Insanity is doing the same thing over and over again and expecting different results…
When I began this journey as a Cyber Psychologist, helping people manage their human factors risk posture, I had to educate people as to why it’s not just about technology but how important it is to have a socio-technical approach. Of course, there were always one or two healthy debates, and I have heard some interesting responses, but these were some of the most common statements which I will share with you:
Statement 1: If the appropriate Technology is in place, then we don’t need awareness initiatives…
- My response: who controls the technology and access and who decides the most appropriate technology? Who is responsible for acting responsibly in the interests of the company they work for when managing employee data? What happens data that is not in a system but in our long-term memories and experiences? So often I hear how Technology is both a facilitator but also a barrier for business.Much of the behavioural analysis I have done has been in the financial sector, where specific teams are responsible for providing VIP services to a select number of clients but are frustrated daily how they can’t provide that service due to technology barriers, such as encryption tools when trying to share information between the customer and the customer services agent.In addition, employee feedback for these same companies, as well as others, has shown they perceive security training and awareness to be a distraction and something that takes them away from the tasks they believe to be an important part of their job. This is especially the case when training materials and modules, such as in computer-based training, is not fit for purpose in that it doesn’t reflect their own reality in terms of language style, security threats that are most present in their real environments and seem patronising or irrelevant.Finally, I would also say that if the only approach to managing human factors is Technology then we have to accept that the likely way forward into the future is through surveillance and employee monitoring in a way that may violate personal privacy, which is counterproductive to creating a positive security culture.
Statement 2: We don’t need an insider threat programme or initiative as we are open source, have nothing to steal, and trust our employees. And we have never had an incident…
- My response: Whether your business is large or small, you have intellectual property. Large enterprises can lose billions and solo traders can go bankrupt overnight, just from one rogue employee. Trusting your employees is critical to creating a positive security culture, and building loyalty and commitment will be your best vaccine against external and internal security threats, but it only takes one…Would you employ someone into a teaching role in a school that had a criminal record in abusing children? Similarly, why not try to understand the security values and intentions of your employees right from the recruitment and selection stage and routinely once onboarded, as you would with an HR annual survey? In addition, gathering intelligence at department level will help you to see where the vulnerabilities lie, and give you the best chance of achieving security engagement and preventing insider attacks. Finally, just because it hasn’t happened, doesn’t mean it won’t, and similarly, if you have been victim of an attack, doesn’t make you immune, especially if you don’t understand the motivators and triggers of that attack.
Statement 3: We have awareness initiatives and give our employees training. We have ticked the ISO2701 and SOC box and so nothing more required.
- My response: While these requirements are there to protect you, they are short-sighted. It’s a bit like buying a pair of glasses in the supermarket without knowing if they are the right prescription for you. In most cases, this will just cost you money and give you a terrible headache. Gather the intelligence first before prescribing the solution. It will save you a lot of money. Imagine if the whole world was given anti-depressants just in case one or two needed them? A generic ‘one size fits all’ approach works on critical assumptions that costs companies millions and provides little return on investment. The point is to target vulnerable groups and consider organisational, psychological, cultural, physical, and economic factors.
The time has come to focus less on awareness and training and education, and more on engagement. Are your employees engaged with the company’s values? Are they engaged with protecting the organisation from harm? What percentage of your organisation have an intention to leave the company? Do they have the motivation to go beyond the call of duty and protect the organisation from security threat? If you don’t know the answer to these questions, then you need to ask why.
Statement 4: The most common one I hear these days from very busy people who are focused on the day-to-day job and don’t have time to think outside the box at more people-focused solutions often tell me they love reading my articles but are very busy on current projects but get in touch later in the year…
- My response: Of course, I am always supportive. But what am I thinking? Firstly, later this year may be far too late. Secondly, if you don’t have time to go beyond the day-to-day workload then how can you expect your employees to engage with the training and awareness initiatives and become security champions or ambassadors? If you haven’t got the resource, capability, or motivation to do something outside of the box, and you are the role model for your organisation, then it’s time for a rethink. You need to understand where your holes in the floor are and how to fill them, before you start wasting employees’ precious time.I then ask them if they have ever used HR data, or psychological metrics to have a better understanding of their human risk posture? The answer is almost always ‘no’. I then ask, ‘would you if you could’? 🤷♀️ ‘Yes!’, and then along of the lines of ‘but right now we are creating some nice little videos that employees think are fun and our budget is maxed out!’. Another one bites the dust…
Remember…
- Intelligence first, solutions later
- If it can happen, it will, sooner or later
- If you’re too busy to face reality, so are your employees, so give as good as you get
- Just because you throw money at solutions and it looks pretty, doesn’t mean it will have the desired long-term impact
- Methods based in cyberpsychology can help you to measure and validate your assumptions, saving you time and money
- If you think you have it all covered, you most definitely don’t…
