According to Cisco, a whopping 31% of organisations have experienced a cyber attack. In fact, every 15 seconds an organisation suffers an attack!
Emails, bank details, customer records and personal data can be breached in an attack, with some carrying huge consequences. Organisations like Facebook, Marriott and Under Armour have suffered high-profile cyber attacks over the past year and governments aren’t immune either; just ask a host of government agencies.
In 2017, the average global cost of cybercrime was $11.7 million per organisation and the number of successful breaches per company each year has rise more than 27% from an average of 102 to 130. As businesses work tirelessly to build more complex technology and bigger firewalls to increase cyber security and improve resilience against attacks they often overlook their first line of defence: their employees.
Avoiding 90% of attacks
Experts believe that almost 90% of cyber attacks can be attributed to human error.
Yes, IT administrators can set poor permission controls, and users can create weak passwords which make them vulnerable to cyber attacks, but it’s the Keiths in the contact centres who become victims of phishing by clicking on fraudulent links, and the Sarahs in accounts who unwittingly transfer money to fraudsters after receiving the go ahead from their CEO’s spoofed email address.
So how can organisations educate their employees to help mitigate that 90% risk? Well, rather than simply providing people with information in the hope of improving awareness, understanding the science of human behaviour is a great opportunity to change people’s actions.
How can we influence people’s behaviour to benefit cyber security?
We are influenced by our environments and situations so context matters. Humans possess predictable biases such as heuristics (mental shortcuts) which lead us to make judgements quickly and efficiently and solve immediate problems. However, these can sometimes result in errors and bad decision-making, so it’s important to make it as easy as possible for people to do the right thing.
From applying the right default procedures to choosing the influencers around us, once we provide some helpful interventions, we start to see changes in the way people behave. Using some elements of our HUMANISTS checklist, we provide some evidence-based thought starters:
HEART – each person has their own set of attitudes and beliefs that influence their behaviour and we respond to emotions like disgust, guilt, fear, shame and pride. When researchers in Ghana wanted to increase handwashing, they noted that Ghanians used soap when they felt their hands were dirty after cooking or travelling. Rather than providing information to promote soap use, a TV ad campaign was aired to provoke emotions of disgust and as a result saw a 41% increase in handwashing before eating. This approach could be used to elicit emotions of guilt or worry around leaking important data through cyber security breaches to ensure people are vigilant in the workplace.
NORMS – there is strong evidence to suggest that organisational culture and social norms affect the likelihood of rule-breaking and people ignoring procedure. If we see others ignoring rules and norms, we may be tempted to follow and that can lead to bad habits forming. Deciding which people have the knowledge, trust and rapport with others to influence the desired behaviours and getting them to set the precedent can help to ensure others follow the rules. Think about framing communications around the idea that the majority of people are following procedure, as the norm, e.g. “96% of people in your department are following cyber security best practice… are you?”
SURROUNDINGS – physical and virtual reminders can be put in place to act as cues for preventing risky behaviours. Think about road safety signs; they influence how people act on the road and adhere to the highway code. Colours, markings and textures we keep seeing in day-to-day life can eventually enter our subconscious. Desktop wallpapers, screensavers or desk drops could therefore prove useful in encouraging good behaviours around cyber security.
TIMELY – reminders of key information can help to localise a change in behaviour. There’s lots of evidence showing that we won’t act on something if we’re not reminded to. Reminders can have huge impacts on things like savings, charitable donations and adherence to medical treatments. An example of this are reminders that blood donors receive urging them to book their next appointment. Small nudges like enabling a pop-up on someone’s computer screen when they’ve been inactive for a certain amount of time could serve as a reminder to lock their screen. Reminders like these can help to embed behaviours that are conducive with good cyber awareness.
We know that information alone does not guarantee behaviour change but the way in which it is conveyed or displayed can make the difference. Here are some essential comms tips:
BE BRAVE – daring to be different can help to make an impact with the workforce but may also help to put cyber risk at the top of the C-suite agenda.
BE SPECIFIC – people have different perceptions of what risk means. Ensuring comms around cyber security are specific will help people to understand what it means to them and the wider business and also make it easier to put into practice.
MAKE IT MEMORABLE – The UK Government has recently launched the ‘Take Five’ campaign, encouraging people to question suspicious emails, phone calls and text messages concerning their finances. The campaign uses bold colour to make it stand out and the rhyming tagline – ‘‘My money? My info? I don’t think so!” – helps to make the message stick in people’s minds.
Creating a sustainable and secure cyber culture can take time but small changes can make big differences. Combining comms best practice with the right contextual nudges can influence behaviours and help to increase cyber security awareness, mitigating risk to your business.
We’re helping several clients to inform, educate and use behavioural science to help employees be more cyber security aware. Several ways we can help:
- Providing insight into your current risk culture and levels of cyber security awareness and understanding
- Establishing a baseline and campaign goal setting (using our measurement framework)
- Campaign planning, including tailored messaging for those at highest level of risk in the organisation
- Creative concepts and ideas that grab attention, raise awareness and make this relevant to your employees
- Recommendations to educate employees about the importance of protecting themselves and their business
- Combining best practice internal comms with our expertise in behaviour science to influence cyber security behaviours and instil behaviour change in your business
Get in touch with Chloe Foy, our in-house human behaviour expert, to chat more about what we can do for you.