Creating a culture of ownership around security

We spend millions on technology to address cyber threats, but just a pittance on what matters most. While technology plays an offensive role in our cyber profile, we cannot fully protect our systems. There will always be someone to amaze us with their unexpected, innovative actions in a cyber-intrusion.

With that in mind, we need to increase focus on our own employees, a key component of our cyber profile and our first line of cyber defense.

Since employee mistakes contribute to upwards of 85% of data breaches, there’s good reason to turn our attention to them. With a data breach averaging $3.92 million total cost according to IBM, preventing employee mistakes provides a cost-effective approach – you reduce the risk of significant costs without much expense on the front end.

In this blog, I explore ways organizations can create a culture of ownership around security. Technology and people should converge to boost our cyber profiles. When they do, we lessen the chances of a successful cyber threat, and are well-equipped to handle them when they do occur.

Annual trainings are just the beginning

Annual security trainings aren’t enough, and neither are the company-generated scam emails to test employee awareness. Why rely on a once-a-year training for something so important? Why send test emails without emphasizing the potential consequences of falling for a phishing gambit? Training is not a one-time event. It’s a continual process that requires a variety of delivery methods, and we need to increase employee awareness of their role in cybersecurity by bringing it to the tops of their minds every day.

Include Cyber-awareness into all facets of employee experience, through methods like:

• Frequent messages on cyber threats
• Cyber-awareness content in recurring staff meetings
• Accounts of real cyber breaches, including how the attackers got into the network and the damage they caused
• Follow-up emails after phishing tests to highlight the results

Employees make mistakes, but we can fix this

The top reasons for employee mistakes in phishing are distraction, belief the email comes from an executive and the perceived legitimacy of the email, reports the Psychology of Human Error. We can educate employees through more frequent training sessions and by showing results from fake phishing emails, but we can also create a culture of awareness by normalizing it in daily conversation. Employees should ask each other, “Did you just get that email from HR? Is it a scam?” Create a buzz.

When you think about the number of your agency’s employees, but only focus on your cybersecurity office team as your cyber defense, you are not thinking about the reality of cyber. You should consider all of your agency’s employees part of your cyber defense.

Measure, measure, measure… and share

Front-line managers measure everything they can, with the exception of cybersecurity matters. With many data breaches caused by employee mistakes, we should decentralize awareness and prevention down to our teams. Managers should include security in weekly recurring meetings, and they can also start measuring messaging, employee awareness and employee actions. Don’t rely on expensive tech solutions. Rather, rely on your cybersecurity office extending to every employee: build their knowledge, validate their actions and reward their cyber secure behavior.

Hybrid work means more distraction

As our culture shifts toward a hybrid work environment, remote work can increase mistakes; this will only further emphasize the importance of addressing the lack of an intentional, security-focused culture among employees. The COVID pandemic contributes to breaches—through employee carelessness, limited staffing and a rush to adopt new technologies, a 2020 Verizon study found.

Even more, young employees are already easy to phish, and often times they’re onboarded remotely. While older employees may be more leery of phishing scams, they may also be less willing to acknowledge falling victim to a scam. This too is a matter of human psychology.  When employees work remotely, we need to do more to support their decision-making. Connect with them more often, have managers carry the message of cyber awareness and reward employees for asking questions before taking actions.

Think you’re ready?

Perform table-top simulations as a good practice for testing your cyber readiness. Run through a scenario of how to address a cyber-incident with your employees and see what actions they choose to take. Don’t just test your tech team’s actions – test your communications, your employee awareness activities and your approach for building employee diligence.

We spend so much time on the technical side of cybersecurity that we tend to ignore the people side. Remember, it’s the people we can more easily influence, and they are such a key part of avoiding issues in the first place. Don’t waste all that money spent on cybersecurity -- integrate your employees into the full solution.

CGI’s unique offerings in change management, smart business operations and technology consulting can help get you started. Contact Pat Pendergast at CGI to learn how we can support your organization in this work.