Moving Beyond ‘One-And-Done’ Security Awareness
Human firewalling aims to move security awareness from being a conscious choice to an ingrained habit, writes Dani Michaux of KPMG
The world’s largest businesses are spending millions a year on cyber security infrastructure, and yet are still falling prey to hackers. Whether you are a multinational with big IT budgets or an SME, the most important and costeffective way to prevent cyber attacks is addressing the human factor. Firewalls cannot offer full protection, and according to recent research by Stanford University, nine out of ten breaches generally include some element of human error. Many organisations address cyber security with their employees only once a year at a company-wide event or training day. While these events are valuable, the message presented often fails to make any meaningful and necessary change in employee behaviour. In the past, the approach to cyber security across most organisations was to treat it as a ‘one-and-done’ issue. Such approaches won’t cut it anymore. A modern cyber security programme must project a consistent and persistent message that cyber security is an essential part of ‘how we do business’. Cyber security awareness needs to evolve into being an integral part of the business function in order to ensure trust in the marketplace.
HUMAN FIREWALLING
KPMG recently released ‘Human Firewalling’, a global report that explores five steps that organisations should take to build an integrated, holistic approach to employee communication around cyber security. The report recommends: Taking advantage of the science behind adult learning techniques. Using change management to reinforce behaviour. Making training more engaging with innovative technology. Personalising the experience to make it memorable. Organising around a theme that’s communicated regularly. Human firewalling aims to move security awareness from being a conscious choice to an ingrained habit. The message must reach the part of the brain where it becomes
EMOTIONAL ENGAGEMENT
second nature. It needs to leverage the highly visible and vocal support of your C-suite and senior leadership, as they lead by example. Staff also need to be engaged at an emotional level. Cyber security awareness programmes need to inspire employees to become better digital citizens and improve their practices not only at work, but at home too, as most employers have now adopted hybrid work models. Striking an emotional chord is essential to landing the message with employees. This isn’t as difficult as it may sound. Bulletins that are educational and stay on topic, making reference to timely or relevant examples, can be created and distributed monthly. Regular alerts should be sent out to remind employees to take certain actions, such as changing their passwords or ensuring they are securing their IT equipment properly. Organisations should also ensure that they are using their employees to drive the message home. The development of cyber role models and digital trust champions, and celebrating the success of your employees in protecting the business, is key to human firewalling success.
MEASURING SUCCESS
It’s also important to measure that success. As you roll out your human firewalling programme, keep track of the number of suspicious emails being reported, the participation in any live events or training modules, and the feedback of employees on the effectiveness of your communications. If you are successfully enabling your employees to become human firewalls, the results should be easily visible.
Download the KPMG ‘Human Firewalling’ report at kpmg.ie/cyber