Moving from Cybersecurity Awareness to Cybersecurity Careness

Given that human error is still responsible for more than 90% of security breaches, can we agree at this point that the current security awareness model of videos followed by a quiz at the end is not working? If we need to use a carrot or a stick to get users to complete cybersecurity awareness training, then we have lost before we even started. The onus is on cybersecurity leaders to develop awareness programmes so compelling that people want to complete them!


Awareness is concerned with knowledge and understanding. Therefore, when we do security awareness training, we make people aware of what they need to do by educating them. However, there are several examples that prove awareness does not always influence behaviour. Global leader and security awareness expert Anna Collard once used the example of the speed limit to illustrate this. She said that most people know what the speed limit is, but they speed anyway because they do not care. Similar examples along this theme include smoking or eating unhealthy food. In all of the examples mentioned, we can safely assume people are aware of the potential risks and dangers, but for a variety of reasons they choose to do it anyway. We could argue that they do not care.
Consider the definition of care: serious attention or consideration applied to doing something correctly or to avoid damage or risk. Could it be that our focus has been misguided? Could it be that we should be focusing on security careness instead of security awareness?

To strengthen the human firewall, supercharge your awareness programme, and reduce risk to your organisation, consider the following guidelines:

1. Start with governance

Define a security awareness standard. The standard must include the scope, objectives, and Key Performance Indicators (KPIs) of the programme.

2. Senior leadership support

Senior leaders must regularly echo the importance of cybersecurity within the organisation. This could be via email, at town hall meetings, or on posters. Executive level support is likely to assist with effecting culture change within the organisation.

3. Segment staff based on risk

Board members and their secretaries pose a different type of risk compared to the service desk. Grouping users by risk allows messages (and the frequency of messages) to be tailored to each user group. Assessments can also be tailored to simulate the risks that are actually relevant to each group.

4. Establish a champion programme

A cybersecurity champion programme allows for a group of users embedded in the organisation to drive the security message. These users will champion security from the frontline.

5. Tailor cybersecurity awareness per department

Human Resources (HR) and Payroll employees must be aware of impersonation attacks relating to changes in banking details for salary payments, while the Helpdesk must be aware of tactics trying to maliciously reset user passwords. For a cybersecurity awareness programme to be effective, it must contain a combination of general awareness content, and tailored content specific to the business processes of each department.

6. Use a variety of mediums

People learn differently, and they are also at different levels of awareness and education. We need to understand the audience, their level of cyber awareness, and their preferred learning methods, i.e., in-person sessions, online materials, self-study, and so forth. The awareness programme must include a variety of methods for delivering content.

7. Encourage users to report cyber incidents

The only thing worse than an employee making a mistake is employees concealing mistakes. Creating an organisational culture where people are encouraged to report mistakes could be the difference between containing a cyber incident or not.

8. Regularly test effectiveness

This is often done with phishing simulations. Caution should be exercised in how results are interpreted. Users should not be humiliated for being caught by a phishing simulation. There should be a documented policy on how to deal with repeat offenders (users who consistently fail the phishing simulations). The policy must be fair, risk-based, communicated to all employees upfront, and consistently enforced.
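As an added illustration that is not part of the original article, the following Python computes the programme's KPIs (click rate and report rate) from a constructed set of phishing simulation results, broken down by the risk segments of guideline 3, and flags repeat offenders under a hypothetical documented threshold of three consecutive failures. The user ids, segment names, results and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample results from three simulated phishing campaigns (not real data).
# Each record: user id, risk segment, campaign number, whether the user clicked,
# and whether the user reported the email to the security team (guideline 7).
RESULTS = [
    {"user": "u1", "segment": "board", "campaign": 1, "clicked": True, "reported": False},
    {"user": "u1", "segment": "board", "campaign": 2, "clicked": True, "reported": False},
    {"user": "u1", "segment": "board", "campaign": 3, "clicked": True, "reported": False},
    {"user": "u2", "segment": "board", "campaign": 1, "clicked": False, "reported": True},
    {"user": "u2", "segment": "board", "campaign": 2, "clicked": False, "reported": True},
    {"user": "u2", "segment": "board", "campaign": 3, "clicked": False, "reported": False},
    {"user": "u3", "segment": "helpdesk", "campaign": 1, "clicked": True, "reported": False},
    {"user": "u3", "segment": "helpdesk", "campaign": 2, "clicked": False, "reported": True},
    {"user": "u3", "segment": "helpdesk", "campaign": 3, "clicked": True, "reported": False},
    {"user": "u4", "segment": "helpdesk", "campaign": 1, "clicked": False, "reported": False},
    {"user": "u4", "segment": "helpdesk", "campaign": 2, "clicked": False, "reported": True},
    {"user": "u4", "segment": "helpdesk", "campaign": 3, "clicked": False, "reported": True},
]

def segment_kpis(results):
    """Per-segment click rate and report rate (the programme's KPIs), as fractions."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["segment"]]
        t["sent"] += 1
        t["clicked"] += int(r["clicked"])
        t["reported"] += int(r["reported"])
    return {seg: {"click_rate": round(t["clicked"] / t["sent"], 2),
                  "report_rate": round(t["reported"] / t["sent"], 2)}
            for seg, t in totals.items()}

def repeat_offenders(results, consecutive=3):
    """Users who clicked in `consecutive` campaigns in a row.

    The threshold is a hypothetical policy value; a fair, risk-based policy
    would document it and communicate it to all employees upfront."""
    by_user = defaultdict(list)
    for r in results:
        by_user[r["user"]].append((r["campaign"], r["clicked"]))
    flagged = []
    for user, rows in by_user.items():
        streak = best = 0
        for _, clicked in sorted(rows):  # walk campaigns in order
            streak = streak + 1 if clicked else 0
            best = max(best, streak)
        if best >= consecutive:
            flagged.append(user)
    return sorted(flagged)
```

On this sample the board segment clicks more but reports less than the helpdesk, and only one user meets the repeat-offender threshold.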

People are not the weakest link in cybersecurity.

People are constantly being targeted by cybercriminals, particularly as the adoption of technical controls such as Multi-Factor Authentication (MFA) makes it more challenging for cybercriminals. Social engineering may appear to cybercriminals as an easier point of entry.
The KnowBe4 African Cybersecurity & Awareness Report 2023 found that one out of three employees is likely to click on a suspicious link or email or comply with a fraudulent request. Several studies suggest that human error is responsible for more than 90% of data breaches. It is not surprising that the phrase "humans are the weakest link in cybersecurity" has gained momentum in recent times.
If we apply security architecture principles such as Defence in Depth, the failure of a single component of the security architecture should not compromise the security of the entire system. Security awareness and training is a single security control, and the fact that a failure of this one control often compromises the security of the entire system highlights the underlying problem: failing to architect securely. Security practitioners should architect systems on the assumption that humans will make mistakes.
Stress, multitasking, and distractions are some of the main reasons why users fall for social engineering scams, in addition to a lack of awareness. A user might be on a Zoom or Teams call while also responding to emails at the same time. Split focus increases the chances of human error. Therefore, the link between employee wellness and cybersecurity awareness must be explored; mindful, relaxed, and calm employees are more likely to spot a social engineering attack.
When adequately enabled, users can be an extension of the security team. Security teams must equip users with the tools to detect and report suspicious behaviour and create a culture in which acknowledging mistakes will not be met with judgement, humiliation, or unreasonable punishment.