Cyber-Risk Audits Reveal Companies’ Biggest Vulnerability Is Their People
By Peter Schablik
As the spate of cybersecurity breaches garners greater attention, organizations have made enormous strides in curbing such incidents.
Driven by Board liability, the need to monitor third-party vendor risk, the requirement to obtain and maintain cyber insurance, and GDPR and SOC 2 certification, companies have stepped up to ensure cybersecurity. But, in spite of these steps, companies are still failing risk audits to an alarming degree. Statistics show that in most instances, people are at the root of the problem. To address it, companies must conduct risk audits that assess their “people” risk.
Cybersecurity failure points to people
How massive is the people factor? In a report issued by Verizon, a survey of close to 41,000 security incidents showed more than 2,000 breaches, all of which were people-related, with email being the most prevalent point of entry. The statistics are astounding: 52% of the breaches featured hacking, 33% involved social attacks, 32% involved phishing, and 28% used malware. But most significant is that 28% of all breaches could be traced directly to company insiders.
How can this be? One reason is that companies often take a silo approach, assigning the cybersecurity function to a particular group or team, rather than building it into corporate policy, with action driven and modeled by those at the top of the organization. Another cause is that companies make the digital transformation process a top priority, ignoring the cybersecurity threat until after system upgrades are complete, which leaves the door open for people-related problems to develop. But more important is inadequate cybersecurity training that fails to prepare employees to make the right decisions when an incident occurs.
A two-pronged challenge
The lack of effective cybersecurity training is where companies are faltering most. It’s not for lack of effort. Most organizations (86%) either have or are building a cyber-threat program. Of these, 36% have a program that can respond to insider attacks, and another 50% are creating one.
Despite these impressive statistics, 53% of companies admitted to having cyber-attacks in 2018 (the latest data available). And an even greater number, 90%, still feel exposed. And with good reason.
The average cost of a data breach runs close to $4 million (other estimates are as high as $8 million) and requires nearly a year to identify and resolve. So, something isn’t working: Employees are undergoing training, but they are not learning—they are not cyber prepared.
Companies also struggle with implementation risk. That’s because their internal resources may be stretched. Industry experts assert that it takes two full-time employees (FTEs) to implement a cybersecurity training program properly. CISOs and IT people often make the training decisions, including program curriculum, choice of vendors, and testing metrics. But training may not be their primary focus.
Also, they may be burdened by demands on their time that drain internal resources, so they often default to the easiest choice, such as selecting cute videos, which may not be the most effective training method.
The result: An inadequate training program that gives a false sense of security, leaving companies vulnerable to incidents and broader breaches that carry not only a financial cost, but a reputational one, too.
Traditional versus effective training programs
Learning methods are evolving, but many existing training programs do not address how people learn today. Extensive scientific research shows two things: 1) The essential components of effective training are changing, and 2) Mastering employees’ ability to learn can improve learning outcomes.
Let’s compare the structure of traditional training programs with more effective ones. Traditional programs rely on intuitive methods of learning, which create an illusion of mastery. They are recognizable by their easy techniques, rapid-fire repetition, multiple rereadings, massed practice of a single skill, and rote memorization.
Programs end with a test that requires a passing grade. But they do not work—if they did, security breaches would be a footnote, rather than a massive problem that continues to fester in corporations worldwide.
Counterintuitive learning is different, and that’s why it’s more effective. It derives from recognizing that useful learning depends not only on acquiring knowledge and skills, but also on memory, so that the information can be retrieved when it is needed. It harnesses a host of techniques that are grounded in scientific research.
- Effortful learning is more durable and lasts longer. It is harder, by definition, but the results are worth it. Although many may think intellectual capacity is innate, the brain can be “stretched” to grasp new concepts to enhance learning performance and retention.
- Spaced repetition recalls key ideas at random points, rather than covering topics in serial sequence. Going back over important concepts helps the learner remember them better.
- Interleaving involves mixing multiple topics, rather than employing the building-block approach of thoroughly studying one topic before moving on to the next. Cognitive psychologists credit it with strengthening memory, among other benefits.
- Memory cues serve as mental files of what’s been learned, which allow the learner to recover them, and their associated concepts, when needed. Imagery and rhyme schemes are examples.
- Testing/self-quizzing calibrates the learner’s understanding. It involves pausing to recap key ideas and terms and how they relate to the central concepts, and then securing them in memory.
- Mental models are a “brain app”—mental representations of an external reality that help the learner to reason, solve, and create. They can be skill-based or knowledge-based, and serve as a guide for taking future actions.
- Mnemonics, derived from the Greek word for memory, are a type of memory cue designed to facilitate the recall of a large swath of material. An acronym is one of the more common forms, as are rhyme schemes that associate items in an extensive list.
The path forward
Cybersecurity training remains a top priority for corporate managers, but it’s a moving target: As organizations adopt new techniques to thwart breaches, hackers are always a step or two ahead. Training programs must increase in effectiveness so an organization’s people are adequately prepared to make the right decisions when a security incident occurs.
An effective program accrues bottom-line benefits. Not only can it eliminate the need for additional staffing (savings on salary, employee benefits, and productivity), it can prevent millions of dollars in losses per data breach.
Finally, an effective cybersecurity training program must employ learning methods to drive long-term, permanent behavioral change and teach employees how to adopt new cyber-safe habits. It should start with knowledge assessments, followed by state-of-the-art training methods and interactive training modules grounded in cognitive psychology and scientific principles of learning. Augmented with extensive implementation support over a one-year program, this type of training can turn employees into a human firewall to protect their organization against cyber incidents, threats, and breaches.