Lately, the media has been full of major news stories relating to security breaches at well-known companies. Breaches such as those at Target, Staples and Home Depot have moved security stories from the domain of the information security press into mainstream media stories. The news stories talk of sophisticated attackers using advanced techniques to breach the security of these organizations.

However, are these attacks due to the technical prowess of the attackers or ineffective security awareness programs in those companies? If we look at these breaches more closely, we can identify one common element. That is the human factor. In nearly every security breach actions, either intentional or accidental, by someone in the victim companies led to the security breach.

Study after study also highlights how the human element is a key factor in successful security breaches. The IBM Security Services 2014 Cyber Security Intelligence Index highlights that “95% of all incidents involved some form of “human error”. These errors ranged from clicking on links and attachments in emails, using weak passwords, or using default system settings. Given that many of the breached organizations spent lots of money on security awareness programs, why are we still seeing the human element being such a major contributing factor?

While IT security staff may find information about computer viruses, the latest exploits, and current hacking technique, in reality most people would rather be thinking about something else. They have their own busy work days, deadlines to meet, and a myriad of other demands on their time. In many other cases, the security awareness program has been developed to meet a compliance requirement resulting in the focus being on number of staff attending the awareness session rather than on ensuring the content is relevant to the business and the job roles of the attendees. Finally, most security awareness programs fail because no deliverable s and metrics on their effectiveness have been identified. Simply put, in many cases security awareness programs do not engage staff.

If we look at how road safety campaigns have developed over the years we can see how they’ve progressed from simply making people aware of the rules of the road to modern adverts providing impactful content on why it is important to drive safely. Similar to the old road safety campaigns, simply making staff aware of security issues is not enough to ensure they behave in a secure manner. People have busy work and personal lives and many will look to complete their tasks quickly without thinking about the security implications. As such, we need to move away from a security awareness approach to enabling staff to be more secure, by developing a security engagement program whereby people will become equipped to deal with the security threats they face.

An effective security engagement program should be aligned with the overall business needs and the goals of the organization. The security engagement program should be different for a computer company than it would be for a financial institution or an organization in healthcare. The program should also take into account the cultural aspects of staff located in different offices with a particular focus on localizing the content for staff located in regional offices. A U.S. centric security awareness program will not engage an Asian or European audience. Similarly, the content of the program needs to be targeted at the intended audience. Content and key messages delivered to the sales team should be relevant to their role, as should content for the senior management team, and all other areas in the business. Another way to engage the audience is to use psychological hooks to get the attendees attention, such as highlighting safe online computing use for their own personal use. Good habits developed for personal use will equally apply in the corporate environment.

While criminals will look to exploit security vulnerabilities in applications and systems, they will also look to target weaknesses in the people that use those systems and applications. Aligning security education with the needs of the individual will provide a dynamic security engagement program that will be a key element in ensuring a robust security infrastructure.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…