When we sift through all the complexity and noise that cybersecurity has become, one metric sits ominously high. Human error is a primary cause of somewhere between 85% and 95% of all breaches.
Traditionally, security teams handle this by building little cages of technological controls and restrictions around our colleagues to keep them safe and prevent them from causing any damage. Yet, time and time again, they find a way to chew through their cages in order to redeem that sweet, sweet JB-HI-FI gift certificate—or fall prey to a more sophisticated form of social engineering.
So while the controls are helping, they're not completely solving the problem, and the smartest of wizards will soon look to combine their defences with security awareness programs that equip their people with the knowledge required not to touch the fire. We do this out of pure diligence and never just for a compliance tick box, right?
Yes! Let's teach our people that their gift certificate may just be too good to be true, that 123456 is not a great password, and that any USBs found in the bathroom are best handed to the IT team rather than plugging it into the nearest laptop and hoping for something exciting to happen.
But why is the best approach to have them watch 10-minute videos of gimmicky cartoons or have a dry corporate voice actor explain the basics of cybersecurity to them? Let’s be honest, who among you doesn’t mute the video, go back to work—or YouTube—until the video ends, and then guess your way through the multiple-choice quiz?
Don’t worry, we’re not judging. It’s a method of training that doesn’t work for most people. There’s a better way to engage and educate. We can make security a natural part of everyday business and not an additional chore you have to worry about.
So, to break it down:
- Human error is the number one cause of breaches.
- Awareness training is often a repetitive, dull, and uninteresting chore to pile onto our existing workloads.
- After initial results, awareness training has diminishing returns—this is further compounded by long gaps between campaigns.
Let’s get serious, level up our security awareness, and allow it to evolve into a beautiful security culture. Our mission must be to build a healthy and sustainable cult of security throughout the business, with the long-term vision to have security become second nature for everyone. Here’s how you can take your soggy old Weetabix of a phishing awareness campaign and turn it into something magical.
Rather than throwing prescriptive training at the wall, we first need to make sure that the content is relevant and engaging.
- For years, the team behind Kinsek has championed gamification as an excellent method of making learning something exciting and fun. It comes with the added bonus of providing incentives and positive reinforcement for engaging. Use it.
- Training needs to be succinct and bite-sized. Don’t bore or overload with information.
- Education needs to be tailored to the audience. Not everyone learns at the same pace.
Consistency is key
- There are interesting studies and hypotheses such as the Ebbinghaus Forgetting Curve—which ironically, I always forget—that deduce that if you give someone educational information and they don’t apply it, their memory of the information fades rapidly. Anyone can attest to the concept of continuous practice over time leading to better results.
- Small nudges are powerful—2 minutes a day is more effective than 2 hours a month or 20 hours a year.
- Ongoing effort is optimal, preferable, and has significantly higher efficacy than once-a-year initiatives or projects.
Empower and encourage
- Use positive reinforcement. The carrot is much more effective than the stick—adding additional stress and fear to the learning experience doesn’t help anyone.
- Make it hassle-free and safe for employees to report suspicious activity or phishing attempts. Even if they’ve already done something they shouldn’t have.
- Blend security and business together. As with the small nudges, security and business should be seen, discussed, and thought of as one. Do this by integrating the two in everyday business as usual. An example would be including a 5-minute “Hey, here’s the phishing campaigns we’re seeing come in, so just be careful” in your weekly sales or finance standups and meetings.
Security awareness levels up to become cultural and behavioural change
- It’s a journey to build a strong security culture within an organisation. As with any change, this takes time and continuous effort, but the payoff is massive.
- Don’t sacrifice long-term results and goals for short-term initiatives.
- Make sure you have visibility and can measure this journey, just like your personal trainer will tell you to write down how many reps or what weight you’ve done so you can see the gradual improvement week by week.
Whatever you do, it has to be a combination of People, Process, and Technology. For the Technology element, it’s hard to find tools that can tick all the above without becoming overly burdensome. Our secret? We’ve partnered with Hoxhunt.
- Gamification is built-in and can include leaderboards, achievements, and a ranking system that motivates and engages.
- AI automatically individualizes content based on risk, experience, and relevance.
- Training is fast, clean, and rewarding. Nobody is forced to watch 5-minute videos filled with awful jokes and boring lectures.
- Campaigns can be automated to continuously run simulations that are constantly changing, tailored, and updated without security teams needing to do everything manually.
- Reports are smarter than ever, allowing us to manage risk, measure improvements, and communicate results in terms anyone can understand.
- And, at last, a damn appealing, modern, and clean interface that's wonderfully intuitive, making it easy and enjoyable for everyone to use. Brilliant UI/UX is often undervalued in corporate technology but couldn't be more relevant when you’re hoping to engage and educate.
Whatever tool you decide to use and whoever you task with pulling it together, done the right way, an effective security culture takes the pressure off your analysts and engineers who are already overworked, stretched thin, and losing hair.
But if you’d like us to take care of it for you, we're proud to announce that we can. We believe so strongly in what a security culture and behaviour program powered by Hoxhunt can do that we’ve gone and brought them all the way from Finland to Australia as their first in-region partner.
Together, Kinsek and Hoxhunt are leading the charge in helping Australian organisations manage their human risk and foster an incredible security culture that empowers their people and crafts smart, effective, and simple cyber resilience.
About the author
Samuel Tucker is an Australian-based Cybersecurity Advisor committed to helping organisations create security culture, uplift awareness, and build smart resilience. Samuel is the Managing Director of Kinsek, Hoxhunt’s first partner in Australia.
About Kinsek
Kinsek was founded with a clear mission: to help businesses navigate the complex world of cybersecurity. They understand that cyber threats are constantly evolving, and organisations need a partner they can trust to help them stay ahead of the game. At Kinsek, the belief is that cyber security should be accessible and achievable for all businesses, no matter the industry or size. As a cybersecurity advisory service, the company specialises in helping organisations implement industry-leading cyber security practices. Their approach focuses on security culture, people and process. They aim to empower clients to create effective cybersecurity strategies that propagate a culture of resilience.