In an era of increased digitalization and ever-evolving technological landscapes, organizations face unprecedented challenges in safeguarding their valuable data and assets from cyber threats.
According to the Cost of Data Breach Report 2023 by IBM, the average cost of a data breach reached an all-time high of USD 4.45 million, marking a 2.3% increase from the previous year and a significant 15.3% increase from 2020. This alarming trend emphasizes the urgent need for organizations to bolster their cybersecurity defenses to mitigate the financial and reputational risks associated with cyber incidents.
“95% of cyber events are caused by human error “
– World Economic Forum Global Risk Report
However, a technology-centric cybersecurity approach falls short in addressing modern risks. While most companies have adopted security tools and systems as part of their cybersecurity strategy, they often overlook the most critical risk factor: the human element. Human error, negligence, and lack of awareness remain the primary drivers of security breaches, making human risk the biggest cyber vulnerability for companies today.
To effectively address human risk and enhance cyber resilience, organizations must shift their focus towards cultivating a cybersecurity-centric culture and mindset among employees. This requires investing in change management initiatives and education programs that empower employees to recognize and respond to cybersecurity threats proactively. By fostering a culture of security awareness and accountability, organizations can significantly reduce the likelihood of security incidents and strengthen their overall cybersecurity posture.
What do organizations need to do to effectively manage the human side of change and strengthen their cyber resilience?
1) Start by making sure there is a clear definition of what resiliency means to your organization.
Prior to initiating change management efforts, organizations must first understand what cyber resiliency means to them. Cyber resilience encompasses an organization’s capacity to foresee, endure, react, and adjust to cyberattacks. Achieving this requires a thorough comprehension of factors such as risk tolerance, regulatory requirements, and the classification of data and assets, among others. By delineating resilience objectives, organizations can construct a coherent framework for their change management initiatives, ensuring they align with security priorities.
2) Conduct a current state assessment and define your cyber culture vision.
The initial step in organizational change management is grasping the current security culture. How aware is the organization in identifying and mitigating risk? How prone is the organization in behaving in a way that reduces cyber risk? To gain insights into employees’ attitudes, behaviors, and security awareness levels, organizations can utilize methods such as surveys, interviews, focus groups, or tests. Perspective on compliance with security standards can be obtained by reviewing risk assessments and audits, conducting phishing campaigns, and monitoring the frequency of security incidents.
Once the current state has been assessed, organizations can embark on defining the desired cybersecurity culture. What does a cyber security resilient culture look like for my organization? What type of secure behaviors do we want to incentivize? Gaps between current state assessment and the desired cyber culture will determine where to focus change management efforts.
3) Develop a change story.
Use existing cultural elements and organizational values to develop a compelling change story that explains why security matters. Why is security relevant, and why is it crucial to mitigate cyber risks? When conveying these messages, organizations can align them with core company values such as integrity, accountability, and customer focus, seamlessly integrating them with cybersecurity principles.
For instance, Tim Cook, the CEO of Apple, is a vocal advocate for user security and privacy, both externally and internally. He often asserts, “We believe that privacy is a fundamental human right, and thus we embed it into every aspect of our work.” By aligning Apple’s values with broader societal concerns regarding privacy and human rights, Cook emphasizes the significance of user security and privacy as fundamental principles that dictate the company’s decisions and operations.
4) Obtain leadership and management commitment.
Visible leadership support is critical to set the tone of cybersecurity efforts. If security is not important to leaders, why should it be important to employees? Leaders should lead by example, actively engaging in security training, staying updated on cybersecurity developments, and advocating for security within the organization.
Additionally, leadership must prioritize cybersecurity in decision-making processes. According to Cisco’s Security Outcomes Volume 3 Report, organizations lacking strong executive support have security resilience scores 39% lower than those with robust C-suite backing. This highlights the need to allocate sufficient resources and budget tailored to the organization’s size and complexity. Furthermore, it involves supporting reward and recognition programs, investing in training initiatives, and integrating security into key business discussions, such as technology investments, system development projects, and decisions regarding third-party relationships.
5) Invest in a robust role-relevant security training and awareness program.
Training lies at the heart of a cyber-conscious culture, empowering employees with the necessary knowledge and skills to embrace secure behaviors and mitigate risks. However, despite the widespread implementation of security awareness and training programs, Fortinet’s 2023 Security Awareness and Training Global Research Brief revealed that 56% of leaders believe their employees lack cybersecurity awareness. This discrepancy underscores the limitations of traditional training methods, which often fail to drive behavioral change due to their emphasis on compliance, one-size-fits-all approach, and reliance on generic, static content.
To address these shortcomings, training programs should be tailored to specific roles and regularly updated to address evolving cybersecurity threats and regulatory requirements. Companies like Google, Microsoft, and Cisco have embraced role-based training approaches, customizing content to fit the unique risks faced by different roles or departments and incorporating real-world scenarios. For instance, employees handling personal, healthcare, or payment card information should receive compliance-focused training, while high-risk roles such as C-level executives, Finance, and Human Resources may require additional specialized training.
Effective training programs prioritize employee engagement and interaction. Interactive elements, such as phishing simulations, social engineering attack exercises, and tabletop scenarios, provide hands-on learning opportunities. Incorporating gamification elements into the program and using real-life storytelling examples to illustrate the consequences of non-secure behaviors can be highly effective at engaging employees and reinforcing cybersecurity awareness.
6) Recruit security advocates within the organization.
Creating an internal security community is pivotal for instilling the importance of security across the organization. Members can serve as role models and the primary resource for security inquiries within their respective functional groups and the organization at large. They can also play a key role in disseminating security communications and delivering training, often achieving more influence than security officers. Furthermore, their insights into current cybersecurity risks facilitate the customization of training programs and contribute significantly to risk mitigation efforts.
7) Address any barriers to secure behaviors.
“39% of employees find cybersecurity controls and policies hard to follow.”
– Gartner
Identifying organizational barriers that hinder the adoption of secure behaviors is critical for enhancing cybersecurity within the organization. For example, employees might hesitate to report security incidents due to fear of repercussions or uncertainty about the reporting process. Additionally, long, and complex password policies could lead to password fatigue, prompting employees to resort to password reuse, which compromises security. Addressing these barriers is crucial for fostering a secure work environment and protecting sensitive information. To mitigate these challenges, organizations can implement anonymous reporting channels and provide clear guidelines on how to report security incidents. Simplifying password policies and offering password management tools can help alleviate password fatigue and reduce the likelihood of password reuse. Creating an open culture where employees feel comfortable providing feedback is essential. By encouraging regular communication and soliciting input from employees, organizations can gain valuable insights into the challenges they face and work together to find effective solutions.
Conclusion
Ultimately, the success of a cybersecurity program hinges on the collective efforts of employees who understand the importance of security and are committed to upholding best practices in their daily work. By investing in change management strategies, organizations can not only mitigate risks and protect their assets but also cultivate a culture of resilience and adaptability in the face of evolving cyber threats. In today’s digital age, where the stakes have never been higher, proactive investment in security culture is not just a competitive advantage—it’s a necessity.
Resources:
- World Economic Forum – Global Security Outlook Report 2022
- Cisco’s Security Outcomes Volume 3 Report Dec. 2022
- Fortinet’s 2023 Security Awareness and Training Global Research Brief
- 4 Ways to Achieve Secure Employee Behaviors – Gartner
