When history comes to be written about the current decade, the past few months may well mark a turning point. Exactly how remains to be seen, but one thing has become abundantly clear: the way organisations work may never be the same again. This matters a great deal for CISOs, because if you were worried about insider threats before, the same risks could be many times greater among a workforce working from home.
This is where user awareness training comes in. But simply putting a blanket scheme in place may not work: some employees don’t break the rules out of ignorance but because they have made a conscious decision to do so.
With the risks less related to education and more to psychology, it’s time for organisations to take a more nuanced approach to employee security training.
Breaking the rules
A recent global study of 13,200 remote workers in 27 countries found that although awareness of cyber-related risks is high, many employees choose not to conform anyway. A majority (85%) say they take instructions from their IT team seriously, agree that cyber security is partly their responsibility (81%) and even claim they have become more conscious of security policies since lockdown. A majority (64%) also recognise that using non-work applications on a corporate device is a security risk.
Yet over half admit to using non-work applications on a corporate device anyway, and some to uploading corporate data to those apps. Other security issues respondents admitted to include using work devices for personal web browsing, accessing corporate data from a personal device, and even accessing adult content and dark web sites on work devices.
It’s easy to understand why employees do what they do. CISOs have always had trouble convincing them that productivity and protection are not mutually exclusive: that users can do their jobs just as effectively by following policies, accepting security controls and using pre-approved apps and devices. While staff work from home, the shift to productivity at all costs has threatened to disrupt this delicate balance.
It comes as cyber criminals look to capitalise on distracted home workers, unprotected endpoints, overwhelmed VPNs, and distributed security teams who may be forced to focus on more pressing operational IT tasks. Google has reported blocking as many as 18 million Covid-themed malware and phishing emails every day. It takes just one to get through and convince a remote worker to click, and the organisation may be confronted with a debilitating ransomware outage, a BEC-related financial loss, or a damaging data breach.
With many organisations struggling financially in the wake of government-mandated lockdowns, few will welcome the costs associated with a serious security incident.
Four cyber security personas
Best practice cyber security requires a combination of people, process and technology. However, the people part has historically been neglected, which is one of the reasons why phishing is today the most popular cyber crime threat vector. Training programmes are too often one-way, one-off affairs, which may raise awareness for a short time but do little to change behaviours in the long term.
Part of the reason for this failure is that they assume all staff members are basically the same. Of course, they are not. According to Dr Linda Kaye, a cyberpsychology academic at Edge Hill University, there are four key employee personas based on their cyber security behaviours.
• “Fearful” employees are nervous about wrongdoing that might expose their organisation to cyber risk. They feel highly accountable for their own behaviour, even if they don’t know what the risks actually are or how to manage them.
• “Conscientious” types are probably the CISO’s dream: they understand cyber-risk and act on advice, not just avoiding risk but taking steps to proactively manage it.
• On the other hand, “ignorant” users are a major risk because they combine a lack of cyber awareness with minimal personal accountability for their own actions. Their risky behaviour, however, is rooted in a lack of understanding rather than intent.
• More dangerous still are “daredevil” employees, who break rules not out of ignorance but out of a sense of superiority. They believe the rules should apply to others, but not to them.
A nuanced approach
So what can CISOs do with this information as employees continue working from home? Certainly, different strategies may work best with different character types. Fearful staff members may react well to real-world simulation exercises, which let them experience, in a safe setting, situations they would not normally encounter. They may also benefit from being mentored by conscientious personas, who can act as security champions in the organisation.
Ignorant users need training and practical advice on how to mitigate risks. To keep them engaged, it may be necessary to use gamification techniques, or again those phishing simulation exercises, which can be updated each time to reflect current scams. It’s also important to recognise that this persona may require additional intervention to help them understand the consequences of risky behaviour. Daredevils are perhaps the most challenging, as they don’t respond well to authority. Even here, however, CISOs can achieve promising results, perhaps by using reward schemes to change behaviour.
Ultimately, no two organisations are the same. CISOs will need to approach this task according to their risk appetite and the type of tasks staff working from home undertake. The most important thing to bear in mind with user training is to keep lessons short and regular, and to act on the feedback you receive to continuously improve courses. Training should never be a chore for employees. With a more considered, personalised approach, CISOs can change user behaviours and build both an effective first line of threat defence and a security-aware corporate culture.