Cybersecurity awareness requires ongoing campaigns to be internalized by the employees
Almost all medium-sized and large companies have experienced cyber attacks. Companies that claim not to have experienced one probably have simply not found out yet.
In 2020 alone, attacks cost $5.5 trillion worldwide, more than Brazil's GDP, according to ENISA (the European Network and Information Security Agency).
After countless attacks, billion-dollar losses, and tarnished reputations, few companies still underestimate cyber attacks. Cyber attacks were the biggest threat for 64% of the Brazilian companies participating in the 11th edition of the Allianz Risk Barometer.
Cybersecurity awareness has led large organizations to invest heavily in infrastructure to protect against hackers. This is important - but not enough. Most organizations have failed to focus on the most critical element of a cyber attack: their people.
Unfortunately, those who believe they will be protected only by hiring the best threat and attack prevention technology are mistaken.
It is no overstatement to say that the greatest vulnerability in a company lies in the employees' behavior. Nine out of ten attacks exploit human error.
People are the biggest entry channel for cyber attackers. The attack can take many forms: from opening a malicious email, or downloading a malicious file, to sharing sensitive company information in a spoof survey.
Hackers are very creative. A single moment of inattention by an employee is enough to bypass a company's cybersecurity systems.
Many companies believe that a few lectures or email messages warning about the problem and giving security tips will be enough to solve this vulnerability. But this is not enough.
Organizations must handle cybersecurity with their employees like they handle diversity matters. How? Frequently and intensely.
In other words, while an email or a lecture is not enough to change the organization's culture about the importance of gender equity, cybersecurity awareness requires ongoing campaigns to be internalized by the employees.
Campaigns must be practical; presenting cases from other companies as a warning does not work. The usual reaction to such an approach is dismissive: "It wouldn't happen here."
For this reason, we must create campaigns based on the company's reality. This includes realistic simulations of the employees' daily routine, lectures, tests, gamification, success and failure cases, and recognition of good practice.
The initiatives should reflect how employees behave within the organization's culture.
For example, a playful exercise may not produce the required engagement in one company, which will have more success with a more "assertive" action; in other companies, the effect may be the opposite.
The program involves five steps:
- Identify risk environments for each group to design digital transformation plans and roadmaps.
- Raise cybersecurity awareness among everyone in the organization.
- Promote sustainable cybersecurity behaviors to protect people at work and in the personal environment.
- Take incremental actions to change people's behaviors.
- Use metrics to evaluate people's behaviors and understand how far they have developed.
Different departments, such as Marketing and Human Resources as well as IT, should work together. Companies must focus on their employees as the first - and primary - line of defense against cyber attacks. Otherwise, rather than a fortress, they will be a vulnerability.