This is the newest installment of a recurring monthly guest column by Envision's COO, Jason Albuquerque, featured on Providence Business News. In this article, Jason shares his thoughts about cybersecurity awareness training.
We’ve constantly heard that humans are the weakest link in cybersecurity and that cyber awareness training is essential to solving this problem. But based on the alarming cybersecurity statistics that continue to be reported, it’s time for a radical change in educating employees on cyber risk. The growing number of attacks and the increased sophistication of cybercriminals have upped the ante. People, their behaviors and their cyber-aware decision-making processes have emerged as the linchpin of an organization’s resilience. Despite the adoption of robust technical defenses, it is the vulnerability of humans that often opens the doors for hackers.
Recent statistics reveal that anywhere from 75% to 85% of all cyber incidents involve a human cause. That shows that safeguarding organizations goes beyond simply securing the technology infrastructure; it necessitates the empowerment of the individuals within the organizations.
Traditional cybersecurity awareness training has fallen short. These “awareness programs” are often a “check in the box” exercise to show compliance and fail horribly in engaging employees in adopting strong cyber hygiene. This leads to a lack of awareness and a dangerous level of complacency.
There are many challenges facing businesses today in cybersecurity awareness training, which is why a shift towards a comprehensive human risk management approach is crucial. By diving deeper into the root causes of human error and exploring innovative strategies, we can transform cybersecurity awareness and reinforce the human element as a critical front-line defense.
Traditional cybersecurity training has been approached as a compliance exercise – hours of slideshow presentations or generic off-the-shelf courses that fail to engage employees and articulate why these training courses are critical. The result: the average user sees cybersecurity training as an inconvenience.
Human risk management takes a comprehensive approach to addressing human risk, encompassing employee-tailored training, behavioral change initiatives, policy enforcement, and the utilization and adoption of technology. By putting a security-conscious culture at the top, this strategy empowers all employees to view cybersecurity as an embedded part of their duties, fostering a sense of ownership and vigilance. Ultimately, cybersecurity needs to be part of the DNA of the organization’s daily work.
Organizations can start taking steps now to build toward a culture of managing human risk. With a human risk management approach, companies effectively identify, prioritize, and manage the top human risks specific to their business and culture. This fosters a sense of collective responsibility, encouraging staff to report any potential security risk and recognizing employees who make proactive efforts to maintain a cyber-resilient business environment.
A well-designed program can allow businesses to create tailored education that alerts employees to the latest cyber threats facing their business and the best practices for countering them. Having regular, engaging sessions, supplemented by real-world examples and interactive components, can foster a deeper understanding and drive positive behavior change. Educating employees on cyber risk cannot be treated as a once-a-year class but must be a constant journey. Designing a program that includes continuous learning opportunities, reinforcement exercises and simulated phishing campaigns can strengthen knowledge and instill a security-conscious mindset.
Business leaders must recognize that the human element is a critical factor in cybersecurity risk management. By embracing a human risk management approach and implementing more personalized strategies, organizations can empower their employees to become strong defenders against cyber threats. The shift towards human risk management is not only a necessary step in strengthening cyber resilience but also a transformative approach that cultivates a security-conscious culture within your organization.