This is a time of increasingly sophisticated malware, ransomware, and social engineering attacks, many of which have led to high-profile data leaks and steep ransom demands. It seems as if almost every day we hear of another company that has become victim of a cyber-attack. And while today, cybersecurity and preparedness rank high on every organization’s priority list, one single mistake by a well-meaning employee can lead to a breach.
Human behavior continues to drive breaches. And the numbers are bleak: according to Dr Erik Huffman, who specialises in the field of ‘cyberpsychology’, which looks at the impact of human behavior on cybersecurity, 93% of cyber-attacks start with people instead of technology.
According to statistics published by Statista Research Department, Chief Information Security Officers (CISOs) around the world overwhelmingly agree that human error is their organization’s biggest cyber vulnerability as of 2021. The increased awareness that not technology but people keep an organization secure highlight the importance of having a strong culture of security in which assumptions, mindsets, communication and behaviors contribute to a secure environment instead of compromising it.
Mind the mental gap
For most employees, cybersecurity is a topic of emotional extremes. On the one hand there is indifference (to yet another email from the IT department), and on the other, there is fear (of doing something wrong) or shame (of having done something wrong). Even our moods impact the likelihood of unsafe computing behavior. An organization’s cyber adversaries will always seek the easiest path into a network, and often that path goes through people. Scams or social engineering attempts work as often as they do – not only because they’re designed to play on a lack of technical knowledge – but because they trigger strong emotions to feed off our worst fears and insecurities. Add in the fact that the adversaries are growing more and more sophisticated – even going as far as to social engineer IT Help Desks or spoof multifactor authentication requests – and it is clear that the average employee is much more at risk of becoming an unwilling or unknowing patient zero.
It makes sense then, that part of a strong cyber resilience and communications strategy should include a thorough understanding of what motivates and influences people’s behavior when it comes to cybersecurity (before, during and after a cyber-attack) as it adds valuable insights that can be used in training programs, employee communication and culture change initiatives to build a strong culture of security.
How to create a strong culture of security
If humans are considered an organization’s greatest vulnerability when it comes to cybersecurity, it also means they can become its greatest asset and brand ambassadors.
Building a strong culture of security is one in which both the individual aspects of culture (people’s mindsets, attitudes, assumptions, behaviors and the way they communicate) and the shared aspects of culture (narratives, structures, processes, policies and social dynamics) support safe behaviors and a secure information and data environment. But creating a strong culture of security is not just about training people to avoid phishing emails or providing password management guidelines.
From our experience helping clients across industries – from Fortune 500 firms to start-ups – assess and evolve their security culture, we’ve found that these 10 people and communications-focused considerations are game changers:
- Elevate the conversation – cybersecurity should be a business topic and conversation, not just an IT one. Are employees aware of the key information security risk areas of the organization? Do business leaders regularly communicate about the importance of security to the business, focusing not only on ‘what’ and ‘how’ but most importantly why is it important?
- Own the topic together – creating a strong culture of security is a shared responsibility. While the CISO may drive the topic, it should be co-owned and messaging should be driven by both business leaders and the relevant functional departments (HR, Legal, Compliance, Communication). FTI’s own research confirms the CISO’s struggle to communicate and resonate in this regard: 63% feel that their concerns are not fully understood by or aligned with senior leadership priorities.
- Understand your current culture of security – what you measure, you can manage. Get a clear view on how your employees feel about your current cybersecurity culture and the way in which its communicated to them: this will help the business to understand where pressures are coming from to take risks, as well as where the weaknesses are and what you need to fix, plus the cultural and communications strengths that already exist that you can put to work.
- Define what success looks like – not from a technology perspective, but from a people, culture, communications and business perspective. When you have achieved what? When people do and say what and how do they behave?
- Mind the mental gap – Make sure to understand the mindsets, motivations and emotional influencers that impact people’s behavior and address these psychological components in training programs, communication and culture change initiatives.
- Involve people – Involve personal communications from leaders, people managers and employees in building a strong culture of security instead of just pushing policies and procedures down through the organization via impersonal emails from the IT team.
- Hold everyone accountable – Accountability for cyber and information security should run throughout the organization – across all levels and functions. Clearly communicate to people what their role and responsibility is in keeping the organization safe. Define and communicate set security goals per role and/or function and make it a metric in everyone’s performance evaluation. Some companies are even going as far as to tie a cybersecurity goal to annual performance and compensation to make sure it resonates company-wide and is treated as a priority by everyone.
- Communicate, communicate, communicate – Don’t delegate cyber security communication to the IT department only: make it part of day-to-day business conversations. Do leaders talk about it in relation to the business? Is it part of management team business discussions? When talking about it, do you use language and concrete examples that employees can relate to? Do you use engaging channels and formats like videos, success stories, podcasts and infographics?
- Prepare, train, test – Regardless of whether it is via an employee or an external perpetrator, if a breach has occurred, action must be taken quickly. Involving the right people, making the right decisions – in the right order, and communicating the right information at the right time while under extreme stress takes preparation and planning. Set up an incident response team and coordinating crisis communications protocol, conduct tabletop exercises and then prepare and train your leaders to lead calmly and confidently under the worst circumstances. Don’t let a cyber-attack be your first fire drill test case.
- Bring in the experts and share the ‘war stories’ – whether it’s at board level or at a town hall, people listen to those who have been there before. If your organization engages in an external speaker series or has a learning and development program that brings in external views to communicate about important topics – have someone come talk about their experience having gone through a breach and share what they’ve learned!
Those looking to hack, extort and disrupt corporations are always looking to find new ways of doing so, and often the easiest route to success is through people. Nurturing awareness of security risks and a better understanding of their impact on the business is the first – and most vital step in building a safer information environment. Creating a strong culture of security that tasks every member of an organization with embracing attitudes and beliefs that drive secure behaviors should be part of every company’s cyber resilience strategy. With proper guidance and investment, your people can become your strongest asset and first – and best – line of defence.
How we can help
FTI Consulting’s Cybersecurity and Data Privacy Communications practice is one of the only, and the largest, cross-border crisis communications practices in the industry that is specialized in cybersecurity.
Our industry partners and clients turn to FTI for expert crisis communications counsel and support throughout the entire lifecycle of a cyber incident, helping them assess and mitigate risks, build a strong culture of security and preserve their reputation before, during, and after an attack. We approach cybersecurity issues from a multi-stakeholder lens. Our breadth of experience and multidisciplinary approach have positioned FTI as a well-respected and influential advisor in the cybersecurity space working alongside of our partners, which include industry-leading forensic investigators, cyber insurers, legal counsel, and breach coaches.
Please contact one of the authors with any questions about cyber preparedness or incident response: Meredith Griffanti, Global Head of Cybersecurity & Data Privacy Communications, meredith.griffanti@fticonsulting.com & Sabine Clappaert, Managing Director, People & Transformation sabine.clappaert@fticonsulting.com
The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com