Strengthening Security Programs Through a Human-Centric Focus
- May 05, 2022
In an increasingly digital world, where new technologies scale continuously, one factor connects every interaction with the technological ecosystem and drives increased complexity and risk every day: humans. Organizations focus on and prioritize process, procedure and technology capabilities to fight cybercrime, from intelligent automated interfaces to integrated access management. But these same organizations generally under-invest in, and pay too little attention to, the areas where humans determine how susceptible or resilient the organization is.
Although advanced technologies certainly help protect businesses in uncertain environments, we believe that adopting a human-centric focus can significantly increase an organization's risk management capabilities while addressing the behaviors and human nature that make our society so vulnerable.
What is the true cost of risk?
Organizations are especially vulnerable to risk amid geopolitical uncertainty, an unprecedented pandemic, widespread remote work, and fast-moving digital transformation. Breaches are at an all-time high; from 2020 to 2021, leaders observed a 68% increase in data compromises. The prevalence of these security threats puts an organization's information at risk of being stolen and used for unintended purposes.
Security breaches have a significant financial impact, as companies must pay for remediation efforts, lawsuits, fines, ransom payments, and lost business. The average cost of a data breach for a single organization is $4.24 million, and ransomware attacks alone account for an estimated $20 billion in global damages across industries.
Although leaders may be hesitant to invest in human-centric risk programs, delaying these efforts proves to be significantly more expensive; in 2020 alone, 79% of organizations were hurt financially by their lack of cyber preparedness. The true cost of risk is not just financial; it is also reputational. Incidents cause reputational damage as customers lose confidence in the organization and fear their personally identifiable information will be compromised. Current customers can leave, and future customers will likely seek out competitors they trust with their data.
Strengthening security programs through a human-centric focus
Addressing the human side of risk is one of the most effective yet undervalued risk management strategies. Employees click links in phishing emails, are manipulated into providing access and information during social engineering attacks, use weak passwords, accidentally download malicious software, or make frequent errors that cause security incidents. Mitigating these risks comes down to building the right awareness, knowledge, and behavior in the workforce.
Cybercriminals exploit these weaknesses to reach sensitive information: an estimated 88% of security breaches are attributed to human error, and 37% of attacks have email or physical mail as the root cause. To strengthen information security, companies must focus on better preparing their people. Investment in IT infrastructure, technical controls, and CISO-driven programs should continue, but the human factor remains a considerable risk. We see three areas of focus that organizations can prioritize immediately to start making an impact.
1. Align leaders and create visibility from the top.
Strategic direction should be set jointly with Chief People Officers and Chief Learning Officers. A tighter, more formal link with Chief Risk Officers then aligns the human-centric strategy, covering culture, awareness, and training, with the company's own enterprise risk profile.
Embedding a risk-based culture starts at the top. Leaders educated on specific risks can act as an accountable voice, promoting and communicating the importance of security. Companies must ensure that leadership is the face and voice of security as they lead by example in meetings and everyday behaviors.
Especially during challenging and uncertain times, Risk Managers have an opportunity to act as champions for an efficient risk management program. For example, during the beginning of the COVID-19 pandemic, teams turned to leadership for direction, transparency, and, most importantly — a plan. Strong leaders took this opportunity to evaluate risk and develop a strategy to protect customers, organizational assets, stakeholders, and employees.
2. Build a culture that will drive behavior and action to maintain security across the organization.
Most leaders understand that employee behavior change and compliance don't happen in one day or with one training program. Instead, the best companies embed information awareness and risk-driven security into their culture. Culture drives beliefs and actions beyond what the best-designed controls can accomplish. Culture, as it relates to driving behavior, can be a “fourth line of defense” in managing overall risk. Therefore, leaders who wish to foster long-term behaviors must make risk a focal attribute of that culture.
The first step toward sustainable cultural transformation is awareness and education. Organizational risk awareness campaigns bring increased visibility to security threats and the associated risks through videos, newsletters, articles, and other media. Next, leaders must identify the policies and procedures that enforce data privacy and security, and ensure there are consequences that reinforce the desired behavior. Finally, organizations can build data protection and incident prevention into performance management, with objectives tailored to each leader's role.
3. Deploy formalized, immersive training to build mastery of security threats.
Employee awareness and behavior rely on the quality and relevance of organizational communication and training programs. Organizations must revamp annual slide deck presentations to deliver engaging and realistic training that prepares teams for the modern risk landscape.
However, deploying mandatory risk and compliance training is not enough. If leaders want their teams to retain information, they can use gamification techniques, such as leaderboards, to reinforce desired behaviors and increase participation. Training programs should be engaging and relevant, moving away from dated e-learning courses; scenario-based simulations, for example, show teams different security threats and how best to respond in each situation. Additionally, not all employees have the same risk profile (staff who approve payments or hold privileged access face different threats than the rest of the workforce), so training should be tailored across roles and teams.
Lastly, make it personal. Personalized risk training makes the lessons and resources for protecting data stick. Employees who see how security applies to their lives outside of work bring that mindset with them into the workplace. This relatable content drives engagement as employees learn to make their own personal data more secure.
People might be your weakest link
According to Barry Kayton, co-founder of employee activation platform Cognician, “People are your weakest link when it comes to cybersecurity. Changing their mindset is your best defense against attack.” While conventional cybersecurity training is information-centric and potentially counterproductive, Cognician drives team members to take security-enhancing actions immediately, thereby reducing key security vulnerabilities.
“In a client rollout participants were encouraged to put new security practices into place, eliminating security risks. The 50 participants completed 83% of follow-throughs and made 178 key structural changes that materially increased company security. Furthermore, a follow-up health check three months later showed a 25% increase in overall security maturity.”
The future of cybersecurity and risk culture
As cyberthreats continue and criminals invent new techniques to compromise organizational information and data, we must expand the focus of IT security spending to include the human factor. From 2020 to 2021, spending on training decreased by 8%, while businesses' IT spending on cybersecurity increased by 63%. We believe the future of risk management and compliance will be rooted in human behavior and organizational culture.
Train your teams and protect your assets, customers, and reputation from today’s top risks
Organizations and leaders can respond to today's unpredictable risk management and regulatory environment. It is possible to respond to threats to your business before it is too late, with data-driven proactive strategies, technologies, platforms, and processes that mitigate fraudulent activity, safeguard your organizational systems, and make regulatory compliance timely and straightforward.
Learn more about our Risk and Compliance Consulting practice.