guidance in the last 12 months. Pause there for a minute and take that in – most of your teams are purposefully not following your cybersecurity rules. The survey goes on to reveal that of those admitting to this less-than-optimal behaviour, 93% understood the bypassing of those rules increased risks to the organisation. When we look at this alongside the statistic that 82% of breaches are “a result of employee behaviours that were unsecured or inadvertent” then it’s clear we have a very real problem that needs addressing.
Looked at the other way, it's these kinds of findings that make me question why organisations spend most of their time, effort and budget on threats that are less likely to end in a security breach. Whilst I'm not saying that we shouldn't be staying ahead of the anonymous (and not so anonymous) threat actors out there, it's clear that we MUST pay more attention to our own people. Cyber security strategy clearly needs to start at home and must be people focused. In fact, policy design should by default be people-centred. With that in mind, what might motivate people to do better?
Awareness helps; however, I'm sceptical of some of the new tools available that reward or penalise people for their behaviour. The carrot-and-stick approach appears to me to be (at best) outdated and (at worst) patronising.
Undoubtedly, user experience plays a significant role in our behaviour and is probably the number one area where improvements could be made. If it's difficult for users to log on or to carry out their work, there is a greater temptation for them to circumvent whatever rules you have in place or play fast and loose with the functionality of your tools. We talk a lot about frictionless access, but this is not a universal reality yet, and it is particularly problematic for privileged systems. However, we need to look at ways to make it easier for users to access, and to request access to, everything they need.
Secondly, it probably pays to make cybersecurity controls role-relevant. The controls needed for a receptionist will be very different from those required for IT specialists who need access to servers or other privileged systems. The same can be said of awareness raising and any kind of security quizzing: it needs to be relevant to the everyday scenarios likely to be experienced by the role holder.
In addition, many studies have shown that people will only take controls seriously if they are held accountable for any breach or circumvention, so it's important that any risky behaviour is picked up and the user involved is given additional training or is penalised in some way. My personal preference would be to make the perpetrator read all the organisational policies and pass a test afterwards. (Nothing says punishment more than having to read policy documents!)
From my own experience it also helps to demonstrate to people (particularly those in a non-technical role) what suspicious looks like. For example, it can be helpful to show what they would expect to see in a phishing e-mail: what are the red flags to look out for, and what should they think about when sharing or receiving files or attachments from users outside the organisation?
I was fortunate enough to attend an identity and access management conference recently where one of the speakers gave an excellent presentation on the importance and value of telling a good story. When I think about cyber security awareness, I can see the value of excellent storytelling to engage people and to sustain their interest. For an example of getting your message across in a memorable way see Apple's latest sustainability ‘report’ (2023). They didn't write a report, they used a short film starring the lovely Octavia Spencer to powerfully and memorably communicate their message.
There are some great examples of storytelling across all industries and plenty of creative organisations that can help you create engaging and relevant stories that will go a long way to ensuring better compliance for any organisation.