Security Think Tank: In 2023, we need a new way to cultivate better habits
How are those New Year’s resolutions working out for you? With 2023 now well underway, many of your best intentions for the year may have already been adjusted, deferred or abandoned entirely. You’re only human, after all.
It’s often the same with employee cyber security training. At many organisations, staff are required to complete a training course once or twice a year. The content is typically very corporate, and the narration is relatively generic. These sessions will typically cover a lot of ground in a short period, explaining common cyber security risks, presenting corporate policies and highlighting best practices for keeping data and systems safe.
If the session is well-designed, if it’s delivered engagingly, and if employees give it their full attention — and that’s a lot of ‘ifs’ already — then participants may leave with the best of intentions to put their new-found knowledge to use. But soon, the pressures of working life or good old-fashioned forgetfulness kick in, scuppering their resolve. They quickly slip into the same old bad habits, paying less attention as they work fast, trying to do three things at once, consequently becoming more susceptible to social engineering attempts.
That’s why I think that, in 2023, we need to go much further than just periodic online cyber security training if we are going to help our workforce get out in front of the bad guys. We need a newer, better approach.
With this in mind, I recently revisited Atomic Habits by James Clear, a number one New York Times bestseller with 10 million copies sold worldwide. In his book, the author argues that real transformation comes from the compound effect of making regular small changes to behaviour. He calls these ‘atomic habits’.
As a CISO, I see how this approach could work well with corporate cyber security. Of course, periodic training sessions may still have their place, but a culture of cyber awareness can only flourish when employees are encouraged to keep on track and adhere to best practices through regular, timely nudges in the right direction.
So what might this look like? For me, it’s about embedding security reminders, alerts and training into day-to-day work activities. After all, when you use Google Docs or Microsoft Word, you get content suggestions as well as spelling and grammar prompts. When you use email, you are alerted to messages that may be spam or contain suspicious links.
This approach could go much further. Many SaaS products already have such prompts and protections; users may receive a pop-up explaining why they are blocked from completing a particular request or be prompted to confirm their identity with an additional verification method to perform a particular task.
As CISOs, we should hold our key software vendors accountable for embedding this capability into their products. At the same time, we should ensure that applications and services built in-house offer similar levels of protection and employee education.
At the same time, we need to up our game when it comes to incident monitoring so that security events, however small, become learning opportunities for employees. For example, we should be able to detect risky behaviours, such as uploading sensitive files to unauthorised devices, connecting to unsecured Wi-Fi networks, or using unsanctioned cloud applications for storing corporate documents. In each situation, our approach should alert the employee to their actions and help them understand their behaviour’s risks: ‘This is why what you’re doing is unsafe, and this is how you should proceed instead.’
And with the proper analysis and reporting approaches, we can also use data on careless or accidental behaviours to assess the effectiveness of our security controls, identify areas for improvement and embed new learning opportunities at the optimum points of any workflow to keep employees on track.
The elegance of this approach is that it has the potential to target undesirable habits and correct them before any real damage gets done. It keeps the need for cyber awareness fresh in employees’ minds in a way that periodic learning does not. And reminders could be targeted at the employees who need them the most, delivering adjustments and reminders when bad habits are observed and continuing to do so until their behaviour changes.
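To make the monitoring-and-nudge loop of the last three paragraphs concrete, here is a small added example (written for this piece, not taken from any product or vendor the author mentions) that runs simple detection rules over constructed activity events, issues a "why this is unsafe, do this instead" nudge that gets firmer on repeat behaviour, and tallies nudges per rule so the data can feed back into assessing controls. The event format, rule names and advice wording are all assumptions.

```python
from collections import Counter
# Constructed sample activity events (not real telemetry): "user action key=value ...".
SAMPLE_EVENTS = [
    "alice upload_file label=confidential dest=usb:removable-drive",
    "bob wifi_connect ssid=CoffeeShopFree security=open",
    "alice cloud_upload app=personal-dropbox label=internal",
    "carol cloud_upload app=corp-sharepoint label=internal",
    "alice upload_file label=confidential dest=usb:removable-drive",
]
# Each rule: (name, predicate over a parsed event, why it is unsafe + what to do instead).
RULES = [
    ("sensitive-to-removable-media",
     lambda e: e["action"] == "upload_file" and e.get("label") == "confidential"
     and e.get("dest", "").startswith("usb:"),
     "Copying confidential files to removable media bypasses encryption and access logging; "
     "share the document through the managed collaboration platform instead."),
    ("open-wifi",
     lambda e: e["action"] == "wifi_connect" and e.get("security") == "open",
     "Open Wi-Fi lets anyone nearby observe or tamper with your traffic; "
     "connect through the corporate VPN before using company systems."),
    ("unsanctioned-cloud-app",
     lambda e: e["action"] == "cloud_upload" and e.get("app", "").startswith("personal-"),
     "Personal cloud apps sit outside corporate backup, retention and access controls; "
     "store the file in the approved collaboration platform instead."),
]

def parse_event(line):
    """Parse 'user action key=value ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    return {"user": parts[0], "action": parts[1],
            **dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)}

def nudge_events(lines):
    """Return one coaching nudge per risky event; repeat offences get firmer wording."""
    seen = Counter()  # (user, rule) -> how many times this user has triggered the rule
    nudges = []
    for event in filter(None, map(parse_event, lines)):
        for name, matches, advice in RULES:
            if matches(event):
                seen[event["user"], name] += 1
                count = seen[event["user"], name]
                prefix = "Reminder" if count == 1 else f"Repeat ({count}x)"
                nudges.append({"user": event["user"], "rule": name, "message": f"{prefix}: {advice}"})
    return nudges

def rule_counts(nudges):
    """Nudges per rule: a rule that keeps firing across users points at a control to strengthen."""
    return dict(Counter(n["rule"] for n in nudges))
```

Running `nudge_events(SAMPLE_EVENTS)` yields four nudges (the sanctioned SharePoint upload produces none), with alice's second removable-media copy worded as a repeat.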
It’s a big step up from periodically delivering the basics to employees, many of whom may already be up to speed on the information being delivered. Other employees may be able to achieve a basic level of knowledge through these sessions — but the chances are that they won’t be able to maintain it.
Regular small nudges in the right direction are a better way to set the right tone when it comes to cyber awareness: security best practices are not a burden intended to slow work down but are part of each employee’s responsibility to keep organisational data and systems safe.