Stop saying employees are the weakest link in cybersecurity – The Next Web

There are a few things we just won't stand for in 2020, but first on the list is the phrase "employees are the weakest link in cyber security." It's a saying that people really should have ditched in 2019.

You can probably guess that, since I'm writing this, unfortunately most people haven't. Online, and even among cyber security professionals, it's still a common line of thinking.

"What's wrong with believing employees are the weak point?", you might ask. Given the ever-increasing frequency of data breaches, with human error often being either a cause or a catalyst in the majority of cases, you'd be forgiven for thinking that employees are naturally at fault.

But they're not, and there are a few logical reasons why.

Firstly, framing the conversation like this doesn't get us anywhere. Are football players to blame when they lose a match? Well, in a way, but the players are also to blame when they win. And even when they do lose, telling them that they're the problem is only going to demoralize them and lead to further losses.


Secondly, if blame has to lie somewhere, it surely lies with the security awareness programs rather than with the employees who rely on those programs to better protect themselves. The reason that human-error breaches continue to occur at such a rate is that, and let's be honest here, security awareness training in its current form just doesn't work.

Training doesn't work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not what necessarily matters. Just because people are aware of cyber risks doesn't mean that, in the real world, they will behave in a more secure way.

To reduce human cyber risk, security awareness training (a rather misleading moniker when you think about it) must go beyond raising awareness. It needs to focus on changing behavior and building a culture of security at the same time. Collectively, you can think of this as ABC: awareness, behavior, culture.

Doing so creates a virtuous circle in which improvements in one area flow into the next. Raising awareness lays the foundation for changes in behavior. Secure behaviors nurture a culture of security. And, completing the circle, a culture of security advances awareness.

How do businesses improve behavior and, in turn, begin to develop a positive culture? While there's no short answer, the first step for any business new to the principle of ABC is to try to understand the origins of undesirable behavior. One of the most useful questions to tackle early on is, "Why are my people not complying with security policies?"

When businesses begin to probe why, they tend to find that motivation, or rather the lack of it, is at the root. Staff are failing to take security on board as part of their everyday job: they don't see it as a serious issue; they don't see it as their responsibility; they don't see it as something they have much control over; or a combination of the above.

More often than not, businesses also discover that the relationship between security and staff has become strained. In extreme cases, it's become adversarial. Security is seen as an inconvenience, an annoyance, something that exists just to get in the way.

Businesses will likely need to address both before significant improvements are seen. Making cyber security more personalized and relatable to staff, gamification, bringing leaders on board, and getting employees involved in cyber security conversations will all go some way to boosting motivation. Meanwhile, making security policies and procedures simple, ensuring that doing the right thing is the easiest thing, will help to address the tension between security and staff.

So, if I could ask businesses to adopt two new approaches to cyber security this year, the first would be to leave behind the "weakest link" language. The second, to hopefully avoid a data breach in next year's stocking, would be to pay more attention to behavior and culture.

By treating people as a useful and powerful security asset, and by addressing security awareness, behavior and culture in tandem, businesses can bring about real and tangible reductions in their human cyber risk.

Published March 10, 2020 06:00 UTC
