- Behaviour change
In today’s article we will run through:
The interconnectedness of business networks has created a vast attack surface that cybercriminals can exploit to gain access to sensitive information, steal intellectual property and disrupt business operations.
Organisations' adoption of technologies such as smartphones, cloud applications and IoT (Internet of Things) devices has expanded that attack surface and the opportunities open to threat actors. In the modern age, every employee is a potential weak point that an attacker could target.
The technical skill required to be a threat actor has decreased, as malware and ransomware tools have become commoditised and are sold as a service on black-market channels and the dark web. Furthermore, with AI-based tools making it easier to churn out targeted, visually legitimate phishing campaigns, we are seeing a sharp increase in the rate of cybercrime across all sectors.
All of these factors combined are lowering the barriers to entry for cybercriminals and increasing the potential pay-off. As a result, it is not surprising that breaches make daily headlines and that the scale of these attacks keeps growing.
The responsibility for ensuring that a business is protected from cyber-attacks ultimately falls on its C-level executives.
The damage caused by cyber-attacks to businesses can be severe, both economically and in terms of reputation. IBM's 'Cost of a Data Breach Report 2022' found that the cost of a breach has reached an all-time high, with an average cost of $4.35 million in 2022, a 2.6% increase on 2021. To put that into perspective, the average cost of a breach has climbed 12.7% from $3.86 million in 2020. These costs include lost productivity, remediation, legal fees and reputational damage. The report also found that 83% of organisations had suffered more than one breach.
The reputational damage caused by a cyber-attack can be even more severe than the economic damage. Customers are becoming increasingly aware of the risks associated with data breaches, and businesses that are seen as not taking cybersecurity seriously risk losing their customers' trust. A recent Forbes Insight report found that 46% of organisations had suffered reputational damage because of a data breach and 19% of organisations suffered reputation and brand damage because of a third-party security breach. Additionally, Ponemon Institute’s "The Aftermath of a Mega Data Breach: Consumer Sentiment," revealed that data breaches are up there with poor customer service and environmental disasters in terms of impacting brand reputation for consumers.
After Target suffered a massive breach in 2013, Varonis ran a six-year study of Target's consumer perception. They found that Target's consumer perception took a 54.6% dip in the year following the breach. Through external brand-loyalty initiatives and a major focus on internal cybersecurity campaigns, Target has since managed to rebuild its reputation, but not before suffering significant disruption and financial loss.
Customers are also acutely aware of organisations that try to mask the ramifications of a cyber breach by passing the buck through increased prices. Unfortunately, IBM’s report also reveals that 60% of organisations’ breaches led to increases in prices passed on to customers.
The concept of liability for breaches has changed. Following the Target breach, both the CIO and the CEO left the company, with the security incident appearing to have been a contributing factor. Since the breach, the retailer has also faced a Congressional investigation and lawsuits from financial institutions, seen its share price dip, and failed to meet its revenue expectations.
Board members and C-level executives are responsible for overseeing the protection of their organisations from cyber threats. The public views them as digital stewards and holds them accountable for any cyber-attacks that occur. Businesses that fail to protect themselves from cyber-attacks risk losing the trust of their customers, investors and other stakeholders.
The Target breach demonstrated that being breached is not just a security risk, it is a risk to the business, and it needs to be taken seriously at the executive level.
Many businesses focus solely on being compliant with cybersecurity regulations, but compliance alone does not guarantee protection from cyber-attacks. Regulations such as GDPR and HIPAA set minimum standards for cybersecurity, but the key word here is 'minimum'. Businesses need to go beyond these standards to ensure they are adequately protected.
On top of this, official regulations and policies can be painfully slow to update, and it can take time before they accurately reflect the threat landscape. An organisation that takes an active approach to its security culture is no longer dependent on official guidance and protocols alone.
CSO Online, cited here by Varonis, revealed that for 66% of companies, compliance mandates drive spending. This approach to cybersecurity is blinkered and can leave businesses vulnerable to cyber attacks that fall outside the scope of compliance frameworks. Businesses need to focus on implementing up-to-date policies and training programs to protect themselves from cyber attacks. Policies such as password management, access control, and incident response plans need to be regularly reviewed and updated to ensure they remain effective. Employees also need to be trained regularly on cybersecurity best practices to reduce the risk of human error.
Cybersecurity should be a mainstream concern for all employees within an organisation, not just the IT department. Businesses need to ensure that cybersecurity is integrated into all areas of the organisation, from HR to finance to marketing to on-premises security. This includes training employees on cybersecurity best practices, implementing cybersecurity policies and procedures, and regularly reviewing and updating these policies to ensure they remain effective.
Cybersecurity and employee security behaviours should also be a consideration when developing new work products or services. Businesses need to ensure that cybersecurity and behaviour concerns are built in from the start, rather than being an afterthought.
Shaping employee cybersecurity behaviour through training and controls is a vital component of minimising business risk. Employees are the targets of social engineering, phishing emails and ransomware attacks, and some become insider threats themselves.
According to Ponemon's '2022 Cost of Insider Threats: Global Report', insider threat incidents have risen 44% over the past two years, with the cost per incident up more than a third to $15.38 million. Comparitech reports worrying figures: 14% of workers in the UK do not lock their smartphones despite holding personal and professional data on them, 50% of workers share access to an employer-issued device with family and friends, and in a sample of 868 hacking-related breaches, 80% involved weak or poorly protected passwords. These statistics highlight the importance of ensuring that all employees are aware of cybersecurity risks and know how to protect themselves and the organisation.
Training employees on cybersecurity best practices such as strong passwords, identifying phishing emails and reporting security incidents can help prevent cyber threats from penetrating an organisation's network. Additionally, organisations should run security awareness programmes that educate employees about the importance of cybersecurity and the risks associated with cyber threats. Training and awareness materials should be tailored to the individual in both tone and focus for maximum engagement and impact. For example, your front-of-house reception staff may need material on physical premises security, whilst your marketers need a GDPR focus. Remember that employees all learn differently; for more on this, see '26 and under: How do you engage them in cybersecurity training?' and 'Are you considering Gen Z?'.
Businesses can also use technology to constrain employee cybersecurity behaviours, for example by implementing multi-factor authentication, email filters and web filters. Multi-factor authentication limits what an attacker gains from a phished password, and mail and web filters reduce how many lures reach staff, but none of these stops an employee acting on a convincing request that gets through. Technology should therefore not be relied on alone to control employee cybersecurity behaviours.
When all employees are aware of cybersecurity risks and know how to protect themselves and the organisation, the business is better protected against cyber-attacks. C-level executives can lead by example and demonstrate their commitment to cybersecurity by attending training sessions and promoting cybersecurity best practices within the organisation.
Businesses need to expand their cybersecurity focus beyond just technology and place the business, and risks to it, at the centre of its decision making. Cybersecurity is not just an IT issue, but a business issue that needs to be considered in all areas of the organisation.
In conclusion, cybersecurity, employee behaviour, and security culture are C-level executive issues because they can influence business risk levels. Cyber-attacks can cause severe economic and reputational damage to businesses, and board members are held accountable for any breaches that occur.
Social Learning Theory suggests that individuals learn by observing the behaviour of others. C-level executives can therefore promote positive security behaviours by setting an example at leadership level.
The Theory of Planned Behaviour suggests that attitudes, subjective norms and perceived behavioural control together shape workplace behaviour. Organisations can therefore promote positive security behaviours by communicating the importance of cybersecurity, setting clear expectations and providing employees with the necessary resources.
No organisation can be fully resistant to cyber-attack, but if C-level executives and every employee in your company work to ensure that secure behaviours are followed, and that cybersecurity protocols and responses go beyond baseline compliance, your organisation can significantly reduce its business risk.
If you would like more information about how The Security Company can help you to engage board members and C-suite executives with cyber security ... or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023