October 5, 2021
The cybersecurity world is evolving rapidly — perhaps more quickly than at any other time in its history. It would be easy to attribute the cyber hiccups that many businesses face to the fact that they are simply unable to keep up with bad actors.
The facts are more complicated. While it’s true that new threats are emerging every day, more often than not, breaches result from long-standing organizational issues, not a sudden upturn in the ingenuity of cybercriminals.
For example, phishing has been around since the mid-’90s. Furthermore, its tactics and strategies are largely unchanged over the last 25 years — save for slightly improved graphics and copyediting. Yet, 75% of organizations experienced a phishing attack in 2020 — and 74% of attacks targeting US companies were successful.
How can this be? The answer is frustratingly simple: IT Security departments are still unable to get out of their own way when it comes to developing, implementing and running cybersecurity engagement, training and preparedness campaigns. I’ve seen far too many brilliant engaging campaigns get squashed by the group-think that occurs when content goes through round after round of reviews with multiple stakeholders. The process frequently drains every last compelling drop out of content that started as a really good idea.
Human error is a significant contributing factor in over 90% of cyber breaches, but too many organizations aren’t using training and awareness content designed for most humans. Humans have short attention spans, are easily bored, like to laugh (cat videos, anyone?), and like things to be easy. And honestly, once you really get into it, cybersecurity is fascinating, so there’s no excuse to be boring.
Here are a few areas that undermine a business’s ability to build the strong security training and awareness programs needed for today’s threat environment.
Day-to-day backend cybersecurity execution may be technical, but getting people to buy into cybersecurity best practices is not. In a world where most marketing content strategy and activation tactics have become more sophisticated and creative, the same cannot be said for cybersecurity. There are an astounding number of cybersecurity “engagement” strategies today that look like technical manuals. They may work within IT departments where efficient guidance is paramount. But unfortunately, they don’t work well outside the IT sector. Simply saying, “do this, because I said so” is not the way to get everyday people to act. Instead, we need customized strategies to drive engagement much as a sales funnel operates — nurturing employees along the way to conversion. Successful campaigns like this do not exist at many organizations, which is largely why cybersecurity engagement remains a challenge.
Two characteristics of high-functioning organizations are established departmental boundaries and strong interdepartmental collaboration. Yet frequently neither is evident in the typical business approach to cybersecurity with departments competing with one another. This can be true for training and awareness programs when it comes to the relationship between HR, corporate communications and Security. For example, it is common for corporations to run phishing exercises to test how well employees can identify phishing threats and identify those who may need extra training. If the same people fail subsequent tests, security teams often demand harsh sanctions. The problem is, these types of decisions are not the job of the security team; they more properly reside with Human Resources. On the flipside, security departments have a clear understanding of present threats and what best practices should be in place. However, corporate communications teams often get accused of overstepping the mark and overediting guidance from security, thus making it less effective and unclear, or even worse, less compelling.
The way to build cybersecurity defenses is through cohesive and collaborative messaging and tactics. Of course, it can be frustrating when employees fall for phishing emails, but Security departments should provide information on repeat clickers to HR and work on an escalation plan that ultimately HR and the business will own. This will foster mutual respect and lay the groundwork for collaborative progress toward a more secure workplace.
There is a common misperception in regards to cyber education and awareness training: training materials and sessions are boring, uneventful and easily forgettable. The truth is, cyber education and awareness training is only as drab and forgettable as you make it.
The cybersecurity education and awareness category is light years ahead of where it was even a couple of years ago. With new engagement methods ranging from scavenger hunts and games to live action content, there is no shortage of tools and assets available to businesses looking to bring their preparedness training to the next-level.
Unfortunately, businesses continue to struggle to integrate many of these “new age” tools into their cyber education protocols. Delivering effective cybersecurity awareness education and training is an end-to-end proposition. So while delivering compelling content is a great first step, to truly maximize content strategies they need to be paired with engaging training tools. If not, businesses are depriving employees of the valuable experience that they need on a day-to-day basis.
Cybersecurity hygiene is not easy. But by continuing to focus on external challenges rather than internal missed marks, businesses are set for a long, hard road. The good news is that IT teams are as innovative as ever, and there has never been more interest among the business community in cybersecurity. These two elements by themselves provide a great starter for success. If we can build on them by removing existing barriers, the future for business cybersecurity can be far more stable and secure.
Lisa Plaggemier is Interim Executive Director of the National Cybersecurity Alliance.
MAIN IMAGE SOURCE: pxhere.com
Sed ullamcorper posuere tellus, a semper leo venenatis a. Mauris suscipit risus et diam dignissim hendrerit. Donec risus neque, rutrum nec rutrum id, sollicitudin quis arcu.