Photo Credit: Joakim Berndes via Compfight cc
The internet is not a safe place for businesses to operate; the “bad guys” are winning the technology arms race, producing malicious software at a terrifying rate and delivering it by compromising previously trustworthy websites (which often isn’t as difficult as it should be).
A large proportion of successful attacks exploit the people in front of the computer rather than the computer itself. Targeted phishing emails sent to key staff or teams within an organisation are overwhelmingly likely to succeed in having someone (and it only takes one person) click on a malicious link.
This modern reality of cyber security makes it overwhelmingly important to maintain a security awareness programme to make sure your staff are able to spot potential threats and to respond in the right way.
Unfortunately, for many companies security awareness consists of an annual e-learning course and then a gaping hole of inactivity for the next 11 months. The course is likely to be generic and will be bought as an “off the shelf” product, so may contain information which directly contradicts company policies – for example, how can one course cover the “right” approach to USB sticks when no two companies are likely to have the same processes and controls in place?
Security awareness programmes have to learn lessons from other comparable disciplines – and one which is close to my heart is dog training. It’s a straightforward fact that trying to train a dog once every 12 months will not produce positive results. To change behaviour, you need to commit to a consistent training programme over several months.
Traditional approaches to security closely mirror dominance-based dog training techniques, which studies have shown either reinforce, or fail to change, undesirable behaviour. These negative reinforcement approaches try to teach what not to do (don’t growl, don’t bark – don’t email sensitive data, don’t use removable media or you’ll be punished). Even if people (or dogs) absolutely know that doing something is wrong, they may continue to do it if they’re not given an acceptable and positive alternative. We need to encourage people to exhibit the right behaviour (you’ll earn a treat if you don’t growl – here’s how your job gets easier if you transfer data another way) if we want to achieve a sustainable change.
Positive reinforcement doesn’t mean that you need to have a steady supply of biscuits on hand to reward staff who do the right thing – often just saying “thank you” to someone who reports a suspected incident will encourage them to do the same in the future. At TDX, we used incentives to support our e-learning course by giving £50 in Amazon vouchers to a randomly selected colleague who beat the first deadline for completion, resulting in a much higher early completion rate than we could otherwise have achieved.
Now is a great time to review your security awareness programme, and to make sure that it’s not just an annual checkbox exercise. By providing a regular flow of consistent messages to colleagues, incentivising good behaviour and acknowledging when someone does the right thing, you can achieve real behavioural change (and reduce risk to your business) at almost no cost.
