
Cybersecurity will only work if we put people first

07 May 2019
Sponsored

Too many organisations are looking for a technical solution to what is essentially a human problem. Even with the most sophisticated technology, organisations can only reduce exposure to intentional cyberattacks orchestrated by malicious actors to an extent. This is mainly because a company’s biggest security risk is unintentional employee negligence. 

The Office of the Australian Information Commissioner (OAIC) highlights that around one-third of the 812 data breaches reported to the Notifiable Data Breaches scheme between its introduction on 22 February and the end of December 2018 were due to human error.

Gone are the days of ‘click and drool’ compliance

While awareness training has long been considered the best way to educate employees about security best practices, traditional training methods on the whole are not effective. The content is often boring, outdated, long, and therefore unlikely to resonate with staff.

Employees that participate in these compliance-focused training courses tend to take a ‘click and drool’ approach, where the aim is to click through the course as quickly as possible, without actually taking in any of the information, ultimately leaving businesses at risk.

At the same time, lack of consistency also reduces the effectiveness of training courses. According to Mimecast’s 2018 State of Email Security report, only 14 per cent of Australian organisations continuously train employees to spot cyberattacks, with 58 per cent of those surveyed admitting to only doing training quarterly or once per.

How to make good security behaviour stick

Organisations are at a critical juncture. They can either continue down the path of ticking a compliance checkbox or take an innovative approach to cybersecurity awareness training. There must be compliance and commitment from employees for good security behaviour to stick.

Awareness training needs to be engaging and persistent. Organisations can use analytics to capture the baseline behaviour of employees when it comes to security compliance – or the lack thereof. The data can then be engineered into actionable information as part of a training program, ensuring that the details being delivered will be relevant to employees.

Possible alternatives include introducing once-a-month training through activities such as one-on-one mentoring, live online training, roving departmental subject-matter experts, and gamification. Humour through GIFs and memes can be another effective approach.

When there’s substance and personalisation in awareness training material, it will resonate with employees and there will be greater willingness to continue with the program. 

The tone for any training program, however, needs to be set from the top down. There’s a responsibility at the C-suite level to be engaging, endorsing, and supporting the program. If there isn’t the weight behind them, training programs aren’t as highly valued, and are less effective. 

It’s clear that traditional awareness training programs are plagued by fatigue, which ultimately puts organisations at risk of being exposed to a cyberattack. By taking a human-centric, yet analytics-driven approach, organisations can change up these cybersecurity programs so that they are more human and can be personalised, engaging, and consistent.
