According to data from a recent report, only 60% of office workers worldwide believe their company is resilient against cyberattacks. Nearly one in four (23%) admit to not knowing, while nearly one in five (18%) flat-out think it isn’t.
In the anonymous, write-in responses to the survey, many workers agreed that their employers could be doing more to support them and ensure their security. When asked to elaborate on why they didn’t believe their company was resilient against attacks, the most-repeated answers were along the following lines:
My company has been hacked before.
My company doesn’t prioritize security/security spend.
My company’s equipment and software are poorly maintained.
My company outsources its security, so we have no direct control.
I still get phishing emails. Our filtering must not be good enough.
These types of responses highlight two things: a general lack of faith in the company’s security and the perception that companies aren’t investing enough in security systems OR their employees. When considered alongside another question from the survey, there seems to be a third factor at play: there is also confusion as to who should be responsible for a company’s cyber resilience in the first place.
Overall, only 14% of office workers worldwide consider cyber resilience to be a responsibility all employees share. If workers also feel their companies don’t invest enough in them or the tools that protect them, it makes sense that they might not feel like cyber resilience is something they should worry about. If a person feels their employer doesn’t value them appropriately or empower them with the right tools to do their jobs, then the notion of having to expend one’s own time and energy on the company’s security could rankle. So how do you overcome the challenge of personal investment?
How to empower your people and your security
Dr. Prashanth Rajivan, cybersecurity and human behavior expert, says businesses that want to foster a feeling of personal investment must first tackle the notion of shared responsibility. He explains that, when people perceive themselves to have a greater responsibility to others, their average level of willingness to engage in risky behavior decreases.
“If you’re asking individuals to make changes to their own behavior for the greater safety of all, then you need to make it clear that you are willing to invest in them. By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture.” – Prashanth Rajivan, Ph.D.
One way to both empower your workforce to become a strong first line of defense while also demonstrating investment is by implementing a security awareness training program with phishing simulations, as well as giving employees enough time to carefully and thoughtfully complete the learning exercises and understand any applicable feedback.
According to Phil Karcher, principal product manager in charge of Webroot® Security Awareness Training, running regular, up-to-date training on an ongoing basis is one of the best ways to help end users avoid attacks and become a strong first line of defense for the company as a whole.
“Data from Webroot® Security Awareness Training shows that, if you want people to make lasting changes to their behavior, you have to run consistent, relevant training courses and phishing simulations that are also varied enough that people won’t get bored or find them predictable. Running a second simulation makes a dramatic impact — and it only gets better from there.”
– Philipp Karcher, principal product manager, Carbonite + Webroot, OpenText Companies
Number of Phishing Simulations
Dr. Rajivan also reminds us that human behavior is shaped by experience and reinforcement. He and Phil agree that consistency is key for empowering your workforce to become more resilient. But Dr. Rajivan also stresses the importance of feedback over consequences.
“Without appropriate feedback, no amount of training will be effective. And because the average person handles uncertainty poorly, training must include a variety of different scenarios. Human behavior is shaped through varied experiences, with a mix of positive and negative outcomes and applicable feedback.
This feedback and incentive structure needs to be carefully calibrated. Too much could lead to heightened anxiety and false alarms, but too little could lead to underweighted risk, i.e. people knowing the correct actions, but not taking them.”
– Prashanth Rajivan, Ph.D.
As phishing attacks continue to be a primary way that businesses get breached, the need for consistent end user education is clear. And by implementing a regular training regimen, you can demonstrate care and investment in your people, educate employees on scams, risks and what to do if the unthinkable happens, and successfully build cyber resilience into your overall company culture.
To take the first step towards cyber resilience and trial an engaging Security Awareness Training program, Take a Free Trial.
Justine Kurtz is senior copywriter at Webroot, an OpenText company. Read more Webroot guest blogs here.