Business Plus

Moving Beyond ‘One-And-Done’ Security Awareness

Human firewalling aims to move security awareness from being a conscious choice to an ingrained habit, writes Dani Michaux of KPMG

- Dani Michaux EMA Cyber Leader, KPMG Ireland

The world’s largest businesses are spending millions a year on cyber security infrastructure, and yet are still falling prey to hackers. Whether you are a multinational with a big IT budget or an SME, the most important and cost-effective way to prevent cyber attacks is to address the human factor. Firewalls cannot offer full protection, and according to recent research by Stanford University, around nine out of ten breaches involve some element of human error.

Many organisations address cyber security with their employees only once a year, at a company-wide event or training day. While these events are valuable, the message presented often fails to produce any meaningful and lasting change in employee behaviour. In the past, most organisations treated cyber security as a ‘one-and-done’ issue. Such approaches won’t cut it anymore. A modern cyber security programme must project a consistent and persistent message that cyber security is an essential part of ‘how we do business’. Cyber security awareness needs to evolve into an integral part of the business function in order to sustain trust in the marketplace.


KPMG recently released ‘Human Firewalling’, a global report that explores five steps that organisations should take to build an integrated, holistic approach to employee communication around cyber security. The report recommends:

- Taking advantage of the science behind adult learning techniques.
- Using change management to reinforce behaviour.
- Making training more engaging with innovative technology.
- Personalising the experience to make it memorable.
- Organising around a theme that is communicated regularly.

Human firewalling aims to move security awareness from being a conscious choice to an ingrained habit. The message must reach the part of the brain where it becomes second nature. It needs to leverage the highly visible and vocal support of your C-suite and senior leadership, who lead by example. Staff also need to be engaged at an emotional level. Cyber security awareness programmes need to inspire employees to become better digital citizens and to improve their practices not only at work but at home too, since most employers have now adopted hybrid work models.

Striking an emotional chord is essential to landing the message with employees. This isn’t as difficult as it may sound. Bulletins that are educational, stay on topic and reference timely or relevant examples can be created and distributed monthly. Regular alerts should be sent out to remind employees to take specific actions, such as changing a password that may have been exposed or making sure their IT equipment is properly secured. (Note that forced password changes on a fixed schedule, with no evidence of compromise, are no longer recommended by NIST SP 800-63B; tie the reminder to a concrete trigger rather than to the calendar.) Organisations should also use their own employees to drive the message home. Developing cyber role models and digital trust champions, and celebrating the successes of employees in protecting the business, is key to human firewalling success.


It’s also important to measure that success. As you roll out your human firewalling programme, keep track of the number of suspicious emails being reported, the participation in any live events or training modules, and the feedback of employees on the effectiveness of your communications. If you are successfully enabling your employees to become human firewalls, the results should be easily visible.

Download the KPMG ‘Human Firewalling’ report at

