Change of Employee Security Behavior goes beyond awareness
Humans have been identified as the weakest link in the information security chain.
Employees make mistakes due to inherent human characteristics such as malice, envy, defiance, and carelessness. Some of these errors can lead to catastrophic consequences for sensitive data and the organization’s network infrastructure, and they are the cause of numerous security incidents in organizations.
With work pressure and many unfinished tasks, persuading employees to take the organization’s security seriously is no easy task. Behavior change calls for training and for going beyond the call of duty, something few employees are willing to do. It is no wonder that nobody cares. Take the example of convincing employees in other departments to prioritize information security tasks that they consider none of their business. Additionally, existing security awareness training programs are sporadic, irrelevant, and simply uninteresting, killing any seriousness that should have been obtained.
To improve information security in an organization, more than simple awareness is required to change employee security behavior effectively. An effective behavioral change program demands that you carry out an audit of existing practices. The problem areas identified in that audit then inform the design of the program. Simple information security awareness is not the answer, nor will it sustain behavior change. That means organizations must design and develop robust, human-centered security programs to address and reduce the number of incidents associated with poor employee security behavior. The motive is to positively influence employee behavior rather than to keep playing catch-up or always reacting to incidents. The increase in remote working due to the COVID-19 pandemic has brought to the attention of cybersecurity professionals the need to strengthen security measures and reinforce security behavior.
These are the critical elements that security teams must look into before influencing behavior:
- Seek to understand the critical factors that influence the security choices made by employees.
- Design and deliver impactful security education, security awareness training, and overall security awareness.
- Design and develop systems, applications, processes, and the physical environment in ways that account for user behavior.
- Develop metrics to help to measure behavior change and to show the return on investment (ROI).
Employee acts of negligence and errors may bring about significant financial and reputational damage to the organization. The human element has been associated with data breaches and security incidents. Examples of employee security behavior include how employees handle their passwords, how they interact with organizational data, and how they use network resources. User awareness of the laid-down information security policies and greater policy visibility encourage compliance with security policies. Security must remain at the forefront of every employee’s mind so that it promotes security-conscious behavior.
Information security awareness refers to employees’ overall knowledge and understanding of potential information security-related issues and their ramifications, and what needs to be done to deal with security-related issues. The creation of human-centered security awareness programs will prove to be the tipping point in ensuring top-notch security for your organization’s networks and data. A good security education program acts as a deterrent, but it must be ongoing for effective deterrence.
Having security-aware employees means that they are well-versed in the organization’s security rules and practices, in their responsibilities, and in the consequences of abusing the access they have been given.
Significant consequences include reputational damage, financial losses, and total disruption of business operations. It has been found that when employees understand the purpose of organizational security requirements, they tend to follow existing security rules. The ultimate goal of security education and awareness is to empower users to make the right decisions through regular reminders of the guidelines on acceptable use of information systems and the potential outcomes if users fail to follow them. These programs are based on understanding people and designing initiatives that promote behavior change and reduce the number of security incidents associated with human error or negligence.
The ideal program helps to build synergy between departments so that the prevailing state of security behavior is fully understood. The organization will then be more willing to allocate investment to address the identified risks. Large organizations may face challenges before an awareness program goes out to the employees, since it must get other departments’ approvals, such as corporate communications and human resources. Problems arise where these departments hold veto power over the IT security team.
Security teams must be empowered enough to run their programs while remaining responsible and accountable. Otherwise, good intentions are shot down or watered down to the point that nothing can be done to improve the security situation. Sadly, the departments shooting down good ideas carry no responsibility for securing data and networks in the organization.
The information security awareness training program should follow the concept of microlearning. If you want to succeed in effecting behavior change in the organization, provide employees with frequent, short, and focused training. Microlearning will not be effective at sustaining behavior change if the content is not helpful: the content of the program must be relevant, impactful, and timely.
The benefit of these short but frequent training sessions is that employees have little opportunity to forget or dismiss anything about information security. Furthermore, you will not overwhelm them with too much material in a single session. Achieving this balance means you have won a significant part of the battle to bring every employee on board and secure the organization’s data and network. Getting all employees to think about information security will help eliminate or drastically reduce glaring mistakes.
Lastly, the organization must provide the support and resources required to foster secure employee behavior. You will see positive results if all the training is backed with the tools needed to do the job. What sets secure organizations apart is following through rather than just talking. Make it easy for all employees to put into action the security awareness training they have received, and you will see the results.
Follow on LinkedIn: Alessandro Civati
Originally published at https://lutinx.com/ on December 27, 2020.