“It takes 20 years to build a reputation and five minutes to ruin it” (Warren Buffett)
Board meetings will never be the same again! Following a number of high-profile cyber-attacks and embarrassing boardroom apologies in the UK over the last 6 months, business leaders are now realising the real damage that a cyber-attack can do to their organisation. Hard-won reputations, both corporate and personal, competitive advantage and market value are all at risk.
Global investment on cybersecurity technologies continues to rise. Symantec’s Internet Security Threat Report, released in April 2016, reports that they “…discovered more than 430 million unique new pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”
But there is a gap between our continued investment in technology and our expectation that technology alone can solve the problem of the growing number of cyber-attacks.
Verizon’s 2015 annual data breach report highlighted one stark fact: the great majority of successful cyber-attacks, estimated at 90%, involve human error. Anyone in any organisation, irrespective of their role or seniority, can unwittingly enable an attack to succeed. Put more simply, cyber-attackers often find it easier to communicate and engage with our people than we do. How confident are you that your people are displaying the appropriate behaviours and understand the practical things needed to effectively protect the information and systems most precious and valuable to your organisation?
The challenge appears clear. All our people must play a more significant and specific role in our organisational resilience. The sad truth is that most organisations only educate their people through their annual information security awareness e-Learning, and it’s widely acknowledged that this yearly, compliance ‘tick-box’ approach to learning fails to engage and has little or no impact on people’s cyber behaviours.
So can e-Learning really change behaviours?
Yes. But not in its current form. In this vital area of staff training and development, one size doesn’t fit all, and the current ‘all staff, once a year’ approach simply doesn’t influence or change behaviours in the long term. At best it reminds us of some essentials; at worst it’s treated as unnecessary, a distraction and something ‘I have to do’. Annual e-Learning will not instil and sustain the cyber resilient behaviours that employees need today. We’re trying to ‘program’ our people in the same way we program computers to do certain things, in certain ways, at certain times. It doesn’t work.
A new approach is required: one where information security or cyber awareness learning is conceived as a continuous, ongoing and sustainable campaign over time. Just as our technical security controls evolve and adapt to suit changing cyber threats and vulnerabilities, we need to ensure all our people maintain their awareness and are provided, on a continual basis, with appropriate, practical guidance that fits the needs and requirements of the particular organisation.
RESILIA Awareness Learning modules have been designed to do just that. They provide your people with the knowledge, skills and confidence to adopt new behaviours in order to grow your firm’s cyber resilience, and use a range of innovative learning tools and techniques that build, maintain and measure the effectiveness of the awareness learning provided to your workforce.
It’s just a matter of time before you’ll be expected to respond to a successful attack or significant data breach. Where would you rather be?
Nick Wilding, General Manager of Cyber Resilience, and Gemma Moorhead, Marketing Lead, work at AXELOS Global Best Practice, a joint venture company co-owned by the UK Government and Capita plc which owns and develops a number of best practice methodologies, including ITIL® and PRINCE2®. They are responsible for RESILIA™ Global Best Practice: a portfolio of cyber resilience best practice publications, certified training, all-staff awareness learning and leadership engagement tools designed to put the ‘human factor’ (your people) at the centre of your cyber resilience strategy, enabling you to effectively recognise, respond to and recover from cyber-attacks.