"However good a drug is, it is no good if people don’t take it or take it badly"
Dr. Anthony Fauci
What’s the deal with cyber hygiene?
As the cost of a data breach continues to increase, enterprises are tasked with continuously improving their cyber hygiene. Oftentimes, the focus is on cybersecurity tools and procedures, letting concerns about employee behaviour fall to the wayside.
We need to change our approach. Verizon reported that 82% of cyber incidents involved human error. And according to Reciprocity, only 55% of people are vigilant about cybersecurity when working from home. So, even if you have a VPN for remote workers, if they forget to use it before signing into their email, it’s rendered useless.
Not only does this put the business at risk but employees are impacted as well. Costly data breaches can lead to bankruptcy or closures, leaving staff suddenly unemployed.
Barriers to good cyber hygiene
Why is it so challenging to get company-wide buy-in? Let’s look at the similar issue of getting people to take their medicine.
At the recent 24th International AIDS Conference, the presentations talked about improving outcomes and new areas of research, including the use of mRNA vaccines to help flatten the spread of the disease. Last year 650,000 people died from HIV. We know how deadly the disease is, yet the largest impediment to halting its spread is getting people to take their medicine. In the US, only 40% of patients take their daily pill regularly – more than 90% of the time. Another 20% adhere to their routine “sub optimally” – meaning 80% to 90% of the time. The remaining 40% follow it poorly, taking the medicine lest than 80% of the time. Three out of five sufferers do not follow their doctor’s recommendations.
CISOs and security leaders must accept that getting employees to follow cyber hygiene recommendations is difficult. Human nature is very malleable, and not everyone is a security or technology expert. Forgetfulness, fatigue, and other structural barriers can introduce weaknesses in your first line of defence.
5 tips to improve cyber hygiene
Businesses need to address these three barriers when creating a strong cybersecurity strategy. For example, the closer the reminder is to the decision, the more effective the reminder will be. Resolving fatigue means designing security implementations to make doing the right thing easier than doing the wrong thing. To understand those other structural barriers, we need to research what it is that compels people to make an improper choice, then tune our cybersecurity interfaces to guide people to make the safe choice.
Here are 5 tips to achieve company-wide buy-in.
1. Lead by example:
Don’t pull rank and – unbeknown to IT – use your favourite app to conduct confidential business. Leaders are responsible for setting precedent and demonstrating what security looks like in everyday business practices.
2. Tell a story:
Storytelling is an effective method of communication. Not everyone is passionate about cybersecurity, so you can expect lots of glazed over eyes and turned-off cameras when you bring out the pie-charts. Instead of dry PowerPoints, build a relatable narrative that highlights a few recent incidents and how they impacted everyday business functions. For example, a story about a BEC incident that could shut down email accounts or took money out of the bonus pool would certainly get the attention of employees.
3. Encourage collaboration and questions:
Encourage information sharing across all teams. Set up an inbox that staff can forward suspicious-looking emails to instead of leaving them to their own devices. Some staff may feel too intimidated, or fear being judged by security experts to come forward and ask questions. Positive, supportive communication is vital to encourage staff to work with security teams.
4. Simplify security systems:
Don’t let complexity be a barrier. Remove friction by setting up system alerts to remind employees to change passwords, update software and hardware, backup data, etc. If possible, create guided tutorials to help less tech-savvy employees follow policies. These don’t have to be Hollywood-grade productions; marked up screenshots and concise instructions will suffice.
5. Monitor metrics:
Using gamification, competitions, or quick – keyword: quick – tests in security training helps you monitor which modules resonated and the knowledge levels. Furthermore, people are motivated by success. If your company-wide phishing test has great results, share those numbers with employees to encourage further vigilance.
Cyber hygiene is not a complex problem, but it is hard, which means we need to research them, understand the underlying barriers to clarity and understanding, and design solutions that support the safe choice.
Handling forgetfulness is not that hard. As an industry we are pretty good about reminding people to do the right thing – and studies have shown that when people get the information they need when they need it, their retention is very high. Fatigue is an easy problem to solve, as well – we have the expertise to guide people into making the right choices and structuring our interfaces to make them simple and easy to use.
As for the other structural issues, no employee comes to work hoping to mess things up. Nobody wants to make a costly mistake. Improving cyber hygiene will happen – not by accident but by research, by study, by analysis, and by design.