In business today, we are all aware of the potential risks that humans may present to an organisation. Over the last decade, we have seen a significant change in human behaviour driven largely by the evolving nature of threats, regulatory enforcement and the increasing reliance on digital technologies.
As organisations and individuals grapple with the complexity of reducing risk and safeguarding information and systems, understanding this shift in human behaviour has become crucial.
The increase in regulations has not only mandated changes in organisational practices but has also significantly influenced individual behaviours within those organisations.
The enactment and enforcement of stringent cyber security regulations and standards have played a pivotal role in shaping a culture of security awareness and compliance.
This article examines the pivotal changes in human behaviour regarding cyber security over the last ten years, highlighting the role of awareness, the impact of regulatory changes, the impacts of technological advancements, and the strategies adopted to combat cyber threats.
Enhanced Awareness and Education
A decade ago, cyber security was often considered a niche concern, primarily the domain of IT departments.
However, the surge in high-profile cyber-attacks and data breaches has catapulted cyber security into the mainstream consciousness.
There’s been a significant shift towards recognising the importance of cyber security awareness and behavioural change across all levels of an organisation.
Companies globally have invested heavily in training programs to educate employees about phishing, malware, and other cyber threats. This heightened awareness has made individuals more cautious and proactive in their digital interactions.
The Rise of Social Engineering Attacks
As technical defences have become more sophisticated, attackers have increasingly turned to social engineering tactics that exploit human psychology rather than system vulnerabilities.
Over the past decade, there’s been a noticeable increase in phishing, spear-phishing, and other forms of social engineering attacks. This shift has necessitated a change in behaviour, with users becoming more sceptical of unsolicited communications and more vigilant about verifying the authenticity of requests for information.
Organisations have also started to simulate phishing attacks as training exercises to prepare employees for real attempts.
Many organisations have been encouraged to achieve certification against overarching standards such as ISO/IEC 27001:2022. Within sectors such as financial services, regulatory requirements such as CPS 234 and PCI DSS have been mandated. In industries such as communications, data storage or processing, defence, energy, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage, the SLACIP Act 2022 has directly influenced cyber security requirements and, subsequently, behaviours.
Compliance requirements have forced organisations to implement stringent security measures, from MFA to encryption to access controls. These regulations have also made employees more cognisant of their roles in protecting sensitive information, embedding security-minded behaviours in their daily activities.
Mandatory Breach Notifications
Laws requiring organisations to report data breaches, such as the NDB Scheme, have made transparency a critical component of corporate cyber security postures. Such requirements have led to a behavioural shift towards more proactive risk management and incident response strategies. Employees are more vigilant in reporting potential security issues, understanding that early detection and disclosure are paramount.
Vendor and Third-Party Risk Management
Regulations have also emphasised the importance of securing the supply chain. Organisations are now more meticulous in assessing the security postures of their partners and vendors. This scrutiny extends to contractual obligations, where security requirements are explicitly stated, and compliance is regularly monitored. This regulatory influence has made security a key factor in business relationships, affecting behaviours across corporate ecosystems.
Increased Accountability and Executive Responsibility
With regulations such as CPS 234 imposing potential fines for non-compliance and breaches, there’s been a shift in executive attitudes towards cyber security.
Cyber security is no longer just an IT issue but a board-level concern. This change has led to more resources being allocated to cyber security initiatives and a greater emphasis on cultivating a culture of security throughout organisations.
Enhanced Investment in Security Technologies and Training
To meet regulatory requirements, organisations have significantly increased their investment in cyber security technologies and employee training programs. This investment has made the use of advanced security tools more widespread and has normalised continuous security education and awareness among employees.
Adoption of Multi-Factor Authentication (MFA)
One of the most significant behavioural changes in cyber security practices over the last ten years is the widespread adoption of multi-factor authentication (MFA). MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access to a resource, such as a physical token, a fingerprint, or a one-time password sent to a mobile device. The growing acceptance and use of MFA reflect a cultural shift towards prioritising security, even at the expense of slight inconveniences.
The Shift Towards Remote Work
The recent global shift towards remote work has dramatically altered cyber security behaviours. Remote work has introduced new challenges, such as securing home networks and using virtual private networks (VPNs) to access corporate resources securely.
This transition has necessitated a shift in behaviour, with individuals becoming more conscious of the security implications of their home computing environments and the need for secure practices, such as regularly updating software and using strong, unique passwords for different services.
Increased Dependency on Mobile Devices
The proliferation of smartphones and tablets has changed the way people access and share information. With the convenience of mobile devices comes the increased risk of security breaches.
Over the past decade, there’s been a behavioural shift towards securing mobile devices, recognising them as potential vectors for cyber-attacks. This includes the adoption of biometric security features, the use of secure messaging apps, and the cautious management of app permissions.
Over the last decade, human behaviour in cyber security has evolved significantly, driven by heightened awareness, regulatory enforcement, technological advancements, and changing work environments.
As cyber threats continue to evolve, so too must human behaviour, and the way it is measured, adapt to safeguard against them. The journey from a limited understanding of cyber security to a culture that integrates security practices into daily routines reflects a broader shift towards recognising the critical role individuals play in the cyber security ecosystem.
Compliance has become a driving force behind the adoption of more robust security practices, fostering a proactive security culture. As regulations continue to evolve in response to the dynamic cyber threat landscape, so too will the behaviours they are designed to influence, ensuring that cyber security remains at the forefront of organisational priorities and individual actions.