Lately, the media has been full of major news stories relating to security breaches at well-known companies. Breaches such as those at Target, Staples and Home Depot have moved security stories from the domain of the information security press into mainstream media stories. The news stories talk of sophisticated attackers using advanced techniques to breach the security of these organizations.

However, are these attacks due to the technical prowess of the attackers or ineffective security awareness programs in those companies? If we look at these breaches more closely, we can identify one common element. That is the human factor. In nearly every security breach actions, either intentional or accidental, by someone in the victim companies led to the security breach.

Study after study also highlights how the human element is a key factor in successful security breaches. The IBM Security Services 2014 Cyber Security Intelligence Index highlights that “95% of all incidents involved some form of “human error”. These errors ranged from clicking on links and attachments in emails, using weak passwords, or using default system settings. Given that many of the breached organizations spent lots of money on security awareness programs, why are we still seeing the human element being such a major contributing factor?

While IT security staff may find information about computer viruses, the latest exploits, and current hacking technique, in reality most people would rather be thinking about something else. They have their own busy work days, deadlines to meet, and a myriad of other demands on their time. In many other cases, the security awareness program has been developed to meet a compliance requirement resulting in the focus being on number of staff attending the awareness session rather than on ensuring the content is relevant to the business and the job roles of the attendees. Finally, most security awareness programs fail because no deliverable s and metrics on their effectiveness have been identified. Simply put, in many cases security awareness programs do not engage staff.

If we look at how road safety campaigns have developed over the years we can see how they’ve progressed from simply making people aware of the rules of the road to modern adverts providing impactful content on why it is important to drive safely. Similar to the old road safety campaigns, simply making staff aware of security issues is not enough to ensure they behave in a secure manner. People have busy work and personal lives and many will look to complete their tasks quickly without thinking about the security implications. As such, we need to move away from a security awareness approach to enabling staff to be more secure, by developing a security engagement program whereby people will become equipped to deal with the security threats they face.

An effective security engagement program should be aligned with the overall business needs and the goals of the organization. The security engagement program should be different for a computer company than it would be for a financial institution or an organization in healthcare. The program should also take into account the cultural aspects of staff located in different offices with a particular focus on localizing the content for staff located in regional offices. A U.S. centric security awareness program will not engage an Asian or European audience. Similarly, the content of the program needs to be targeted at the intended audience. Content and key messages delivered to the sales team should be relevant to their role, as should content for the senior management team, and all other areas in the business. Another way to engage the audience is to use psychological hooks to get the attendees attention, such as highlighting safe online computing use for their own personal use. Good habits developed for personal use will equally apply in the corporate environment.

While criminals will look to exploit security vulnerabilities in applications and systems, they will also look to target weaknesses in the people that use those systems and applications. Aligning security education with the needs of the individual will provide a dynamic security engagement program that will be a key element in ensuring a robust security infrastructure.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…