Cyber attacks are on the rise as threat actors use increasingly sophisticated means of infiltration.
There is growing recognition that human behaviour needs to be addressed to reduce cyber risk.
To be effective, personalised, evidence-based training built on sophisticated metrics is needed.
In the past year cyber attacks caused havoc in healthcare, critical infrastructure, financial services, media IT, transport and supply chains.[1] Indeed, 2020 was one of the worst years on record for cyber attacks around the world and in Australia, and 2021 is not faring much better.[2]
Recent regulatory changes, such as the Security Legislation Amendment (Critical Infrastructure) Bill 2020, aim to increase the obligations on businesses to prepare for and respond to attacks.[3] At the same time, awareness is growing that human behaviour is a crucial component that can either make or break an organisation’s cyber security success, regardless of the sophistication of its planning. In 2020, 85 percent of breaches involved a human element.[4]
As attacks become more sophisticated, a paradigm shift is needed in current risk-reduction techniques and practices. This will mean addressing every source of risk, and one of those sources is your own people.
To be cyber resilient, your organisation needs to use strong, securely maintained digital networks, and encourage individuals to consistently behave in a cyber-secure way. But confronting the human element of cyber-related risk goes beyond raising awareness and ‘point in time’ training, to truly understanding what causes people to behave in various ways and then tailoring actions and initiatives to suit the specific makeup of your business.
This requires an enterprise-wide response, and solutions that can target and nudge the behaviour of each and every individual in your workforce. Along with gaining a deeper understanding of the organisation’s overall cyber culture, you will need to address the behaviours that are enabling successful attacks.
In their recent report, Human Risk in Cybersecurity, SecurityAdvisor outlined how today’s cyber criminals are taking advantage of cognitive biases — the mental shortcuts humans make in decision-making — to perpetrate attacks by manipulating employees’ thoughts and actions.[5]
The top cognitive bias SecurityAdvisor reported in phishing attacks was the Halo Effect, which they estimate makes up 29 percent of all phishing emails analysed. With this bias, criminals take advantage of prior positive impressions by impersonating a trusted entity. For example, by contacting your employees and pretending to be your very own IT team.
These types of attacks are harder to guard against, because employees often think they are being cyber savvy, such as only clicking on emails from people that they think they know.
Traditional efforts to train employees against sophisticated attacks have faced an uphill battle. Awareness alone is not always sufficient in creating a cyber safe culture if underlying perceptions and attitudes conflict with the adoption of cyber safe practices.
Unsurprisingly, many approaches tend to focus on coverage-related metrics such as attendance at training sessions, engagement with cyber information, searches for cyber content or completion rates of training modules.
However, these measures have limited success when it comes to behavioural change and don’t provide enough insight to improve training, operational practices or systems that influence daily decision-making.
To effect behavioural change around cyber, start by taking stock of how your current cyber behaviours and organisational cultural traits are helping or hindering your workforce’s ability to achieve strategic cyber outcomes.
A more holistic view can be gained by using a combination of data gathering techniques.
By utilising a range of methods, such as surveys, focus groups, documentation reviews and data from security tools, you will be able to identify:
Key behavioural drivers (such as favourable or unfavourable employee perceptions regarding cyber capabilities, operating practices, individual behaviours and systems)
Actions that employees take when it comes to cyber (such as data on individuals making risky cyber decisions, drawn from phishing simulators, email filtering, cloud monitoring, data loss prevention or security incident alerts)
This data will help quantify and gain insights into the ‘why’ and ‘what’ of cyber decision-making.
Additionally, a cultural trait analysis will reveal the ‘personality’ of your organisation and help quantify its key characteristics. Is it authoritative or participative (do your people expect to be told what to do, or like to have the tools to direct themselves?), proactive or reactive (do they forward-plan, or wait to see what happens?). This will allow you to adjust your training to the way that your people like to work, increasing its effectiveness.
By understanding how your people make decisions (backed by data), and taking into consideration how people behave — whether in responding to a phishing email or managing their passwords — it is possible to tailor interventions that nudge them towards desired behaviours. One example of such an intervention is rooted in behavioural economics: providing ‘just in time’ training (that is, at the moment the behaviour occurs) to create a positive feedback loop and continuous reinforcement that will influence that behaviour going forward.[6]
These nudges can be applied to all sorts of cyber-related risks through integration with your existing security tools. When an employee finds themselves in one of these potential trouble areas (malware downloads, phishing, stolen credentials, visiting risky websites, use of unauthorised shadow IT or USBs, all the way to data breaches and deliberate threats), automated detection via behaviour management tools can trigger a real-time ‘just in time’ notification that alerts the user to a sub-optimal action they have taken.
From downloading adware, installing an unsafe browser plugin or download manager, connecting an unknown Bluetooth device or sending information to personal cloud storage, each action can be used as a teachable moment. Rather than alerting a user to the error alone, good, automated cyber prevention will go further towards creating behavioural change by explaining why these actions can cause issues, providing links to resources and training modules, or even offering one-on-one coaching.
Conversely, of course, desirable behaviours, such as reporting a phishing email, can be reinforced in the same way through rewards and real-time feedback — for instance, via an onscreen acknowledgment message of a user’s successful decision.
As an added benefit, ‘just in time’ nudging will also allow you to track reductions in incidents, malware infections and policy violations over time, and report evidence-backed improvements in security. While you will need to ensure that the operational practices, systems and tools are in place that allow employees to make the best cyber decisions, enlisting behavioural ‘nudging’ to make good use of teachable moments will add a crucial extra level of security.
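As an added illustration of the loop described in the preceding paragraphs (example code written for this page, not PwC's tooling or any product it mentions): events from security tools trigger a just-in-time message with an explanation and a resource link, a desirable action such as reporting a phish gets an immediate acknowledgment, repeated risky actions by one user escalate to a coaching referral, and a per-week tally supports reporting reductions over time. The event schema, action names, messages, threshold and intranet URLs are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
@dataclass(frozen=True)
class SecurityEvent:   # assumed schema for events from DLP, phishing simulators, email filters
    source: str
    user: str
    action: str        # the behaviour the tool observed
    week: int          # reporting period, used for trend tracking

# Teachable moments: risky action -> (why it matters, resource link); constructed placeholders.
RISKY_ACTIONS = {
    "clicked_phish_link": ("The email impersonated IT; verify unexpected requests through a "
                           "known channel.", "https://intranet.example/training/phishing"),
    "upload_personal_cloud": ("Company data left the managed environment; use the approved "
                              "sharing service.", "https://intranet.example/training/data"),
    "unsafe_browser_plugin": ("Unvetted plugins can read every page you open; request software "
                              "through the service desk.", "https://intranet.example/training/sw"),
}
GOOD_ACTIONS = {"reported_phish": "Thanks for reporting that email; you helped stop an attack."}
COACHING_THRESHOLD = 3  # this many risky actions by one user escalates to one-on-one coaching

def nudge_for(event, history):
    """Just-in-time feedback for `event` given the user's earlier events; None if no rule fires."""
    if event.action in GOOD_ACTIONS:  # reinforce the desirable behaviour immediately
        return {"user": event.user, "kind": "reinforcement", "message": GOOD_ACTIONS[event.action]}
    if event.action not in RISKY_ACTIONS:
        return None
    why, link = RISKY_ACTIONS[event.action]
    prior = sum(1 for e in history if e.user == event.user and e.action in RISKY_ACTIONS)
    kind = "coaching_referral" if prior + 1 >= COACHING_THRESHOLD else "teachable_moment"
    return {"user": event.user, "kind": kind, "message": why, "resource": link}

def risky_counts_by_week(events):  # per-week tally, so reductions can be evidenced over time
    return dict(sorted(Counter(e.week for e in events if e.action in RISKY_ACTIONS).items()))

def run_feed(events):  # process a feed in order, returning the nudges issued
    nudges, seen = [], []
    for ev in events:
        n = nudge_for(ev, seen)
        if n: nudges.append(n)
        seen.append(ev)
    return nudges

SAMPLE_EVENTS = [  # constructed sample feed
    SecurityEvent("phishing_simulator", "alice", "clicked_phish_link", 1),
    SecurityEvent("dlp", "bob", "upload_personal_cloud", 1),
    SecurityEvent("endpoint", "alice", "unsafe_browser_plugin", 1),
    SecurityEvent("email_filter", "carol", "reported_phish", 2),
    SecurityEvent("phishing_simulator", "alice", "clicked_phish_link", 2),
]
```

Running `run_feed(SAMPLE_EVENTS)` yields three teachable moments, one reinforcement for carol, and a coaching referral for alice on her third risky action; `risky_counts_by_week` shows the drop from three risky actions in week 1 to one in week 2.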
Cyber attacks on Australian businesses were detected twice as often in 2020 as in 2019, and ransomware attacks are on the rise in many industries. Organisations have to strengthen their security measures to meet these evolving risks.
Behavioural data can help explain why your people make certain decisions and, in response, enable you to use real-time, personal feedback to change their decision-making process. By combining perception and technological metrics, what your workforce is doing in regard to cyber behaviours, and why, will be clearer, allowing you to intervene more effectively before an attack strikes.
For more information on protecting your business from cyber threats, visit PwC Australia’s cyber security hub.
Ambika is a director in PwC Australia’s cyber security practice.