Organizational culture as the last line of defense in cybersecurity

Anna Collard, SVP Content Strategy & Evangelist KnowBe4 Africa.

Organizational culture and behavior change are crucial to supporting cybersecurity in organizations, according to Anna Collard, Senior Vice President of Content Strategy and Evangelist for KnowBe4 Africa.

Speaking at a webinar on cybersecurity awareness and culture in South Africa, Collard said there is room for improvement in cybersecurity culture and organizations need to focus on inspiring behavioral changes within their ranks.

Collard said ITWeb KnowBe4’s Cybersecurity Culture in South Africa survey found that cybersecurity culture is important to most respondents. In the study, 72% of respondents said they currently run a safety awareness and culture program, and 28% do not. Just over a third (35%) do not measure their safety culture program. Those who measure it primarily look at metrics such as phishing simulations and incidents reported by end users.

Half had experienced an increase in social engineering attacks over the past 12 months, and 55% said they were receiving more reports from targeted users on mobile phones and chat apps.

“This aligns with a larger survey conducted by Forrester two years ago, in which 94% of respondents said that security culture is good for business. But in this survey, we asked them how they would define security culture and we found that there are varying perceptions of what security culture means. Respondents’ views on what constitutes a security culture range from levels of compliance to user behavior and awareness to safety.”

Defining the safety culture remains a challenge, Collard said. “If our perceptions vary, it is very difficult to measure and monitor the safety culture.”

A survey of webinar attendees asked “How would you define safety culture?” Respondents chose “Security Awareness and Understanding” (5%), “Level of Compliance” (2%), “People’s Sense of Security Responsibility and Accountability” (16%), “People’s attitudes towards security” (11%) and “All of the above” (63%).

Collard said “all of the above” was actually the correct answer.

“There are seven accepted criteria for safety culture that can be measured: attitudes, behaviors, cognition, communication, compliance, standards and responsibilities,” she said.

In December/January, KnowBe4 conducted another survey of end users from eight African countries. The results, presented in the KnowBe4 Africa Cybersecurity and Awareness Report 2021, found that in South Africa, 23% said they had been affected by cybercrime when working from home, but only 34% were very concerned about cybercrime.

Of those affected by cybercrime in Africa, 33% have been victims of social engineering, 13% have had accounts hacked, and 11% have reported viruses. In South Africa, 34% of those affected by cybercrime during the pandemic were victims of phishing and 17% had compromised accounts. Investment scams, bidding scams, online shopping scams, vishing and crypto account thefts have also been reported. 48% of respondents said they were aware of their security roles and responsibilities, 29% felt they had received adequate cybersecurity training, and 39% were confident they could recognize a security incident. However, many did not know what a ransomware attack or two-factor authentication was.

“Awareness is not enough – people need to change their behavior and organizations need to equip employees to do the right thing,” Collard said.

Security Behavior Change

“It’s really hard to change people’s behavior. As humans, we are lazy, social, creatures of habit, and we don’t really like change. We need behavioral interventions to move people from awareness to intention, to actually change their behavior,” Collard said. IT may be in charge of awareness and behavior change, but they may not have the knowledge to address the psychology of change.

“Most of us are in the sweet spot in terms of our attitude towards cybersecurity culture – we support policies and do the right things most of the time,” she said.

However, distractions can make it easier for people to fall for phishing emails, even if they are aware of the risks of phishing. KnowBe4 found that most people (53%) who clicked on phishing links were busy or multitasking at the time.

“One of the main reasons we fall into the trap of social engineering attacks is because we’re not present and we’re not in critical thinking mode. We have devices going off all the time, multiple meetings and family talking to us – this can cause us to lose focus. Cognitive overload can cause mistakes.”

“While most employees try to do the right thing in terms of cybersecurity, 15-20% of employees fall into the negligent zone, many are also in the reluctant zone, and less than 1% fall into the malicious zone,” she said.

Collard said engaging and motivational programs are needed to drive behavior change in organizations.

Collard said BJ Fogg, the “father of Behavior Design”, asserts that behavior changes when three things happen at the same time: motivation, ability, and an incentive to perform the behavior. This can be applied in the world of cybersecurity by making it personally interesting and relevant, using leadership and social influencers, stories and emotions, the power of positivity, games and gamification. Content should be as easy to digest as possible, she added.

The “capability” component of behavior change includes tools such as instant training and realistic simulations, facilitating reporting and providing users with tools such as a password manager, home licenses for security software and education for children and the elderly at home.

Prompts or nudges should ideally be voluntary and not forced. “Find creative ways to insert nudges into the workday. If you’re working on your culture and behavior change programs, you need to focus on motivation, capabilities, and incentives,” she said.

About Donald J. Beadle
