Last week, IBM and The Ponemon Institute released their annual Cost of a Data Breach Report. For the past 15 years, the report has highlighted recurring and emerging factors that contribute to the cost of data breaches, as well as the root causes of those breaches. One of the key findings in this year’s report is that human-factored cyber attacks not only make up a large percentage of all malicious attacks, but are also incredibly costly to the businesses that suffer them. This only confirms the importance of cyber awareness training for employees to limit the risk of a human-factored attack.
There are many different causes of a data breach, some of which are merely accidental. However, according to this year’s report, malicious attacks now make up 52% of all breaches. This wasn’t always the case: malicious attacks have grown 24% in just six years. Malicious attacks are also the most expensive, costing businesses an average of $4.27 million. That’s nearly $1 million more than all other causes of a breach.
Given the frequency and cost of malicious attacks, it’s important to look closer at the different threats that account for their rise, and the data is surprising. While expected threats such as system vulnerabilities and malicious insiders are certainly present, human-factored cyber attacks take up a large chunk of all malicious attacks. Threats ranging from phishing attacks, to business email compromise, to social engineering and cloud misconfigurations are all rooted in human rather than technical vulnerability, and account for 41% of all malicious attacks leading to data breaches. Indeed, this report correlates with what was presented in the Verizon 2020 Data Breach Investigations Report.
Human-factored cyber attacks aren’t something you can protect yourself against strictly through technical safeguards. Instead, protecting against these vulnerabilities requires working with employees, establishing proper quality control protocols, ensuring you have the right expertise on your team, and using cyber awareness training to help build safer online habits.
As a Fortune 100 CISO once told me, “at the end of the day, every cyber incident starts with someone making a decision.”
One of the main tenets of behavior science is something called “operant conditioning.” It’s a fancy phrase for a concept that’s actually pretty simple: a behavior followed by a reward is more likely to be repeated than a behavior followed by a punishment. While this is a pretty common sense idea, when it comes to our own goals, we don’t often think this way. Instead, we’ve grown up with a myth that true success comes only with struggle and that our biggest opponent is ourselves. Instead of focusing on our wins, we focus on our losses and think that to get anything accomplished we have to be hard on ourselves. And how well does that usually work out?
In order to create new behaviors that you can actually sustain, you need to have positive reinforcement. In other words, if you set yourself a goal that is too difficult or takes too long to achieve, your focus will be on what you’re doing wrong, and that will lead you to give up. Instead, it’s important to build on goals that you can actually achieve and feel positive about. This isn’t to say you shouldn’t set big goals for yourself, but that, in order to get there, you first have to focus on the wins: the small, achievable goals that you can then build upon to make the changes you want for yourself.
This is a lesson that most cybersecurity training programs have yet to understand. Phish simulation programs often focus on the losses: when you click on a phish or don’t report it to your IT department. Instead, accountability with compassion is far more effective for driving long-term behavior change, and training programs that reward positive behaviors rather than punish bad ones are more likely to help users achieve their goals.
Using positive reinforcement and focusing on the wins helps us build the skills and abilities that enable us to do great things. And, perhaps after we have accomplished the large goal we were after, we’ll realize that the actual goal was to just feel better about ourselves.
The good news: Many companies these days are using cybersecurity controls and security training for their employees. The bad news: A lot of these businesses are putting in place the bare minimum in order to meet compliance requirements. The truth is, however, that you can be compliant but not secure. Remember the big Target breach in 2013? Hackers were able to take the debit and credit card information of millions of shoppers by accessing Target point-of-sale systems. The irony is that, just months before the attack, Target was certified PCI compliant. In the words of then-CEO Gregg Steinhafel, “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” Simply put: Target was compliant but not secure.
Creating a Culture
If your security awareness program is a “check the box” compliance program, you can bet your employees are going through the same motions as you are. How has that improved your security posture? It hasn’t. Instead, creating a strong security program is first and foremost about creating a culture around security. And this has to start at the top, with your executive officers and your board. If business leaders set a security-focused tone, then employees will likely follow suit.
The reason a business can be compliant and not secure is that cybersecurity isn’t a one-and-done deal. Compliance is a state; cybersecurity is an ongoing process that involves the entire organization, from the boardroom to the cubicle. The Verizon Data Breach Investigations Report shows that the human factor is the largest factor leading to breaches today. If that’s the case, perhaps instead of checking off the boxes, and before investing in that new machine learning intrusion detection gizmo, consider focusing on human learning, engagement and the behaviors that can drive a mindful security culture.
When it comes to cybersecurity, our minds usually jump to complicated technical protections that only your IT department understands. And while these safeguards are certainly important, the truth is hackers are increasingly focusing on social engineering attacks to get into our networks. In fact, phishing attacks are now the number one cause of successful data breaches. Employees are therefore often the first line of defense against cyber attacks. That’s why more and more cybersecurity experts are emphasizing the importance of security training for employees. Business owners need to feel confident that their employees are developing online behaviors that keep the organization secure. The problem, however, is that traditional training programs aren’t always successful in achieving these behavior changes. This is, in part, because training programs too often use “gotcha!” methods when employees make a mistake, which only discourages employees instead of motivating them. Organizations should therefore focus on programs that use positive reinforcement in security training.
One popular form of cybersecurity training is the phish simulation program, where employees are sent emails designed to look like popular phishing scams. The problem, however, is that these programs almost always rely on the gotcha method. When an employee clicks on a link in a fake phishing email, they will typically see a screen telling them they got caught and are then instructed to watch an informative video. The problem is that this approach causes the employee to associate negative emotions with the training and therefore reduces the likelihood of sustained behavior change. Simply put, this type of training creates a punitive environment that discourages the individual but doesn’t create meaningful change.
In contrast, one study has shown that using positive reinforcement in security training actually produces safer, longer-lasting online habits. Instead of punishing bad behavior, it’s actually more effective to focus on rewarding behavior you want to see, such as reporting phish: “By focusing on helping people feel successful, the campaign produced a positive result: a 30% reduction in overall phish susceptibility, and for individuals who had already been identified as habitual “phish clickers”, a reduction from 35% susceptivity to 0%.”
The key is to associate positive behaviors with positive feelings. It’s a small thing, but the impact could help businesses save a lot of time and money down the road.
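To make the program design described above concrete (score reports as the rewarded behavior, and measure susceptibility both overall and for the cohort of previously habitual clickers), here is an added Python example; it is not The PhishMarket™’s own code, and the event format, user names and point values are constructed assumptions.

```python
"""Scoring a phish-simulation program around reporting rather than clicking.
Added example with constructed data; the event shape, names and the 10-point
reward are assumptions, not The PhishMarket's own logic."""
from collections import defaultdict

# Constructed sample events: (campaign, user, action). Campaigns c1 and c2
# are the baseline before training; c3 is the follow-up campaign.
EVENTS = [
    ("c1", "alice", "click"),  ("c1", "bob", "report"), ("c1", "carol", "click"),
    ("c1", "dave", "ignore"),  ("c1", "erin", "click"),
    ("c2", "alice", "click"),  ("c2", "bob", "report"), ("c2", "carol", "click"),
    ("c2", "dave", "report"),  ("c2", "erin", "ignore"),
    ("c3", "alice", "report"), ("c3", "bob", "report"), ("c3", "carol", "report"),
    ("c3", "dave", "report"),  ("c3", "erin", "click"),
]

def susceptibility(events, campaign, cohort=None):
    """Share of a campaign's recipients (optionally only those in `cohort`)
    who clicked the simulated phish."""
    recipients = {u for c, u, _ in events if c == campaign}
    if cohort is not None:
        recipients &= cohort
    clickers = {u for c, u, a in events
                if c == campaign and a == "click" and u in recipients}
    return len(clickers) / len(recipients) if recipients else 0.0

def habitual_clickers(events, baseline, min_clicks=2):
    """Users who clicked in at least `min_clicks` of the baseline campaigns."""
    clicks = defaultdict(int)
    for c, u, a in events:
        if c in baseline and a == "click":
            clicks[u] += 1
    return {u for u, n in clicks.items() if n >= min_clicks}

def relative_reduction(before, after):
    """Fractional drop in susceptibility, e.g. 0.30 for a 30% reduction."""
    return (before - after) / before if before else 0.0

def reward_points(events, points_per_report=10):
    """Positive-reinforcement scoring: reports earn points and clicks cost
    nothing, so the dashboard tracks the behavior we want more of."""
    points = defaultdict(int)
    for _, u, a in events:
        if a == "report":
            points[u] += points_per_report
    return dict(points)
```

With the constructed data, the habitual clickers from c1 and c2 are alice and carol, and their susceptibility in c3 drops to 0 while the overall rate falls from 60% to 20%.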
Maybe the biggest misconception about forming new habits is that the biggest factor for success is the motivation to change. We often imagine that as long as we want to make a change in our lives, we have the power to do it. In fact, motivation is actually the least reliable element in making behavior changes. The hard truth is that simply wanting to make a change is far from enough.
The reason? Motivation isn’t a static thing; it comes and goes in waves. It’s therefore tough to keep our motivation high enough to lead to lasting behavior change. Take the response to the COVID-19 pandemic, for example. When it appeared in the U.S., we were highly motivated to socially distance. As time went on, however, more and more people started to take risks and go out more. That isn’t because the dangers were any less present, but because our motivation to stay inside started to wane. The point is, if the sole component of any behavior change is motivation, once that motivation starts to diminish, so will the new habit.
Of course, we have to at some level want to make a change, but we also have to realize that it’s simply not enough. Instead, we need to rely more on starting with changes that require the least motivation for them to occur. This is the idea behind BJ Fogg’s Tiny Habits that we wrote about last week. If you want to start reading more, it might be tempting to try reading a chapter or two every day. But more often than not, you’re not going to be motivated to keep that up for long. Instead, if your goal is just to read one paragraph a couple of times a day, you’re far more likely to keep up the new habit. Then, over time, you’ll find you need less motivation to read more and more, until you don’t even think about it any more.
This can be a hard pill to swallow. We like to believe that we can do anything we set our minds to, and it’s a little disheartening to think we don’t have as much control over our motivation as we might prefer. When looked at from a different angle, however, understanding this fact allows us to focus on what we can control: setting achievable goals and rewarding ourselves when we meet them. Focusing on that rather than on our inability to keep our motivation high will lead to more successful behavior change.
When you want to form a new habit or learn something new, you may think the best way to start is to dedicate as much time and energy as you can to it. If you want to learn a new language, for example, you may think that spending a couple of hours every day doing vocab drills will help you learn faster. Well, according to behavioral scientist BJ Fogg, you might be taking the wrong approach. Instead, it’s better to focus on what Fogg calls tiny habits: small, easy-to-accomplish actions that keep you engaged without overwhelming you.
Sure, if you study Spanish for three hours a day you may learn at a fast rate. The problem, however, is that too often we try to do too much too soon. By setting unrealistic goals or expecting too much from ourselves, new habits can be hard to maintain. Instead, if you only spend five minutes a day, chances are you will be able to sustain and grow the habit over a longer period of time and have a better chance of retaining what you’ve learned.
The Keys To Success
According to Fogg, in order to create lasting behavior change, three elements need to come together at the same moment:
Motivation: You have to want to make a change.
Ability: The new habit has to be achievable.
Prompt: There needs to be some notification or reminder that tells you it’s time to do the behavior.
Creating and sustaining new habits requires all three of these elements; with any element missing, your new behavior won’t occur. For example, if you want to go for a 5 mile run, you’re going to need a lot of motivation to do it. But if you set smaller, easy-to-achieve goals, like running for 5 minutes, you only need a little motivation to do the new behavior.
The other key factor is to help yourself feel successful. Spending 2 minutes reviewing Spanish tenses may not feel like a big accomplishment, but by celebrating every little win you will reinforce your motivation to continue.
The Future of Cyber Awareness
Tiny habits can not only help people learn a new language or start flossing; they can also play an important role in forming safer, more conscious online practices. Our cyber awareness training program, The PhishMarket™, is designed with these exact principles in mind. The program combines two elements, both based on Fogg’s model:
Phish Simulations: Using phish simulations helps expose people to different forms of phish attacks, and motivates them to be more alert when looking at their inbox. While most programs scold or punish users who fall for a phish, The PhishMarket™ instead uses positive reinforcement to encourage users to keep going.
Micro-Lessons: Unlike most training programs that just send you informative videos and infographics, The PhishMarket™ exclusively uses short, interactive lessons that engage users and encourage them to participate and discuss what they’ve learned. By keeping the lessons short, users only need to dedicate a few minutes a day and aren’t inundated with a barrage of information all at once.
Creating smart and safe online habits is vital to our world today. But traditional training techniques are too often boring, inconsistent, and end up feeling like a chore. Instead, we believe the best way to help people make meaningful changes in their online behavior is to focus on the small things. By leveraging Fogg’s tiny habits model, The PhishMarket™ has successfully helped users feel more confident in their ability to spot phish and disinformation.