Cyber security awareness isn’t enough anymore: Build a security-first culture instead
October is Cyber Security Awareness Month. A time when we run awareness campaigns, remind people of the importance of password hygiene and ask them not to click on anything that looks suspicious.
But despite all this, human error remains the most common cause of breaches, and has been for years. A recent Kaseya survey found that, for 89% of IT professionals, poor user behaviour or lack of training is the main cybersecurity hurdle in 2024.
Everyone knows that a weak password like “12345” is unsafe and that you shouldn’t use the same password across all your accounts. But knowing best practices and practising them are two different things. Alarmingly, people even use weak passwords for key entry points to critical systems such as VPNs.
This situation is only going to get worse with cyber criminals increasingly using AI to create convincing phishing emails, malware and even deepfakes.
The days of phishing emails riddled with bad grammar and spelling are probably over. Today's AI-enabled phishing scams can look and feel highly credible, making it hard for anyone, regardless of their security knowledge, to identify them.
Given that, let's focus on what can actually drive behavioural change in employees this October.
Building a security culture is the way to go
Yes, cybersecurity awareness is essential. But beyond that, how do you ensure security best practices are followed consistently by everyone?
Simon du Plessis, IT Commercial Director at CloudClevr, says this starts by building a security-first mindset in your organisation.
This means upholding security best practices is not treated as a chore but becomes part of your organisation's culture, where everyone contributes to and participates in keeping themselves and the business protected.
This also means instilling a culture of vigilance in your organisation. Security frameworks like Zero Trust, where nothing and no one is trusted by default, can help. The mantra should always be to verify first.
Employees need to be trained to double-check and independently verify communications before acting on them, even when they seem legitimate. For example, when an employee receives an email from an external source, do they click the link immediately, or pause to verify that it comes from a legitimate sender?
Phishing is still the most common form of cyberattack. You may have filtering tools to block such emails, but some will still slip through, so ultimately it's the 'verify first' mindset that will save you from falling into the trap.
For instance, one of our clients recently fell victim to a social engineering scam in which threat actors sent requests to change their bank account information. Had there been procedures in place to verify the authenticity of the request, such as contacting the bank directly, the scam could have been prevented.
Breaking the password habits
People are creatures of habit, and that shows up in our approach to passwords too. When we have dozens of applications to log into, asking us to remember unique passwords for each can feel like a big ask.
But you don’t have to memorise them all. Password managers like LastPass, Keeper, and NordPass can do that work for you. They securely store your passwords on your phone or computer, giving you that extra layer of protection without the hassle of remembering everything.
So, what makes a good password these days? The best approach is a passphrase – a series of random words (like CatThreeStair) with some capital letters and special characters mixed in. And when it comes to passwords, the longer, the better.
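As an added illustration of the "longer is better" point (example code, not from the article or CloudClevr): a small Python generator that builds a CatThreeStair-style passphrase and estimates its entropy. Note that capitalising every word is a fixed rule, so it adds no entropy; each extra random word adds log2(wordlist size) bits. The tiny word list is constructed for the demo, and the 7776-word comparison figure is simply a common wordlist size used as an assumption.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the demo only; a real generator
# would draw from a list of several thousand words (assumption).
WORDLIST = [
    "cat", "three", "stair", "river", "lamp", "orbit", "maple", "quartz",
    "violet", "anchor", "bronze", "canyon", "delta", "ember", "falcon", "glacier",
]
SYMBOLS = "!@#$%^&*-_+="


def passphrase_entropy_bits(word_count: int, wordlist_size: int, symbol_count: int = 0) -> float:
    """Entropy of a passphrase made of word_count words drawn uniformly (with
    replacement) from wordlist_size words, plus symbol_count random symbols.
    Fixed capitalisation is predictable, so it contributes nothing here."""
    return word_count * math.log2(wordlist_size) + symbol_count * math.log2(len(SYMBOLS))


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a conventional password: `length` characters, each drawn
    uniformly from a charset of charset_size symbols (62 = letters + digits)."""
    return length * math.log2(charset_size)


def generate_passphrase(word_count: int = 4, wordlist=WORDLIST, add_symbol: bool = True) -> str:
    """Pick words with the CSPRNG in `secrets` (never random.choice), capitalise
    each word in the article's CatThreeStair style, optionally append a symbol."""
    if word_count < 1:
        raise ValueError("need at least one word")
    words = [secrets.choice(wordlist).capitalize() for _ in range(word_count)]
    phrase = "".join(words)
    if add_symbol:
        phrase += secrets.choice(SYMBOLS)
    return phrase


def compare(word_count: int = 4, wordlist_size: int = 7776, password_length: int = 8) -> dict:
    """Compare a word_count-word passphrase against a password_length-character
    alphanumeric password; returns the two entropy estimates in bits."""
    return {
        "passphrase_bits": round(passphrase_entropy_bits(word_count, wordlist_size), 1),
        "password_bits": round(password_entropy_bits(password_length, 62), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase())   # e.g. "EmberCanyonLampOrbit$" (random each run)
    print(compare())               # 4 words from 7776 beat 8 random alphanumerics
```

Adding a fifth word to the passphrase adds about 13 bits with a 7776-word list, which is more than the roughly 6 bits gained by adding one more alphanumeric character to a password.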
Make security training engaging – Not just a box to check off
By no means should you stop delivering security training campaigns. But think about how that training can drive a change in user behaviour, and how to make it interesting too.
Do you expect your employees to complete a security questionnaire once a year? If so, it is likely to become a tick-box exercise from which no one benefits. Chances are they pressed a few buttons just to show they completed the training.
So how can you improve the way you deliver security training? Simulations are a great start. For example, help people familiarise themselves with real-world threats through phishing simulation exercises and monitor the progress.
And make the process fun. No one said cyber security training has to be boring.
If someone reports a suspicious email, recognise them for it. We've seen instances where businesses turned this training into a game, running phishing tests, creating a leaderboard and rewarding those who reported the test email first with gift cards.
Make cybersecurity a habit for your people. That comes only when they do it regularly, not when you ask them to complete an online assessment once a year.
Equally important is how you respond to a cyber attack
No one is 100% unbreachable. A mistake can happen to anyone. It is getting harder to tell a phishing email apart from a genuine one, so on a bad day you might click on a malicious link.
What’s important is how quickly the issue is reported and managed. Reporting a phishing attempt to your IT department as soon as it occurs can go a long way in reducing the damage caused by cyber-attacks.
The security mindset we spoke of earlier is not just about teaching people not to click the wrong links; it is also about informing the right people at the right time if you suspect you've been phished. It is about giving users the confidence to report an incident when a breach happens.
Start tracking how many people report potential phishing attempts or suspicious activities. This data can serve as a valuable metric for measuring the effectiveness of your cybersecurity awareness efforts.
5 cyber security tips you can start practising today
While instilling a ‘security-first’ culture is a long-term strategy, here are a few tips that you can adopt right away to stay safe online.
- Be mindful of what you share with third-party applications. If they get breached, your sensitive information is also at risk.
- Avoid public Wi-Fi: It’s often insecure, and attackers can exploit it to steal data. Tether your mobile phone’s internet if you need to access sensitive information.
- Practise strong password hygiene: Use a password manager to avoid reusing passwords or relying on weak ones, without having to memorise them all.
- Don’t forget Multi-Factor Authentication: An easy way to add extra security and avoid being a soft target.
- Report suspected breaches immediately: If you think you’ve been hacked, disconnect from the internet and notify your IT team straight away!
Building a cybersecurity culture goes beyond once-a-year training; it’s about creating habits and routines that encourage everyone to stay vigilant, every day.