Point of View

Make employees your best firewall, not the weakest link in your cybersecurity chain

September 16, 2021

Our recent HFS Pulse Study revealed that cyber security is the number one area for deploying emerging technologies. Almost 40% of respondents have implemented emerging technologies at scale across the enterprise and plan to increase their investments significantly over the next 12 to 18 months.

While we can celebrate enterprises’ focus on cyber security, it does not appear to be enough. Threat hunters from CrowdStrike, a cyber security technology vendor, tracked a staggering 60% increase in attempted intrusions in 2021 spanning all industry verticals and geographic regions.

It is high time for CISOs, IT leaders, and business leaders to address the elephant in the room. Sorry, I meant the human in the room.

While the focus on security is high, it’s still not enough

According to IT GRC security provider IT Governance Ltd, the total number of publicly disclosed security incidents in the UK in the first three months of 2021 increased by 50% compared to the same period last year. Data from the UK’s Information Commissioner’s Office revealed that human error caused 90% of breaches.

Enterprises are aware of the “human” problem, but they keep trying to solve it by deploying more and more advanced technologies.

The accelerated deployment of technology is not the answer to enhancing cyber-awareness and engagement of your employees. Enterprises must seriously invest in a more people-centric approach.

Stop demonizing employees, and start recognizing good behaviors

Positive reinforcement repeated at scale institutionalizes good practices, and ultimately good practices become the culture. Enterprises should stop scaring employees about cyber security for an obvious reason: it makes them uninterested in security.

The UK National Cyber Security Centre highly recommends that organizations focus on positive messages around what staff can do to help rather than just the consequences of doing something they shouldn’t. An employee successfully passing three phishing tests in a row is a great achievement that deserves recognition and acknowledgment.

Some enterprises adopt a positive social reward approach by publicly recognizing or rewarding employees who demonstrated good behaviors. Recognition could be as simple as sharing cases of employees doing the right thing via newsletters or other corporate communication channels. Employees could also earn monetary incentives for repeated good behavior, which could be anything from gift certificates to cash recognition awards.

Senior executives must lead by example and cannot delegate such responsibility

Senior executives firmly believe that cyber security is critical, with more than four out of five CEOs saying it is high on their agenda, but somehow many employees still perceive that they are not leading by example. A recent poll conducted on LinkedIn showed that 40% of the 246 respondents believe that management teams are not leading the way.

Many senior executives do not take time to understand security, or they simply ignore inconvenient security protocols they perceive as hindering their productivity. According to a recent report by Constella Intelligence, one in four global IT security leaders has used the same password for work and personal use. The survey also found that nearly half of them connect to public Wi-Fi without using a VPN.

When leaders just talk the talk, it’s unrealistic to expect employees to walk the walk. Converting senior managers into cyber security evangelists should be high on the agenda, and the effectiveness of their cyber-aware attitude should be measured by independent risk and compliance functions.

An engaging “Beat the hacker” challenge is certainly more appealing than a mandatory “Click the next button” exercise

When it comes to evaluating the effectiveness of cyber security training campaigns, the measure of success for most organizations is one magic number—100% completion, on time. Security training typically comprises tick-the-box and point-in-time orchestrated assignments with one key objective: to meet compliance requirements. This mindset, unfortunately, gives enterprises a false sense of confidence that employees are adequately trained.

TalentLMS surveyed 1,200 employees on their cyber security habits, knowledge of best practices, and ability to recognize security threats. Out of the respondents that received cyber security training from their employers, 61% failed to take a basic quiz.

Innovative programs to drive employee engagement with security can be crucial

The old compliance-driven model directed at overloaded employees still appears to be the norm. Enterprises must invest in more innovative ways to engage with employees and ensure their skills evolve to respond effectively to increasingly sophisticated attacks.

Boosting cyber security awareness training with gamification or game-based learning is becoming a powerful way to continuously foster security-centric behavior. Security and compliance solution providers, such as KnowBe4, Proofpoint, or ThreatCop, now offer such features to make training more palatable and fun.

CISOs must communicate more effectively to impact user communities

We can summarize the communication approach many enterprises take with three words: exclusive, generic, infrequent.

An approach is exclusive when most cyber security communications are targeted and crafted for one specific group: the IT user community. Cyber security is far from being an IT-only problem; it is a business resilience problem. Technical and intimidating jargon makes it very difficult for any business user to understand and interpret essential messages.

One-size-fits-all messages will certainly not achieve the intended objective, and CISOs need to be specific to communicate effectively. Stakeholder-centric communications combined with storytelling techniques make cyber security relatable to more communities of people.

Infrequent communications allow information to become stale, doing very little to reinforce cyber security messages. It is crucial to ensure consistent and frequent communications to staff to remind them of best practices and share the latest trends. But it is also essential to find the right balance between frequency of communications and quality of messages.

The Bottom Line: It does not take too much effort to reinvigorate your cyber security culture. Start now!

Senior executives must demonstrate on a day-to-day basis what good cyber security hygiene looks like. Enterprises must put employees at the center of cyber security with personalized engagement, giving employees innovative methods to continuously learn, and recognizing good behaviors.
