Building a Culture of Cybersecurity: Why Awareness and Training Matter

By Sithembile (Nkosi) Songo, Chief Information Security Officer, ESKOM 

According to the Ultimate List of Cybersecurity Statistics, 98% of cyber attacks rely on social engineering. Social engineering and phishing attacks tactics keep on evolving and targeting a diversified audience form executives to normal employees. Advanced phishing attacks that can be launched using GEN AI. There is also a shift in motivation behind these attacks, such as financial gain, curiosity or data theft.  

Recent attacks have shown that cyber criminals continue to use various social engineering tricks, exploiting human weaknesses. Attackers are evolving from only exploiting technology vulnerabilities such as using automated exploits to initiate fraudulent transactions, steal data, install malware and engage in other malicious activities. 

Furthermore, it is a well-documented fact that people are deemed to be the weakest link in the cybersecurity chain. Traditional security controls put more focus on the technical vulnerabilities as opposed to the human related vulnerabilities. Threat actors are transitioning from traditional system and or technology related cyber-attacks to human based attacks. The cyber criminals have identified and are now taking advantage of uninformed or untrained workforce by exploiting the human related vulnerabilities. 

Employees often make it too easy by posting a huge amount of information about themselves, including daily status, activities, hobbies, travel schedule and their network of family and friends.   Even small snippets of information can be aggregated together. Bad guys can build an entire record on their targets.  Employees, especially those that are targeted, should limit what they post.  Bad guys leverage on other weaknesses, such as the improper destruction of information through dumpster diving and unencrypted data. The three most common delivery methods are email attachments, websites and USB removable media. 

Properly implemented USB policies and trained users can identify, stop and report phishing attacks.  Well-educated workforces on all the different methods of social engineering attacks are more likely to identify and stop the delivery of these attacks. 

While malicious breaches are the most common, inadvertent breaches from human error and system glitches are still the root cause for most of the data breaches studied in the report. Human error as a root cause of a breach includes “inadvertent insiders” who may be compromised by phishing attacks or have their devices infected or lost/stolen 

Entrenching a security conscious culture is therefore extremely important in today’s digital age. Cyber awareness is of utmost importance in today’s digital age.  

What is “Security Culture”?  

Security culture is the set of values shared by all the employees in an organization, which determine how people are expected to perceive and approach security. It is the ideas, customs and social behaviours of an organization that influence its security. Security culture is the most crucial element in an organization’s security strategy as it is fundamental to its ability to protect information, data and employee and customer privacy.

Perception about cybersecurity has a direct impact to the security culture. It could be either positive or negative. It’s deemed to be positive if information security is seen as a business enabler and viewed as a shared responsibility instead of becoming the CISO’s sole responsibility. On other hand it’s perceived negatively if security viewed a hindrance or a showstopper to business or production.

A sustainable security culture requires care and feeding. It is not something that develops naturally, it requires nurturing,  relevant investments. It is bigger than just ad-hoc events. When a security culture is sustainable, it transforms security from ad-hoc events into a lifecycle that generates security returns forever. Security culture determines what happens with security when people are on their own. Do they make the right choices when faced with whether to click on a link? Do they know the steps that must be performed to ensure that a new product or offering is secure throughout the development life cycle. 

Security culture should be engaging and delivering value because people are always keen to participate in a security culture that is co-created and enjoyable.  Furthermore, for people to invest their time and effort, they need to understand what they will get in return. In other words, it should provide a return on investment, such as improving a business solution, mitigating risks associated with cyber breaches.  

Culture change can either be driven from the top or be a bottom-up approach, depending on the composition and culture of the organization. A bottom-up approach rollout allows engaged parties to feel they are defining the way forward rather than participating in a large prescriptive corporate program, while support from the top helps to validate the change, regardless of how it is delivered.  

In particular, a top-down mandate helps to break down barriers between various business functions, information security, information technology, development team, operations, as well as being one of the few ways to reach beyond the technical teams and extend throughout the business.

Organizations that have a Strong Cybersecurity culture have the following:  

• Senior leadership support from Board and Exco that echo the importance of cybersecurity within the organization. 
• Defined a security awareness strategy and programme, including the Key Performance Indicators (KPIs). 
• Targeted awareness campaigns which segment staff based on risk. Grouping users by risk allows for messages and the frequency of messages to be tailored to the user group.  
• A cybersecurity champion programme which allows for a group of users embedded in the organization to drive the security message. 
• Usage of various of mediums to accommodate different types of people who learn differently. 
• Employees are always encouraged to report cybersecurity incidents and they know where and how and to report incidents. 
• Creating an organizational culture where people are encouraged to report mistakes could be the difference between containing a cyber incident or not. 
• Measurements to test effectiveness: This is often done with phishing simulations.  
• Employees have a clear understanding of what acceptable vs what is not acceptable.  
• Information security becomes a shared responsibility instead of  CISO’s sole responsibility. 

The below image depicts percentage of adopted awareness capabilities 

Security architecture principles such as Defence in Depth, the failure of a single component of the security architecture should not compromise the security of the entire system. A defense-in-depth mechanism should be applied to mitigate phishing related risks.

This approach applies security in different layers of protection, which implies that if one control fails the next layers of controls will be able to block or stop the phishing attack. The controls involve a combination of people, processes and technologies. 

User behavior analytics (UBA) should be used to augment the awareness programme by detecting insider threats, targeted attacks, and financial fraud and track users’ activities. Advanced our phishing attack simulations by using GEN AI based simulations should also be conducted to combat advanced phishing attacks. 

Possible Measurements 

There are several measures that can be applied to measure the level of a  security conscious culture: 

• Employees attitudes towards security protocols and issues. 
• Behaviour and actions of employees that have direct and indirect  security implications. 
• Employees understanding, knowledge and awareness of security issues and activities. 
• How communication channels promote a sense of belonging and offer support related to security issues and incident reporting. 
• Employee knowledge, support and compliance to security policies, standards and procedures. 
• Knowledge and adherence to unwritten rules of conduct related to security. 
• How employees perceive their responsibilities as a critical success factor in mitigating cyber risks. 

Conclusion 

According to Gartner, by 2025, 40% of cybersecurity programs will deploy socio-behavioural principles (such as nudge techniques ) to influence security culture across the organization.  

Recent human based cyber-attacks, together AI enabled phishing attacks, make it imperative to tighten human based controls. Promoting a security conscious culture will play a fundamental role in transforming people from being the weakest into the strongest link in the cybersecurity chain. 

Building a cybersecurity culture is crucial because it ensures that everyone understands the importance of cybersecurity, adherence to the relevant information security policies and procedures, increase the level of vigilance and mitigate risks associated with data breaches. Furthermore a strong cybersecurity culture fosters better collaboration, accountability and improved security maturity.

Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.