Coachable Moments: Building Better Cybersecurity Habits

Human error is the top cause of security incidents, responsible for two-thirds of the nearly three billion records compromised in 2017, according to the IBM X-Force Threat Intelligence Index 2018. The majority of insider threats are also caused by mistakes. A recent study from The Ponemon Institute found that two-thirds of all insider threat incidents were caused by employee or contractor negligence, costing organizations an average of $3.8 million per year.

While these statistics are sobering, they’re also good news for cybersecurity professionals, since bad habits are an inherently fixable problem (with the right training, of course!).

Some organizations have taken cybersecurity awareness training as far as locking employees in an escape room to teach good cybersecurity hygiene. (We do not recommend locking your employees in an escape room, or any room for that matter.)

For example, the National Geospatial-Intelligence Agency signed up with a company called Living Security to put its employees through an extreme training exercise where they’re required to solve problems from both an IT security team’s perspective and a black hat hacker’s perspective to escape the room. This hands-on training shows employees just how easy it is for bad actors to take advantage of simple cybersecurity mistakes.

Even if a company-wide escape room isn’t an option for your organization, there are simple ways to teach good cybersecurity habits, and reinforce them on a regular basis. Here’s a good place to start:

Embed Security Into Existing Workflows

Whenever possible, configure the default settings of an employee’s computer and accounts to follow security best practices, such as auto-updating and multi-factor authentication (MFA). Employees are more likely to adhere to security policies that are automatically enabled and unobtrusive in their day-to-day lives.

When onboarding new employees, give them a heads up about the security features you’ve automatically enabled, so they have a deeper understanding of the context behind why a decision was made to implement a certain security best practice.

For example, encourage the use of an automated password manager or single sign-on (SSO) technology for all employees. Explain the need for such a technology by talking about how password reuse can lead to an increased risk of breach. A recent LogMeIn study showed that although 91% of people understood the risks of reusing passwords, 59% of people did it anyway!

Use the News

It seems like nearly every day there’s another cybersecurity breach, hack, or insider threat incident dominating the headlines. More often than not, these incidents are caused by human error. In some cases, one organization’s mistake can serve as a great case study on what not to do.

Whether it’s a two-factor authentication slip-up like the recent Timehop breach, or a social engineering attack like the infamous Anthem breach, use the headlines to demonstrate how a best practice can help avoid a breach. These headlines aren’t intended to scare users, but rather to provide real-world examples of how good security habits can prevent such incidents from occurring.

Try incorporating news into your training sessions on good cybersecurity hygiene, and test employees’ knowledge of how each breach could have been avoided with a specific security best practice.

Test & Learn

Regular cybersecurity awareness training sessions are essential to maintaining good cybersecurity hygiene across the organization.

For example, NIST provides robust guidelines on how to set up security awareness training, ranging from brown-bag lunch sessions to regular calendar invitations with security training tips.

Rather than have employees who forget about a training session the moment they leave, try regularly testing what they’ve learned in real-world scenarios. For example, run randomized, simulated phishing attacks to see if users can identify what a phishing email looks like. If they fail the test, explain why the email was suspicious, so they’re not tricked by future attempts.

To measure whether employees are retaining the knowledge you’re dropping during security awareness training sessions, try regular quizzes that offer employees a reward, such as a gift card, for effectively completing them on time.

Finally, if your organization uses an insider threat management solution like ObserveIT, you can alert users in real time when they take an action that’s considered risky or out-of-policy, providing context into their actions and how to avoid them in the future.

Don’t Miss a Coachable Moment

If you like this post, you may like others in our Coachable Moments series, including the latest on recognizing insider threat indicators. As always, feel free to let us know what topic you’d like to see in the future on Twitter @ObserveIT.