06 Jul Opinion: All aboard the cyber security train
Zaal Nodjoumi, chief executive officer of Cyber Sense Technologies Ltd, looks at how cyber security needs to be taken seriously enterprise-wide
‘Cyber Security’ – Just uttering these words to most people causes them to check out of the conversation before it even starts. From CEOs to entry level employees, all too often the response is, “Uh, cyber security? I don’t know, our IT team looks after that.”
How do you get your workforce to buy in to the collective understanding that cyber security can no longer be pushed off on to someone else? The time has come where we all have to do our part to keep ourselves and our organizations safe. Unfortunately, what we are seeing today is that even though cyber security budgets can run into the millions, and in some cases billions, of dollars, with the most up-to-date technology, processes and security awareness training (SAT) in place, hackers are somehow still getting through and wreaking havoc.
So, why is this happening, and how can it be resolved quickly and effectively? Let’s begin with the data. As much as 90-95% of breaches are attributed to some form of human error or insider threat, and technology solutions, as sophisticated and current as they may be, can only protect an organization’s perimeter up to 85-93%. That means that almost 100% of breaches are coming through the remaining 7-15% relating to our workforce. So we have to rely heavily on our people to be vigilant and hope that they identify and report anything suspicious instead of doing the wrong thing. This is the real pain point.
To address this risk, organizations turn to security awareness training solutions to educate and develop their workforce on cyber security. Typically, this consists of sets of rules to follow: don’t click this, don’t click that, make sure to always… and so on.
This is followed by simulated phishing tests to see who clicks on links or attachments that they shouldn’t. Through this exercise, repeat offenders can be identified, and CISOs and their teams arrive at an overall failure rate percentage, typically in the high teens and in some cases worse. This is proving to be catastrophic, especially for larger organizations.
Why can this never be an effective approach? For starters, we have to understand that there are different personality types within every workforce. Members of the finance, legal and accounts teams, for example, are typically risk averse and work based on direction from higher authorities. On the opposite end of the spectrum, you have the individuals that drive businesses: your CEOs, sales people and creative types. This group loves to take risks and chart its own course, and believes that rules don’t apply to it. And then you have everyone in between.
Going back to why conventional SAT can never be the solution: we cannot provide people with “rules based” training and expect that everyone will abide by it. As we have just seen, there’s an entire group of people that don’t like to follow the rules. So immediately we have to rule them out.
Enter CYBERology™. Developed by Dr. James Norrie, a seasoned cyber security professional and professor at the York College in Pennsylvania, CYBERology™ cleverly blends psychology with cyber security to create a “Human” solution that gets to the bottom of this problem. Through years of research and thousands of hours of focus groups, Dr. Norrie identified that there are four distinct personality-risk types within every organization, based on one’s tolerance for risk and one’s willingness, and transparency, in adhering to sets of rules. All of the personality types are important and valuable to the organization, but all are also vulnerable in different ways.
Dr. Norrie’s real breakthrough came when he was able to correlate these four styles to various threat vectors with a 98% level of accuracy. This led to the birth of cyberconIQ, a set of tools that lets any organization identify the risk “DNA” of its people on a granular level, making the human risk truly visible, measurable and manageable for the first time.
What are the results after implementing cyberconIQ? Clients have reported as much as a 75% reduction in phishing test failure rates on 30-day retests, improved adoption of cyber security best practices, higher confidence levels when faced with threats and increased self-reporting of incidents. But there was one more unexpected positive outcome: clients noticed that individuals in their organization started to spread cyber security best practices to family members and friends. That’s a big step in the right direction.