The surge in remote working during the pandemic transformed corporate cyber-risk. Suddenly, organizations’ network perimeter expanded dramatically. In many cases, most employees – if not all – were connecting from outside of company premises and security.
This increased cyber-risk, and organizations often responded quickly with technological solutions such as virtual private networks (VPNs) and two-factor authentication. With these and other tools in place, the increased risk from continued remote working is probably marginal. However, there is a much bigger and longer-term problem: poor cyber-hygiene.
Wherever they base themselves, outside-facing employees are any organization’s weakest cybersecurity link. Instead of looking for technical vulnerabilities within an IT system, most hackers’ first tactic is social engineering: tricking humans is simply much easier. This explains why surveys show that phishing emails are the most effective form of cyberattack. But it is not just email: hackers also use phone calls and SMS messages, or they simply convince a receptionist to let them into the building.
Unfortunately, most cybersecurity programs are not up to the task of embedding the cyber-hygiene that would protect against this kind of social engineering. Most organizations make employees go through quarterly training, and it is a necessary part of cybersecurity certification. But it is not clear that these really work. After all, what are people learning when they just click to answer a few simple multiple-choice questions?
Even if these lessons do stick in people’s minds, will they change behavior? There is a trade-off with productivity. An organization where employees are unable to log in might be the ultimate in security, but it won’t last very long. That might be an extreme example, but if security measures are too annoying, employees will find it unacceptable and try to circumvent it. However, emphasizing usability can undermine security. This is a balancing act that every organization struggles to pull off.
Three broad changes can help to put in place realistic cybersecurity training across the workforce.
First, programs need cross-functional cooperation, including from HR, IT, and related fields of training and information security. This will often require a substantial shift. The Chief Learning Officer (CLO) and Chief Information Security Officer (CISO), for example, have roles that do not traditionally overlap very much, but they will need to work together much more closely. And both human resources and CLOs rarely see cybersecurity as part of their roles.
This has to change. The first big step toward more effective cybersecurity training is for those in charge of training to become familiar with the topic and buy into its importance. Then, they need to forge strong partnerships with all relevant corporate leaders so that cybersecurity becomes part of the culture. These leaders must set the tone from the top.
Second, the training must be relevant to employees’ daily workplace experiences. Something purchased from an external partner and run once a quarter does not work, because it will not stick in the brain of a worker who is just reading and clicking. Instead, training needs to provide much more creative, emotionally engaging learning opportunities.
Realistic, real-life experiments are a good example of this. Given the threat posed by phishing, some organizations have, on their own or with the help of a specialist supplier, run fake phishing campaigns. Employees receive spam emails that appear genuine, seemingly from colleagues or other sources. The program then scores them on how they perform: whether they correctly report the message or click through on a potentially dangerous link. This kind of initiative can be an effective conversation-starter and will attract more attention than a traditional quarterly course.
Western platforms are also starting to make bets on live commerce. Amazon launched Amazon Live in 2019
Third, employees need to be given information that sensitizes them to the threat environment, so they fully understand the importance of cybersecurity. Sharing distilled summaries of organizational threat intelligence reports, for instance, can be helpful. If an employee hears that five out of 10 leading competitors have been breached within the past month, or that the number of observed attacks is rising, it will increase their interest in cybersecurity and improve their awareness of the operating environment.
And when the organization updates a machine’s security, it should take the opportunity to remind the employee of ways to update the cyber defenses of other technology, such as their phone. Otherwise, protecting just one piece of equipment can give them a false sense of security about risks to the network.
Human beings often think the best of others, and we do not want to change that. Instead, good cybersecurity training will equip people with ways to spot the bad actors that are trying take advantage of them.
The CDO, formerly a figurehead for regulatory compliance, is now a key driver of company strategy. Luca Condosta describes the essential skills that CDOs require to turn DE&I concepts into actual commercial...
The pandemic sparked a shift to remote work that’s proving hard to reverse. According to Prof. Manju Ahuja, hybrid models are the new norm—driven by employee expectations, technological advances, and a changing...
Use this diagnostic tool and roadmap to rebuild trust and confidence within dysfunctional teams – the first crucial steps toward a future of high performance....
Audio available
What to do when those in positions of authority behave in ways that contradict widely accepted norms of civility, empathy, and ethical leadership....
Audio availableExplore first person business intelligence from top minds curated for a global executive audience