Everyone vs. cyber threats: going beyond awareness with the 3Cs for security behaviors
October 29, 2020
In brief:
Consider, for a moment, your organization’s expenditure on cybersecurity programs last year. You may have leadership sponsoring and a top-notch cybersecurity team in place helping these programs, but can you confidently say your organization is resilient to cyber threats?
Unfortunately, in most cases, the answer is NO. Out of the organizations we surveyed, only 17 percent achieved high-performing cyber resilience. By looking at what they have done differently than peer companies, especially from a people and behavior perspective, we have found that they have worked on three Cs instead of awareness only—Consciousness, Competence, and Culture.
As part of our advocacy for European Cybersecurity Month, we’re writing a three-part series that examines the pillars of building a cyber-resilient organization. This article is the final one in the series.
Between 2012 and 2020, the global valuation of the cybersecurity market increased from $88 billion to over $173 billion, and it is expected to cross the $200 billion mark by 2022. While this 130 percent increase in global valuation makes business processes around the world more secure, it is still not enough to stop determined cybercriminals from breaking through organizations' defenses and mining filthy gold out of their data or sabotaging their operations.
A conservative estimate reported that over 8 billion customer records were accessed by hackers in 2019 alone. The financial repercussions of these breaches are forecast to reach at least $6 trillion annually by 2021. Sixty percent of attacks can be directly attributed to human error, underscoring the importance of proactively involving your employees in your cybersecurity journey. The inability to do so has raised concerns among CISOs, 76 percent of whom consider employee mistakes to be a significant threat to their cybersecurity.
According to SurveyMonkey research, 1 in 3 employees admitted to sharing the password to their work computer with others. Clearly, these fears are not unfounded. Your employees will always be your last line of defense against cyber threats. Are you comfortable staking the future of your organization and the livelihood of your stakeholders on such behaviors? Have your efforts converted your workforce into a human firewall against cyberattacks?
60% of cyberattacks can be attributed to human errors. [Source: Consultancy.uk | Gallagher]
1 in 3 employees admit to sharing the password to their work computer with others. [Source: SurveyMonkey]
We believe that organizations must recognize that awareness-based campaigns alone are not enough to instill the necessary cyber-resilient behaviors. Your organization must approach cyber resilience as a long-term and ongoing goal that requires people to not only be conscious of the issue but also be competent at handling it, so it can gradually become a key value in your corporate culture.
To be clear: communication is an effective tool to increase the visibility of the challenges pertaining to cybersecurity and the implications of not practicing appropriate cyber hygiene. Your cybersecurity posture is upheld by every employee, so making them conscious of how their daily activities could either contribute to vulnerabilities or protect their stakeholders is an essential first step.
Our experiences with various organizations’ security programs delineate certain processes as predictors of successful consciousness campaigns. First, you must position your cybersecurity program in a way that resonates with the values of your business and employees. Highlighting the implications of cyberattacks on your key stakeholders is an efficient method to increase the salience of the issue. Engaging your business leaders with this vision will significantly improve the chances of sustained success. They are powerful allies and can help clear mental hurdles present in the workforce by setting a shining example to follow.
Lastly, you must understand how your people consume information and how they are linked with cyber resilience in their daily work and life. Relevance is key to the effectiveness of communications.
A major utility company wanted to holistically address the people, process and technology aspects of cybersecurity to transform the organization. They launched a three-tiered communications plan tailored to different groups of stakeholders, which succeeded in convincing 50% more people to read the material within seven months. To support these efforts, they began building a cybersecurity brand that resonated with their business and employees. They also started engaging leadership immediately in order to establish a shared vision and ensure continuous sponsorship.
Other good practices include having a one-stop portal for all your cybersecurity campaigns and measuring awareness of potential cyber threats against the baseline to dynamically evaluate and adjust your performance. However, it is important to remember that consciousness is not the end goal but just a prerequisite to behavioral change.
The majority of the CISOs surveyed shared the belief that most cybersecurity campaigns fail because of their over-reliance on fear. Sensationalistic campaigns will certainly make your employees conscious of the cyber threat landscape, but fear alone does not equal cyber-competence. You must simultaneously show employees how to navigate this landscape with the tools available to them. The goal is not simply to instill a deep fear of cyber threats, but to promote good behaviors and inspire the confidence that contributes to cyber resilience. And to do that, organizations will first need to define the desired behaviors of a resilient workforce.
A multinational company identified the behaviors relevant to different groups of people based on each group's distinct characteristics, and this contributed significantly to the excellent outcomes of its anti-phishing campaign. Because each group has its own way of working, the desired behaviors look different for each. That is why human-centered design can be important in establishing the necessary competencies among people.
Some employees might lack the practical and everyday insights necessary to anchor cybersecurity in their routines, while others might lack skills—or confidence in the tools available to them. Whatever the case might be, you actualize change by addressing the unique concerns of different groups.
At Accenture, our security and human resources teams work together to combine the best of content and design. By developing gamified, narrative, and bite-sized learning nuggets accessible across devices, they provide employees simple ways of reinforcing and testing their cyber-competence. As a result, nearly all our locations have reached more than 85 percent of their completion goals.
Helping your talent exercise their cybersecurity skills makes them more competent. Beyond mandatory cybersecurity training, organizations can also offer voluntary deep dives, the completion of which rewards participants with special badges they can proudly display on their intranet profiles. Through such programs, you may well find active allies who can champion cyber resilience among their colleagues and challenge them to become cyber-competent as well. That leads to the cultivation of a security culture.
An amazing communication campaign and training program may create considerable buzz and make people start to try new behaviors, but making sure your people remain conscious and competent is an entirely different matter. Memory tends to fade quickly, and best practices tend to fade with it—unless you invest in long-term change by taking steps to integrate cybersecurity into your organizational culture. Ambassador programs, cyber simulations, and nudging are all effective longitudinal methods to develop a mindset of cyber-vigilance.
A multinational company designed and implemented a long-term program of email-based phishing simulations, combining general campaigns with targeted ones for specific groups of people. They tracked the effect of their cybersecurity programs throughout the organization and identified the users and teams that were especially susceptible to cyberattacks, which helped them allocate resources for raising consciousness and competence where they were needed most.
This integrated effort significantly improved phishing reporting rates and reduced click rates. Once consolidated as an ongoing setup, cybersecurity culture takes root and blooms, helping more and more people get used to good habits and become more vigilant through repeated exercises.
Recurring events, such as festivals, hackathons, and cybersecurity micro-challenges, can be effective as well. However, all your programs must be part of a long-term and integrated framework to address and elevate the cyber resilience of every area in your organization. Only through the routinization and normalization of cyber-secure behavior will your resilience see stable improvement. After all, good behaviors take very long to learn—and only a moment of inattention to ‘forget’.
Furthermore, these security values are nothing new. Natural resources and chemical companies have successfully embedded safety as a cultural element in their DNA to reduce the number of safety incidents. They started by focusing on safety, and later extended this to health and the environment. They launch broad campaigns, but with clear targets among high-risk activities in mind first. They measure the results, make them visible, and link them to key performance indicators in order to create more impact on day-to-day behaviors.
Over time, they have cultivated a culture where people are encouraged to speak up or point the risks out to each other, such as on the oil platforms where lives and the planet are at stake. When it comes to cybersecurity, we can certainly draw lessons from them and save lives and livelihoods.
Consciousness, Competence, and Culture are the 3 Cs that help build up and reinforce the 'human firewall' in modern organizations. By developing and deploying consistent programs that are co-created with and tailored to every department, team, and role, you will be able to target each part of your workforce effectively, cementing cyber resilience as a cornerstone of your culture.
If you enjoyed reading about the importance of cybersecurity awareness and behavior, you might like to further your knowledge with our other articles on activating leadership and upgrading your cybersecurity workforce.
The authors wish to give special thanks to Vinu Kumar who helped a lot in making this article as well as to Helen Schedeler and Maurits van Heusden who initiated this series. They also want to thank Channon Tian, Jasper van Gelderen, Koen Putman, Lisa Kuo, and Marshal Luusa for their contribution.