Guest Post by Dr. Timothy P. Shea
While the way that companies communicate with their employees seems to be adequate, the content is either not thorough enough or not retained well enough to create long-term behavior change needed to prevent many cyber hacks. These vulnerabilities pose a major risk to companies today. The survey is the basis of a new employee cyber readiness diagnostic tool that companies can use to determine their own level of risk.
The question is not whether cyber security is an important, even critical, issue in business today. Juniper Research, in 2015, declared that the cost of data breaches [will increase] to $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015. Perhaps surprisingly, the biggest problem in cybersecurity is outside the walls of IT. Over 50% of the cyber security problem is due to social engineering — people, not machines. Security Intelligence claims as much as 95% is due to human error.
Steve and I, through the University of Massachusetts Dartmouth Business and Innovation Research Center (BIRC), recently completed a survey – the UMass Dartmouth Threat Readiness Survey – to examine the attitudes and opinions of employees concerning their ability to be an effective “human firewall”. In conjunction with AYTM market research, the data set has 1,000 usable respondents, all from the United States, balanced by gender, age, income, ethnicity, education, and location.
The most compelling result of the survey is the difference between perceived company policies regarding overall awareness – as demonstrated through a variety of company communications, training, etc. – and the knowledge needed to implement the required day-to-day cyber-behaviors of company employees.
The “human firewall” is made up of both “knowing” and “doing” – awareness and action. The survey took a look at both parts of the equation. One section asked about the type of communication the employee’s company conducted around cyber-security awareness. How well do employees perceive their companies are doing in terms of their company’s cyber security? The scores are pretty good, around 70% agree, in terms of: making company cyber security policies clear, senior leadership expectations, encouragement to work as a team, easy access to support and guidance and a process for reporting actual or suspected security breaches.
The results follow:
Q1: How much do you agree/disagree with the following statements in regards to your company’s cyber security? (Percent Strongly Agree or Agree in parentheses).
1. Your employer has ensured that you have read the company’s cyber security policies and has made it clear what is expected of you (73%)
2. Your Company’s senior leadership communicates with everyone about expectations for cyber safety practices (69%)
3. As an expressed company value, your employer encourages you and your coworkers to work together as a team to protect against cyber security risks (70%)
4. Your Company encourages you to help and remind other workers of cyber safety best practices (69%)
5. Your company provides easy access to support and guidance to cyber safety questions when they arise (70%)
6. Your Company has a clearly defined process for reporting actual or suspected security breaches (70%)
While not great, these results are not too bad. Almost three out of four companies are getting the word out – awareness, or “knowing”. Employees are aware of the problem and aware that the company is supporting the effort – at least at a high level.
The positive results are supported when looking at the nature of the company communications. Most companies have come a long way from simply posting a memo on the bulletin board near the coffee machine. For example:
- Two out of three companies (64%) communicate about cyber security at least every quarter.
- Seventy-four percent communicate by email, which is expected. However, in addition, 73% of companies still take the time and expense to communicate face-to-face – either in a group setting (41%) or individually (31%). Tangible items – such as posters, pens and mugs – are used 21% of the time. Social media is only used 16% of the time.
- The general trend towards shorter company communications is also supported here. While 39% of the communications take over 30 minutes to read or view, 41% take 14 minutes or less.
- Finally, the company communications are well done. Sixty-five percent of “company cyber safety communications are memorable, engaging and easy to follow”.
The second part of the equation is how well employees are prepared for specific responses to cyber-threats – that is, “doing”. Do employees agree that they have adequate cyber safety communications on how to handle specific, common, potential security breaches? This is where the larger gap appears. Employees were asked if they agreed they had enough information to handle challenges such as: password management, detecting and handling suspicious emails, the use of USB sticks at work, giving out sensitive information over the phone, connecting personal devices to the company network, what Personal Identifiable Information is, and cyber security when traveling or working remotely. The best result, at 64%, means over one-third of the respondents did NOT agree. On average, only one out of two answered in the positive across these questions – only 50%!
The results follow:
Q2: Which of the following activities does your company provide cyber safety communications for?
1. Providing strong requirements on password composition and regular password changing (64%)
2. Understanding what is considered Personal Identifiable Information and how to keep it confidential (55%)
3. Protecting sensitive information when traveling or working remotely (49%)
4. Connecting personal devices to the company network (46%)
5. Detecting and handling emails that you suspect are false (63%)
6. Giving out sensitive information over the phone (46%)
7. Recognizing warning signs if other workers’ behavior seems suspicious (40%)
8. Leaving your computer where sensitive information could be seen or the computer could be stolen (54%)
9. Using external machines or USB sticks at work (40%)
Again, almost one out of two respondents stated that they do not feel prepared to handle common activities related to cyber-security. The findings, and more specifically the risks identified, are eye-opening – but perhaps not surprising. Getting into the weeds, providing training and regular communications about specific cyber behavior to the point where behavior is impacted across a company, is challenging. There is evidence that a number of companies practice “phishing” simulations but, as the results suggest, there is much more to do.
So, what is next? How do we win the cyber-security war on the human front? How do we strengthen the “human firewall”? Three significant pieces remain.
- First, at the organization level, the survey and results will soon be refined into a risk assessment tool, one that can support a company as it both identifies its level of risk and moves through an Employee Cyber Threat Maturity Model.
- Secondly, additional data needs to be collected and analyzed to help drill down on the results. For example, there are indications that women employees are better at handling cyber-security activities on a day-to-day basis. The data also suggests that the lowest and highest educated employees are more effective in handling cyber-security. If confirmed, companies can better focus their cyber-security training resources.
- Thirdly, at the individual level, more sophisticated means of communication and training are needed to facilitate behavior change, not just awareness. Here, the research team is expanding to include ThreatReady Resources – a company expert in more advanced training techniques that impact behavior and corporate culture.
The stakes are too high. Risky cyber behavior at work, to be succinct, can cause significant damage to a company. The UMass Employee Cyber Threat Readiness survey has shone a bright light on the high level of risk still to be addressed in today’s workforce. We are now aware – we know the size of the problem. What is left, for companies as well as each of us, is to be more vigilant in our cyber activities – to “do” the right thing. Today, we all need to become fully aware of the cyber threat as well as learn how to practice “safe cyber” every day.