Cybersecurity failures can happen to any company and anyone. But tactics that fight human nature increase the chances of failure. The best defense strategies meet employees where they are, measure outcomes, and update accordingly.
For beleaguered IT and security leaders, there’s some comfort in knowing that even the biggest and best companies fall prey to various hacking and data security attacks. But it’s a very fleeting sense of comfort that quickly fades to uncertainty. Microsoft, Facebook, LinkedIn, Twitter are just a few of the many companies impacted by significant security breaches. If it can happen to them, it can happen to any organization.
Every breach has a root cause. And despite the significant investments made in security-related technologies to prevent breaches, the root cause is less likely to be lack of such systems than it is to be people-related. People represent the greatest risk to data security for any organization—employees to be more precise.
And because employees represent up to 85% of data breach risk, it’s critically important for us all to understand how to work with—not against—human nature to build a strong security culture.
The core question then becomes: what are you doing to equip your employees to be effective agents from a security standpoint?
Putting a Focus on Human Nature
Here’s the thing – and it’s a point I emphasize every time I make a presentation or work with a security leader: If you try to work against human nature, you will fail. We humans are wired in very specific ways. And part of that wiring makes us averse to doing things that we feel are difficult, or awkward, or that require change.
Just giving people good security tools isn’t the answer. I’m sure that each of the companies mentioned earlier all gave their employees plenty of good security information. They were still breached.
Human behavior matters. Organizations need to understand how they can leverage some simple principles of human nature to help employees to habitually understand, care about and practice good security hygiene.
If your goal is to change the hearts, minds, beliefs, instincts, and behaviors of employees to join voluntarily in your efforts to protect your data and systems (and we’re sure it is), then you need to think broadly and incorporate practices from fields proven to impact human behavior: practices in the fields of marketing, public relations, communication theory, behavior, desire, culture management, and more.
Gain Clarity Around the Behaviors You Want to Encourage or Discourage
Changing human nature requires an absolutely clear understanding of exactly what behaviors you wish to change. Simply saying that you want to “build a strong security culture” won’t cut it. It doesn’t provide the clarity needed to help you begin to change actual behaviors. Instead, get clear on the exact behaviors you want people to do. Start by asking questions like these:
- What precise behaviors, if adopted, would provide the most security benefits for your organization?
- Is this a group of behaviors, or is this a single behavior?
- Is this a behavior that you have the appetite to take on right now?
- Is this a behavior that can be modeled and rewarded when observed?
Once you have clarity around the behaviors you wish to change, you need to think about whose behavior you wish to change and then take steps to understand these people so you can get the right message to the right person at the right time.
Get the Right Message to the Right Person at the Right Time
Everyone in your organization doesn’t need to receive the same messages at the same time. And yet, that’s what we tend to do when we communicate about security (and other) issues. We create an organization-wide memo, training session or policy and send it out to everyone. And then we consider our job done. Far from it.
Effective communication – communication that will actually impact human behavior – requires us to segment our audience, understand each of these segments (often accomplished through the creation of personas) and identify the appropriate communication channels for each of those segments.
Security awareness isn’t a one and done event; at least it shouldn’t be. Effective security awareness needs to be an ongoing campaign. Yet far too many organizations take an event approach to communicating about security awareness. They do it once or twice a year. But human nature isn’t impacted by once- or twice-a-year messages. Opinions and behaviors are swayed by hearing information over and over again, in different ways. Your marketing colleagues will attest to that; in fact, they can be a great source of support for helping you understand your audience segments and creating campaigns that will resonate with them.
Track and Measure Results
Just as security awareness communication needs to be ongoing to achieve desired results, so does monitoring and measuring the impacts of communication. You will want to understand to what extent your target audiences are exposed to your messaging; to what extent they are engaged with your messaging; and to what extent they are influenced by your messaging to do (or not do) whatever it is you’re asking of them.
Effective security communication isn’t an event, it’s a process. That process needs to be repeated over and over again, with new iterations informed by the results you’re monitoring.
Again, these five steps are the broad strokes – the tip of the iceberg – when it comes to changing human behavior and shaping culture. But these broad steps should give you an idea of the framework within which you will develop and implement specific strategies and tactics, based on a solid understanding of human nature, to effect change over time.
Stop thinking that the technology fixes you have in place to protect your data systems are enough. They’re not. Just ask Microsoft, Facebook, LinkedIn, Twitter.
You need to put ‘people fixes’ in place if you want to build and maintain a strong security culture.