Skip to main content

Building the right behaviours - The importance of focusing on behaviour change in cybersecurity awareness training

(Image credit: Pixabay)

This year’s Global Security Research by Telstra suggests the greatest risk to IT security is

human error. It also highlights “awareness and formal training” as a top challenge facing most organisations in the fight against growing cyberattacks.

While businesses now increasingly recognise the strategic risk importance of cybersecurity, there is still a gap according to the FTSE 350 Cyber Governance Health Check 2019:

  • Nearly half lack understanding of the critical assets at risk
  • Only 16 per cent claim the board has a comprehensive understanding of how a cyberattack affects customers, reputation and share price
  • Nearly half haven’t agreed a cyber-risk appetite
  • Only 20 per cent of boards have carried out a cyber-crisis simulation in the past 12 months.

For organisations today, the biggest problem is the sheer scale of cyberattacks and the fact that technology is not a “silver bullet” against our own mistakes. We also all live and work in the new digital age where we live our lives online. This has opened the floodgates for cybercriminals – for example what we’re willing to share via digital platforms makes us, and our employers, even more vulnerable to attack. Therefore, our people really do have a critical role to play in our cyber-resilience.

The priority for organisations is to ensure all our employees know they have a critical role that they need to play in highlighting potential cyberthreats, such as reporting a potentially malicious email and in displaying appropriate behaviours across a range of different risk areas.

However, many organisations are not engaging or collaborating with their staff effectively in giving them the capability and confidence to understand the risks they face and respond in appropriate ways.

A recent study from Centrify confirms this. It revealed that 77 per cent of UK workers admit to never having received any form of cyber-skills training from their employer.

The survey of 2,000 full-time UK workers in professional services also found that over one quarter (27 per cent) of workers use the same password for multiple accounts, including work email and social media, putting both their personal security and that of their company at risk from hackers.

Building the right behaviours

So how can we take our employees with us on our cyber-resilience journeys? Firstly, managers clearly have a responsibility to help their teams develop their know-how and to give them the confidence to discuss cyber-risks openly and to be able to act upon it. Equally, they should be setting the right tone through their own vigilance and resilient behaviours.

This begins by acknowledging mistakes will happen and it’s essential our people are not afraid to share any information that could highlight potential threats or when they believe they’ve done something wrong.

High risk industries understand the importance of this: they encourage a culture in which you report a failure because the implications of not doing can be so huge. 

So, what approach to training and development can organisations adopt to help address the growing cyberthreat? The method that so many continue to rely on typically involves annual, one-off presentations or online training – this may ‘tick the compliance box’ but it will have no impact on behaviours and will not guarantee security.

The business and operational risks are too high to treat cyberawareness training as just another course. Instead, people need to be actively engaged in an ongoing journey to understand what and where the vulnerabilities are and how they can help and be involved in better protecting themselves and the organisations they work for from an attack.

Embedding cyber-resilience capability and culture

Principles developed by the UK’s National Cyber Security Centre (NCSC) that draw on some of the security engagement research produced by Royal Holloway’ Information Security Group (ISG) highlight the need for context when helping staff improve cyber-resilience behaviours. Professor Lizzie Coles-Kemp from the ISG said: “What are the employee stresses, challenges and drivers when using technology? Only when you’ve answered this is it meaningful to embed security measures within that context.”

She added: “In practical terms, this means thinking about contextualising security policies, advice and guidance to ensure people can relate more to the messages delivered. This also builds a much more positive culture based on trust and the benefits of good cybersecurity behaviours.”

In developing and managing GCHQ-certified cyber-awareness training we have acknowledged the NCSC work in applying six core principles that I believe can make it more successful in developing and sustaining behaviour change:

  • Keep it personal: use stories and real-life scenario-based training that give your people information they can relate to and which is of real value both at home and in the workplace.
  • Keep it simple: demystify the complex language of information security by using plain English so that everyone can understand and play their part in adapting and evolving the training that’s provided. 
  • Keep it regular: combine creative offline and online communication techniques to reinforce correct behaviours and memory retention – short and engaging online refreshers and reminders, offline surveys, competitions and discussion forums all help to underpin a secure culture.
  • Keep it relevant: align your training with your employees’ jobs and daily tasks as much as you can to make it as relevant as possible and use diagnostic tests to identify common gaps in understanding across your workforce while not forcing individuals to take training they don’t need to.
  • Keep it immersive: use maturing techniques like gamification and other immersive training that build engagement, creativity and confidence in your people.
  • Finally, and most importantly, keep listening and talking with your employees – they will be your best advisers, telling you what works and what doesn’t work for them. The success of your cyber-awareness training will depend on your collaboration with your own people.

Maturing cyber-resilience for the long term

Like driving a car, people need to develop an “unconscious competence” where the right behaviours become natural. In turn, management needs to be accountable for this by continually reviewing the level of cyber-resilience and digital skills across their workforce and increasingly across their wider critical supplier ecosystem.

Ultimately, this is about effective risk management and recognising that treating cyber-risk preparedness as “job done” is not possible. Cybercriminals are constantly changing their tactics. The mature organisations are maintaining an ongoing vigilance; building the skills to ensure that people become their greatest defence against pervasive cyberattack.

Give your people the freedom and the opportunity and they will give you new ideas and techniques that will help you move beyond simple awareness to getting real advocacy and behaviour change.

Nick Wilding, General Manager of Cyber Resilience, AXELOS

Nick Wilding
Nick is General Manager, Cyber Resilience at AXELOS Global Best Practice. He has been working at the sharp end of cyber security since 2003 and is a regular speaker on the subject internationally and on UK television and radio. Nick welcomes discussions with organisations about improving their employees’ cyber resilience behaviours.