Hard Target: An Employee Behavior Change Approach to Cyber-Security

Big or small, publicly held or privately owned, every business is worried it will be the next victim of a cyber-attack.

They’re right to be concerned.

Hackers launch thousands of attacks each day to gain access to private networks and sensitive data. With the average cost of each successful data breach approaching $4 million, the cyber-attack pandemic is like a lottery no business wants to play: millions of chances each year to lose millions of dollars.

To defend themselves, companies worldwide will spend more than $80 billion on cyber-security hardware, software and services in 2017. But that investment will do little to address one of the weakest links in the data security defense chain: employee behavior.

With each new attack we're reminded that employees are one of hackers' favorite ways into a network. The recent WannaCry ransomware outbreak is often cited here, but it actually spread by exploiting unpatched Windows SMB services (the MS17-010 vulnerability) rather than through phishing emails; the reminder it delivers is that an unpatched system, like an unwary employee, is an open door.

The good news: it is possible to turn employees from hacker targets into frontline cyber-defense assets. We've identified three keys to engaging employees in the fight against cyber-attacks:

1. Find Your Blocks: Identify the blocks and barriers that keep employees from acting securely, and determine how to overcome them. Employees don't need a computer engineering degree to thwart hackers; the actions that do so aren't complicated. So why don't more employees take them?

Psychometrics and other research techniques identify the real and perceived barriers to behavior change. Sometimes these barriers are technological, such as systems that require employees to create and remember many separate usernames and passwords (a burden that predictably leads to weak and reused passwords). Sometimes they are emotional, such as the defeatist attitude that getting hacked is inevitable.

True or false, rational or irrational, these blocks and barriers are real to the people who experience them. Effective behavior change campaigns are built on a research foundation that explains what the blocks are and why they exist, and that research takes time and effort a company should be willing to invest.

2. Share Accountability: Ensure employees understand their role in protecting your data. A common hurdle is the belief that data security is something the IT department handles, yet some of the greatest vulnerabilities are human, not technological.

For example, the hackers known as social engineers specialize in manipulating employees into divulging sensitive information. This type of attack doesn't require a computer at all; it can be nothing more than a phone call or a conversation between the hacker and the employee.

Undeniably, employees have a critical role to play in securing company information. But understanding that role and believing it's central to their own accountabilities are two different things. The subtle danger is that employees come to think of data security like a fire drill: important, but not something they do every day. To change this perception, organizations need to demonstrate that security is a priority from the top down and from the bottom up.

3. Practice Makes Perfect: Use engaging training and gamification (games that teach employees cyber-defense behaviors in an interactive way) to bring cyber-security best practices to life. Too often, employee data security education is a once-a-year exercise whose purpose is to affirm that employees were exposed to the data security policies. This approach may be necessary for compliance, but it's not sufficient to change employee behavior.

Like any other behavior, cyber-defense techniques are only effective when they are practiced. Gamification is one way to ensure employees remain vigilant and apply the techniques in their day-to-day work, so that best practices become ingrained habits.

There is no opting out of cyber-risk: if your company has a network, it's a target, and by extension so are the employees who use it. Their behavior makes them either a vulnerability for hackers to exploit or a frontline cyber-defense asset.

Which will it be for your company’s employees?