How to encourage effective cybersecurity behaviour changes in the workplace

Behaviour change in cybersecurity is paramount to building a strong security culture in any organisation. It cannot be seen as a one and done project to be truly effective, as continued and targeted behavioural training and development produces the best results. 

When employees are only given infrequent training, once or twice a year, you are dumping a lot of technical information on them regarding cybersecurity threats. This is proven to be ineffective as without frequent practice, employees will not retain how to deal with a potential breach or attack.  

Behaviour change, when used in conjunction with training, is a proven way to minimise employee cyber risks whilst also refreshing and fortifying the strength of your organisation’s overall security. It is fine being a compliant organisation, but without true behaviour change, are you truly strengthening your security practices? 

Introduction: how behaviour change is different to increasing awareness 

Behaviour change refers to the development and transformation of human behaviour. Human behaviour is made of conscious and subconscious, as well as voluntary and involuntary actions. If you can get a hold of behaviour and mould it to your specifications, you can transform your security culture.  

So, how do you encourage behaviour change? Running and maintaining frequent threat-related tests/activities, such as phishing games, gives users hands-on experience with cyber threats and gives them a practical chance to spot dangers and report them. Often, organisations do not put enough stock in the human aspect of cybersecurity even as we see an increase in social engineering attacks, which are becoming increasingly sophisticated. 

When you install an employee-first cybersecurity training program, you not only change people’s behaviours, you also minimise the risk to your company. If you just focus on awareness training, you are not creating new habits. You are dumping information that you hope your employees will engage with and retain. When paired with practical training and efforts to change behaviour you can decrease the risk of human error.  

Today, we will be looking at why behaviour change should be at the top of every organisation’s security agenda and how one can apply different tools, programs, and tactics to encourage effective cybersecurity behaviour change.  

What can behaviour change do for your employees? 

Behaviour change provides employees with the knowledge, skills, and practice to do the right thing in the case of an attack or breach … effectively. If you have supplied training, employees may know the rules but not action them. By changing their security behaviours, you change the way they will act in that moment to better fit safer practices.  

With behavioural change, you can cut out skill-based errors, decision-based errors, and knowledge-based errors all in one go. Employees represent the biggest possible attack surface for your organisation. So, the more employees you have, the bigger your risk potential is. If every single employee is not getting frequent practical training, it only takes one underdeveloped individual to pose a massive vulnerability for your organisation.  

Subscribing to employee-focused training, which uses behaviour science and activities to teach people about social engineering attacks is a proven way to reduce risk. It is also a great way to measure the progress of development in an organisation to see if any gaps in security remain. You can then feed this back into developing your security program moving forward – because cybersecurity awareness is ongoing and needs to be frequent.  

Stop social engineering attacks with behaviour change 

No matter how engaging and comprehensive your security training may be, people still make errors and fall victim to phishing if their core behaviours have not changed. Social engineering attacks are getting craftier, using fear or the guise of a trusted authority figure to trick employees into a breach. 

Without behavioural change and frequent social engineering attack updates and refresher courses/tools, people will move security behaviours into subconscious activity, opening the possibility of a mistake or error. That is why we need to not only teach employees how to spot online dangers but keep these protocols always frequent and accessible. We want employees to make conscious and informed decisions rather than incorrect subconscious ones. 

How does behaviour change start? 

The first move in any behaviour change program is to understand an organisation’s employees; how do they behave? What do they consider important? What learning do they digest? And what motivates them? TSC’s SABR (Security Awareness and Behaviour Research) tool uses a comprehensive questionnaire to assess all the above in an organisation’s security culture and more. SABR can assess the strength of a cohort’s security awareness, if there are any potential gaps and how best to plug those gaps. 

What tactics do you need to incorporate into your behaviour change program? 

There is no one universal way to incite behaviour change in an organisation as each organisation is different, from industry-type to employee structure. However, there are tactics that should be present in all behaviour change programs. We will run through some below: 

1. Authority: Employees are far more likely to retain information and hold it in high regard if it is coming from an authority figure or from a proven security professional. How are you delivering your security messages? 

2. Incentivisation: Everyone loves an incentive! Yes, the goal of behaviour change is to protect organisational data but to get employees invested in this goal, you could opt for personal incentives.  

3. Championing: Another ideal/tactic to install is security champions. If you build a culture in which right and proper security practices are continuously rewarded and lauded, you constantly encourage every employee to act in a socially acceptable manner.  

4. Targeting: Sometimes organisations find it difficult to incite behaviour change because they are using just one method of training. Every single individual learns and retains information differently. Whether this be because of personality, age, or demographic, you must consider a holistic program to cover all bases. 

5. Commitment: If your security program is built on guidance and a hands-off approach, you should not be surprised if a breach occurs. When employees promise to do something, they will do it! Getting employees to commit is a big aspect of behaviour change.  

These five fundamentals need to be considered for every behaviour change program as they not only ensure information is taken seriously (authority and incentivisation), they also put the ownness on the employees (championing, targeting and commitment) – which means they must take security measures seriously. 

What does a behaviour change program look like? 

At TSC we assess each organisation’s security culture individually and, as a result, address deficiencies specifically. However, there are fundamentals when putting together a behaviour change program.  

1. Identify Risks: Using questionnaires, interviews, workshops, and other consultancy practices, we need to identify the biggest cyber security risks to an organisation. For example, in this stage, you may find that ‘phishing,’ ‘ransomware’ or ‘password security’ is the biggest threat to your security. 

2. Identify risky behaviours: Once you have pinpointed the risks, you need to map out the behaviours that are causing them. If your risk is ‘password security,’ the risky behaviours causing weak password culture may be ‘lax password management’ or ‘writing down passwords physically.’ 

3. Measure security behaviours: You can then measure the behaviours and log users/departments that are causing them. You can use simulations, audits, or team activities to see what the current behaviour level is. This will then help you identify the behaviours you need to train out.  

4. Track and Refresh: As mentioned above, behaviour change is ongoing. You need to now track security behaviours, keep an eye on repeat offenders and update your training to reflect the risky behaviours you are now seeing.  

Conclusion 

When you build your security culture around improving overall behaviour, you are elevating yourself above simply raising awareness. With behaviour change, you are reducing risk through a continuous and engaging process. This is because by reflecting on actions and employee nature, you can design a better and constantly relevant security program.  

Building cybersecurity awareness, especially in relation to new and emerging threats, is the backbone of TSC’s offering. No matter the attack service or platform, TSC’s service will ensure your employees are aware and knowledgeable of the threats they will come across.

If you would like more information about how The Security Company can support you to minimise the risks your organisation is facing, please contact Jenny Mandley.