Almost $7 trillion was lost in 2021 from cyberattacks, according to the FBI, and over the last 5 years the number of cyber-related complaints has increased by more than 180%. With seemingly no end in sight, the cybersecurity industry is increasingly looking to address the root of the problem: humans. According to the 2021 Data Breach Security Report from Verizon, 85% of successful cyberattacks involved some form of human element. Therefore, the adoption of cybersecurity training is no longer optional; the only question is what types of training actually move the needle.
A growing number of new regulations now require many businesses to add ongoing education to their security programs. However, a growing number of security officers are reporting that many of these one-size-fits-all training systems are falling short. Without changing employees' online behavior, security training fails to deliver a return on investment.
“You can’t really solve the problem unless you account for the fact that people react differently to the same type of threat,” says Marc Leckman, director of IT for Wesdome, a Canadian mining company with more than 500 users often in remote locations. “Current training programs are just too one-dimensional and don’t take the human element into account.”
The human firewall
“We’ve been focusing on how to increase the level of awareness and education for a while, but the weakest link is always people; what I call the ‘human firewall,’” stated Kin Lee-Yow, CIO of Canadian Automobile Association Club Group (CAA), one of the country’s largest not-for-profit associations. CAA has thousands of employees across the country working in retail stores, call centers, corporate offices, and accounting, each of which is vulnerable to a serious breach.
The fact is that even the best technology can only thwart about 93% of attacks, leaving a large hole in an organization’s basic security hygiene: a gap where employees are depended upon to make split-second decisions, and where a wrong choice puts disaster just a click away.
This has led to a growing demand for training programs that rely on behavioral science to measure and manage cybersecurity risk as a distinctly different solution from generic, one-size-fits-all training programs. These programs focus on training the right person at the right time about their specific risk profile to generate and sustain a change in behavior.
Lee-Yow recently discovered a cyber-training program that utilizes machine learning to develop a customized approach for each employee. The CAA Club Group was able to correct key motivating factors that drive underlying online employee behavior. This has greatly reduced the instances where an employee falls victim to a cyberattack that could devastate a company’s reputation and bottom line.
Forming good habits
“We are now attacking it from a completely different angle,” says Leckman. “Beginning with the personalized risk assessment provided by cyberconIQ, and their accompanying dashboard, we can ascertain the risk makeup of our employees and strategically plan our next investments based on those results.”
Based in York, PA, cyberconIQ was one of the first companies to merge psychology and technology in order to measure and manage cybersecurity risk. The company’s assessment, training and education have been tested by a 3rd party and are proven to reduce the risk of a successful attack by 45-90%. This creates a measurable ROI on security executives’ training expenditures.
“I liked the fact that every employee is given a 40-question assessment, kind of like a Myers-Briggs personality test,” says Lee-Yow. “This gave us a tool that assessed every individual from their own risk standpoint, and from there we could show them how to better protect themselves. And going one step further, how to create good online habits.”
While good habits are not formed overnight, Lee-Yow says he has found the ongoing education – which includes delivering new materials regularly – and simulation drills to be an effective departure from generic training programs he has used in the past.
“We can actually measure improvement,” says Lee-Yow. “For example, we conduct regular phishing tests and if someone fails, we can follow that up with a program that reinforces and rejuvenates that employee on best practices.”
Lee-Yow says that the CAA Club Group has been using the education assessment and training program for more than 18 months and is quite pleased by the results.
Cybersecurity ROI
Conversely, Wesdome is still in the early stages of its personalized cyber-training journey. Leckman was looking for a consulting partner who could first help him determine his existing corporate risk profile. After this assessment was complete, he was able to demonstrate to his executive peers and the company’s board of directors that improving their cybersecurity practices was critical.
“From a director standpoint, breaking down the results of that assessment showed me where we were at a higher risk, where we had lower risk, and where our budget was best spent,” explains Leckman.
This ability to measure risk-adjusted ROI on improvements in maturity is persuasive for those who control budgets and spending, ensuring cybersecurity improvements are targeted appropriately for additional funding.
The key for Wesdome was finding a solution that delivered an ROI: not in the form of immediate payback, but in the long-term reduction of the costs associated with the threats to which the company is exposed.
As part of that, both Leckman and Wesdome have decided to further enhance security measures, and thus lower their risk profile, by utilizing cyberconIQ’s risk advisory team.
“This is really priceless when it comes to someone in my role,” explains Leckman. “Now I have multiple specialists that I can sit down and talk with. It is like I expanded the IT department.”
Lee-Yow also realized that changing behavior through targeted education is crucial for reducing risk and therefore saving an organization from the monumental costs associated with a cyberattack.
“When the massive amount of costs, compliance, and other aspects of an attack are taken into account, it is obvious that personalized intervention is what the industry needs,” concludes Lee-Yow.
Time is of the essence in addressing these matters, given the constant escalation of new threats and new techniques being deployed against organizations globally.
In fact, a successful cyberattack now costs an average of $4 million per incident according to IBM’s 2021 Cost of a Data Breach Report. Mimecast, meanwhile, reports ransomware demands on U.S. businesses now eclipse $6 million on average. For small businesses (under 250 employees), this type of attack results in bankruptcy 60% of the time.
Surprisingly enough, even though it is technology that produces the cybersecurity issues in the first place, most organizations are still relying solely on technology to mitigate cyberattacks. Yet technology alone is unlikely to solve what is essentially a human problem, one where the biggest shortfall is often found in an organization’s human defenses.
Given the huge global shift in working and learning remotely, teaching mindfulness should now be a critical component of any security awareness training. Knowing what to do to avoid risk and successfully applying that tactic when an actual threat appears is the key to keeping an organization and its employees safer online.
“We are all human. We all make mistakes,” Lee-Yow said. “However, we believe that mistakes can be greatly minimized with the proper employee education and effective follow-up.”
Stephen Moramarco is an Arizona-based freelance writer with more than 20 years of experience writing about technology and the cybersecurity industry.