In 2022, the total damage by cyberattacks reached $6 trillion, with $8 trillion in damages predicted in 2023, growing to $10.5 trillion by 2025. Some 33 billion accounts are expected to be breached in 2023 alone, according to the EC Council CyberSecurity Exchange. Clearly, companies need to quickly transform their security posture. We believe the key to success is effectively managing the people side of change.
Deploying the latest technologies can help protect systems, data, physical assets and business processes from malicious and accidental damage. But people, not systems, install and maintain the technology, keep software up to date, recognize suspicious traffic and respond to incidents.
Unaware or poorly trained employees can be the weakest link in security, significantly decreasing the effectiveness of technological defenses and too often providing cybercriminals an easy way into an organization. In fact, employee carelessness, criminal theft of information for financial gain, and malicious damage or leaking of sensitive data rank among the top worldwide information security risks.
Harden the human factor with security awareness
An organization with security-aware employees who are motivated and knowledgeable about how to protect company assets can dramatically reduce security risks.
One of the best ways to embed security values into the organization is a security awareness campaign. The campaign can range from several months to “always on” and should accomplish these goals:
- Build a strong security culture
- Educate and train employees
- Help employees recognize and appropriately respond to security concerns
- Provide up-to-date information to keep employees knowledgeable about new risks and appropriate risk response
- Keep employees aware that the data on their computers and mobile devices is valuable and vulnerable
- Promote security as a competitive advantage for the organization
- Protect and enhance the organization's reputation and brand
Why transformations fail
Ignoring the people side of change increases the risk of transformational failure and leads to employee resistance, program redesigns and delays.
In fact, most transformations do not fully attain the desired results. Research by BCG found that only 30% of transformation programs are completed successfully, which means that 70% of all transformations do not achieve their goals.
The most common mistakes:
- Unclearly communicated vision and strategy
- Employee resistance towards the change
- Lack of knowledge and skills
- No role model behavior from senior management
If these people factors aren’t addressed in a security transformation, employees may understand the security risks, but may not adopt the desired behavior because they feel:
- Burdened by complex passwords and other added security measures
- Conflicted by security behavior that contradicts their understanding of polite social behavior, such as challenging suspicious requests, refusing to share passwords and double-checking email sources
- Unprepared to detect security risks and overwhelmed by their complexity
- Less inclined to accept policies if management does not lead by example
How to manage the people side of change
Proactive, people-centered transformation raises the chances of success by building engagement and commitment early in the process. Successful management of change (MoC):
- Takes a systematic approach to managing change and transformation
- Considers both organizational and individual perspectives
- Applies MoC and communication techniques to increase acceptance of the change
- Maximizes the benefits of change to organizations and individuals
- Assures adoption of change and anchors it within the organization
At an organizational level, successful MoC clarifies the impact to the business and makes sure important elements align to support the chosen path:
- Organizational culture, values and policies
- Organizational setup, business structures and regional levels
- Processes and procedures
- Roles and responsibilities
- New knowledge, competencies and skills employees will need in the future state
On an individual level, effective change helps employees transition to a future state where security tasks are part of everyone’s daily routine.
People affected by change — both employees and managers — need time to adapt, and the transformation plan should accommodate varying timelines. A team that is part of a pilot program, for instance, might start the change process months before larger groups of employees.
Five building blocks for security awareness change
Successful individual change relies on five building blocks:
[Figure: Five building blocks of security awareness]
1) Understand and accept the need for change
A successful transformation helps employees understand the need to develop into a security-aware organization, as well as communicates the specifics of the timeline, what will and will not change, and why. Here are some ways to spread the word:
- Communicate the need for change as an engaging story within the context of the organization, sharing examples of previous attacks or security events inside and outside the organization, and their impact.
- Tailor communication to target groups by leveraging various media and internal communication channels, including emails, newsletters, posters, flyers, booklets and calendars. Emphasize the message with diagrams, pictures, text and audio.
- Send regular reminders to strengthen the message and make sure it reaches everyone.
- Increase awareness and understanding through hacking demonstrations, social engineering role plays, sample scenarios and opportunities to experience the changes in model offices.
2) Desire to participate and support the change
Although the stability of an organization may benefit individuals, it is rarely a sufficiently motivating factor for effecting individual change. A successful security awareness campaign clearly promotes the benefits for both the individual and the organization as well as explains the risk to both of not changing.
Consider these ways to increase employee interest and engagement:
- Enumerate individual benefits like increased professional qualifications from the new security knowledge and experience with tools
- Combine education and fun:
  - Organize competitive games to improve security skills and knowledge
- Nominate people for specific roles, such as a security ambassador for each team, to recognize individuals’ security awareness
- Adapt policies, rules and procedures — including penalties for non-conformance — to the desired future behavior
3) Knowledge of how to change
Employees need proper training to recognize security risks and adapt to new tools and processes. Willingness to participate in regular training increases if the content is tailored to the employee’s role and knowledge. Here are some tips:
- Tailor training to the target audience’s level of responsibility, technical knowledge and access to sensitive information. Include specific details as needed.
- Incorporate various channels, approaches and media: e-learning, classroom training, VIP training, videos and newsletters.
- Provide regular and continuously available training.
4) Implement the required skills and behaviors
Management commitment is key to establishing a culture and environment that make security-aware behavior the norm. Here’s how to help employees see new knowledge and processes as a benefit rather than a burden:
- Encourage managers to act as role models, comply with the same rules and show the same behavior required from regular employees.
- Promote correct behavior by clearly communicating consequences for intentional violation of security measures as well as through benefits and recognition.
- Make multi-factor authentication (MFA), password rules, log-on routines and other security tools as user friendly as possible.
- Establish security awareness as normal behavior through consistent messages and reminders about the desired state.
5) Make the change sustainable
Here’s how to sustain and build on hard-won gains:
- Define applicable controls to verify the effectiveness of security awareness measures. Mature learning tools, for example, typically include a set of built-in metrics to measure the training’s acceptance and success.
- Use surveys, feedback tools and other measurements to assess the effectiveness of the awareness campaign, analyze successes and pinpoint areas for improvement.
- Openly recognize first achievements and good results to reflect the importance of the security transformation; then, continually work on gaps and implement improvement activities to sustain the transformation.
- Deploy phishing simulations and similar tests to verify security awareness and the ability to recognize threats.
- Keep employees’ knowledge up to date and awareness at a high level by publicizing new threats and risks in regular communication and training.
Security awareness never ends
Launching an official security awareness campaign that includes the people aspect of change is an effective way to increase an organization’s security awareness, but in truth, effective security campaigns never really end. New threats and threat actors are constantly emerging; keeping employees informed and armed to deal with them is a continuous process that requires vigilance, communication and cooperation.
Transformation is an ongoing process that starts with first steps and evolves over time to meet the organization’s needs as well as the ever-changing security landscape.
A security-aware organization creates a culture of security and constantly empowers employees with the tools, behaviors and attitudes they need to protect their organization’s assets every day. The human factor then transforms from the weakest link to a strong force for an organization’s IT and information security.
About the author
Jelka Neumann is global performance improvement lead for DXC Technology’s Security offering. She has 25 years of experience in project and program management, including deep expertise in the successful remediation of red projects. Jelka leads initiatives to help customers increase security awareness through training and cyberattack simulations.