In 2016, US furniture giant Haworth released a white paper arguing that sensor-embedded workspaces lead to a higher-quality work environment. Sensors gather data throughout the day on occupancy and on variations in employees' cognitive and emotional state. That data then serves as a baseline for improving workspace efficiency and employee productivity.
Designing for behavioural change has become a lucrative trend and a valuable capability for any company. Chances are all of us now use some app, device or gadget to help us follow through on a new resolution. These products are conceived to trigger a positive behaviour such as eating healthier, being more productive or fighting a bad case of the Mondays. Technology is now designed to get jobs done, and humans are at the centre of that design.
The question is this: in the context of cybersecurity, can a behavioural-based approach lead to better defence mechanisms against cyberattacks?
Industry and government breach reports consistently name human error as the main root cause of successful cyberattacks. The figure commonly cited is that around 90% of data breaches are carried out with information stolen from employees who unwittingly hand their system IDs and credentials to attackers.
While credential theft is the most common form of human error, the problem does not stop at falling for spear phishing or social engineering. Other behaviours behind serious data breaches include poor password management, unsafe browsing and general carelessness.
Human error is also a major issue inside IT departments, as illustrated by the Verizon data exposure in July: six million users had their data exposed because of a misconfigured access setting on a cloud server. When asked why such lapses happen, IT security analysts most often cite long working hours and unclear responsibilities and ownership as the reasons procedures are not followed.
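The exposure described above belongs to a class of error that a guardrail can catch before a tired analyst has to. As an added example that is not from the original article and is not Verizon's own tooling, the Python below lints a cloud storage access policy written in the AWS S3 bucket-policy JSON format (an assumption; the article does not name the provider or the setting) and flags any Allow statement that grants read access to an anonymous principal. Both sample policies are constructed for this example.

```python
import json

# Actions that let an anonymous caller read or enumerate object data.
# This list is an assumption for the example; extend it for your provider.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Normalise a policy field that may be either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a Principal element means 'anyone', including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json):
    """Return the Sid (or positional label) of every Allow statement granting anonymous read.

    Statements carrying a Condition block are still reported: a condition may
    narrow the grant, but a human reviewer should confirm that rather than have
    the linter silently assume it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample: the weak setting that exposes every object to the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-export/*",
    }],
})

# Constructed sample: the corrected setting, scoped to one named role
# (the account ID is the AWS documentation placeholder, not a real account).
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-export/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("locked", LOCKED_POLICY)):
        print(name, public_read_statements(doc))
```

Run as a pre-deployment check or in a periodic scan over every bucket policy in the account; a non-empty result is the signal to block the change and ask a human, which is exactly the kind of step that long hours and unclear ownership cause people to skip.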
It is by now well established that technology alone neither prevents human error nor promotes safe behaviour. This 'human-incompatible' way of approaching cyber resilience is a major reason why successful cyberattacks keep rising. More often than not, real attacks exploit psychology as much as technology.
In most cases, attackers exploit the irrational decision-making users exhibit when confronted with a security warning. A user who is trying to finish a task and runs into such a warning will typically ignore it or try to bypass it in under two seconds. It is essential to understand how and why users fail at protecting their own data and their employer's assets.
It’s not a lack of communication and training by employers to raise awareness of the dangers – there’s plenty of that. Instead, it seems we need a different cyber defence framework that is designed around the behaviour of people.
A behaviour-centric approach helps in cybersecurity because it lets us understand how we really interact with technology, so that we can observe human biases more readily and be more aware of their influence on us.
Armed with that knowledge, behavioural change gives us the tools to get ahead of the most common human errors and to reinforce the behaviours needed to foster cyber resilience.
Cyber resilience is a balancing act between increasing secure and safe behaviours and reducing human error. Let’s start with a few misconceptions:
- Cybersecurity is NOT a “nice to have” – it needs to be part of the company’s vision.
- Cybersecurity is NOT an IT function – it has to be embedded in all functions.
- Cybersecurity is NOT about losing data that can be restored – it’s about the damage to your shareholder value and reputation.
Once these misconceptions are out of the way and the correct mindset has been established, we can focus on designing a framework tailored around behavioural change that can drive stronger cyber resilience. There are five key elements to this:
- Leadership commitment: Your C-suite has to signal to the organisation the importance of cybersecurity and commit to it financially and strategically. Signing off a cybersecurity budget is not enough to redirect employees' behaviour. Leaders are expected to abide by the same compliance rules as everyone else and to dedicate the time to understand the risks of a cyberattack. Since the 2013 Target cyberattack, the C-suite has been held accountable for protecting a company's assets and maintaining customers' and shareholders' trust.
- Organisational structure: Your cybersecurity function needs to be fit for purpose, aligned with your overall business strategy while retaining enough flexibility to proactively counteract and prevent future breaches. A direct line of communication between the chief information security officer and the CEO is key to staying informed and reacting quickly in the event of a breach. Cyber defence should also be separated from the day-to-day running and maintenance of the IT department. When it comes to executing cyber defence activities, roles and responsibilities have to be defined and distributed accordingly. This helps reduce errors within IT and ensures that cyber defence is carried out as a regular activity rather than as an add-on.
- Operating model: Your cybersecurity efforts need to reach the rest of your organisation in a way that bridges the gap between the business and IT. A key indicator of a strong operating model is that everyone in the organisation knows what to do to enhance cyber resilience.
- Talent management: Your IT security workforce has to be planned well in advance and recruited to acquire the skills and the headcount needed to reach and maintain a state of cyber resilience. Advances in technology will call for continuous sharpening of technical skills, but also of communication and management skills. IT and the business will need to work hand in hand to provide defence mechanisms that align with the overall strategy of the organisation.
- Culture: Your culture is a direct expression of your users’ behaviour inside and outside the workplace. Achieving a state of cyber resilience must become second nature and not device dependent. When staff realise their personal data is at risk as much as their employer’s, they will take extra precaution whether they are working from home or from the office.
Despite continually rising technology spend, cyberattacks keep increasing. It is time to incorporate human behaviour into the design and execution of cyber defence initiatives in order to achieve a stronger state of cyber resilience. Humans are a complex part of the organisation and cannot be controlled through technology. They can, however, become your best defence mechanism if the technology is designed around their limitations.
As Cybersecurity Practice Director at change management consultancy Expressworks, Hend Ezzeddine has over ten years’ experience helping clients adopt and implement IT solutions. In the cybersecurity space, her work is primarily focused on the human element and leverages cognitive behaviours to reduce user errors and establish safer practices.