Three Pillars of Cyber Security: People – Process – Technology are the core components necessary to address the risk associated with business and cyber security.
Unfortunately, technology alone is not the answer to addressing security risk mitigation. Do not get me wrong, technology is essential in addressing the top 95% of threats. Correctly built, configured, patched, and managed security technology solutions are paramount to addressing security.
Zero trust mentality is important to ensure that trust is earned, not offered.
Technology and processes can usually stop around 95% of the threats. That still leaves 5% of attacks coming into your organisation through your people.
People are responsible for more security breaches than the other two combined. More than 95% of all breaches are because of people.
Now, we all know that Security Awareness Training is the solution to this. Run a computer-based course once per year with your staff and all your problems are fixed. Right? – Wrong.
Security awareness training, whether it is run once a year to tick a compliance box or run continuously throughout the year only addresses one small section of the problem.
Have you noticed that when people accidentally click a phishing email, they delete the email? They are often of the mindset that deleting the bad email will prevent any damage from occurring.
Effectively, they are trying to hide the problem, but this is the worst thing that they can do. The malware has already done the damage that it was intended to do, and deleting the email removes the evidence the security team needs to detect and respond.
What we really want is to address how people behave and the culture that they work in.
We need to look at how people behave and how they respond to certain circumstances, stimuli, and situations. Knowledge/awareness alone will not change an organisation's risk profile. Just because someone has knowledge does not mean that they will do the right thing. If their attitude is wrong, or the corporate culture is bad, then their behaviour will be in conflict with their knowledge. A change in behaviour is the only tangible way to address this component of security risk.
Behavioural change runs from knowledge, through attitude, shaped by corporate culture, to behaviour.
What is even more important is, with knowledge / awareness alone, there is no way to measure the success of the campaign.
How can you measure your security awareness training program’s return on investment when you have no metrics against how people react, respond, think, or feel?
To truly address the people component of security, measurements against attitude, behaviour, culture, and knowledge need to be made.
Until we all take Security Behavioural Programs seriously, with continuous measurement, refocusing, attitudinal encouragement, and a focus on positive culture-based behaviour built in, human beings will continue to represent a significant component of security breaches.
It is important that Board and executive management are well-informed regarding cyber security risks and their organisation’s preparedness to prevent, detect and respond.
To assist you in reducing your risk of security breaches, Cypro has developed a comprehensive framework utilising advanced methodologies, tools, and systems to provide a security knowledge, attitude, and behaviour “awareness” program. As a component of the program, Cypro implements this security program in accordance with the control requirements of NIST and ISO27001.
This overview should hopefully assist your organisation to better understand how to address the need to reduce the impact of human error.
This framework is based upon an enormous amount of research, and many discussions with government and corporate organisations ranging from 10 staff to 10,000 staff over the past 12 years.
The program encompasses establishing a baseline via an online assessment, together with simulated phishing, spear phishing, whaling and SMS attacks, which are used to identify the repeat offenders as well as teaching moments.
To start the behaviour-change journey, the output of the baseline is used to focus staff / departments on key areas of need, with the provision of tailored panel and board discussions, induction courses, and tailored training courses run continuously so as not to impact staff time and availability. Reinforcement materials are incorporated, as well as continuous assessment and testing, and finally a comprehensive ROI of the success of the program.
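The article argues that a program cannot show a return on investment without metrics on how people react, and that the baseline and follow-up simulations should surface repeat offenders and per-department areas of need. The script below is an added example of the kind of measurement that makes this possible; it is not Cypro's tooling and the page describes no such code. It assumes each simulated campaign yields one record per recipient (department, clicked, reported), and the records it uses are constructed sample data, not real campaign results.

```python
"""Phishing-simulation metrics (added example; not Cypro's tooling).

Assumed record schema: one row per recipient per campaign, recording the
department, whether the lure was clicked and whether it was reported.
The SAMPLE rows below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str      # campaign label, e.g. "baseline" or "q2"
    user: str
    department: str
    clicked: bool      # recipient opened the simulated lure
    reported: bool     # recipient reported it to the security team


# Constructed sample data: a baseline campaign and one follow-up campaign.
SAMPLE = [
    Result("baseline", "alice", "finance", True, False),
    Result("baseline", "bob", "finance", True, False),
    Result("baseline", "carol", "finance", False, True),
    Result("baseline", "dave", "ops", False, True),
    Result("baseline", "erin", "ops", True, False),
    Result("q2", "alice", "finance", True, False),
    Result("q2", "bob", "finance", False, True),
    Result("q2", "carol", "finance", False, True),
    Result("q2", "dave", "ops", False, True),
    Result("q2", "erin", "ops", False, False),
]


def rates_by_department(results, campaign):
    """Return {department: (click_rate, report_rate)} for one campaign.

    Click rate is the behaviour to drive down; report rate is the positive
    behaviour to drive up, so both are tracked rather than clicks alone.
    """
    counts = defaultdict(lambda: [0, 0, 0])  # recipients, clicks, reports
    for r in results:
        if r.campaign != campaign:
            continue
        c = counts[r.department]
        c[0] += 1
        c[1] += int(r.clicked)
        c[2] += int(r.reported)
    return {d: (clicks / n, reports / n) for d, (n, clicks, reports) in counts.items()}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.

    These are the repeat offenders the baseline is meant to surface for
    targeted coaching rather than another generic annual course.
    """
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_clicks)


def improvement(results, before, after):
    """Per-department change in click rate between two campaigns.

    A negative value means fewer clicks after the intervention, which is the
    measurable part of the program's return on investment.
    """
    b = rates_by_department(results, before)
    a = rates_by_department(results, after)
    return {d: round(a[d][0] - b[d][0], 3) for d in b if d in a}


if __name__ == "__main__":
    for camp in ("baseline", "q2"):
        print(camp, rates_by_department(SAMPLE, camp))
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("click-rate change by department:", improvement(SAMPLE, "baseline", "q2"))
```

Feeding real campaign exports into the same three functions gives the department-level focus areas, the repeat-offender list and the before/after delta that the program's ROI argument depends on, with report rate tracked alongside click rate so that the desired behaviour is measured, not just the undesired one.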