Elevating cyber awareness within organisations

Deloitte’s 2021 Future of Cyber Survey, a study of nearly 600 C-suite executives globally, shows that cyber risks are prevalent. In fact, 98% of US executives — and 84% of executives in the rest of the world (ROW) — say that their organisation has experienced one or more cyber incidents in the past year. 

Among the top cyberthreats that concern executives are the “unintended actions of well-meaning employees” (US: 28%; ROW: 16%). These actions may make organisations more susceptible to ransomware attacks, phishing scams, and malware penetration. The data highlights that the C-suite is worried about cyber hygiene and culture, which have direct ties to cyber awareness in an organisation.

The state of cyber awareness and training

Businesses of all sizes today have adopted multi-dimensional cyber-awareness training models and tools, and the need for cybersecurity and cyber awareness has increasingly become established within the organisational gene. Large-scale programmes — including tailored awareness sessions, quizzes, gamification, and simulation training — are often regularly conducted within organisations. 

However, organisations often measure their cyber awareness maturity based on what was a poor state of awareness in the past. This is an inadequate benchmark, as the march toward true maturity, by industry standards, is based on the time, money, and resources that organisations devote to cyber awareness — and on progress made through prioritisation.

Some recommendations for cybersecurity awareness and effectiveness measurement include:

• Keep it simple: Trainers running cybersecurity awareness programmes within your organisation should be able to explain cybersecurity concepts in the simplest manner possible. Whether explaining phishing, vishing, whaling, or ransomware attacks, if trainers can establish “trust but verify” conceptually, they have made a mark.
• Relate to your recipients: One of the major reasons for cybersecurity awareness failures within organisations is developing programmes in silos, where they’re not directly linked to business outcomes and not embedded in the business. These programmes typically impart more theoretical knowledge, rather than cover the practical repercussions of information security incidents and their ability to hamper business — which are crucial elements of awareness campaigns. Hence, establishing a link between the business and its cybersecurity requirements is important. Employees should understand: What does the data mean to me and to our business? Why should I protect the data? What could be the potential legal and regulatory consequences of not safeguarding it? How should I protect the data? If the trainers are able to effectively change the message around security, so it’s more relevant to individuals and tied to business outcomes, it is likely to create long-term value for both teams, as well as the organisation overall. 
• Measure training effectiveness: A process that cannot be measured is not trustworthy. So, it’s important to develop and track key performance indicators (KPIs) related to the effectiveness of cybersecurity awareness. Some of the questions that organisations may consider include: 
  • What percent of our workforce is trained on cybersecurity awareness?
  • Was there a reduction in information security incidents after cybersecurity awareness training?
  • How many cyber incidents are reported by our employees, contractors, vendors, partners, etc. even before technology/analytics report them?
  • Has the average time to resolve cybersecurity incidents been reduced post-training?
  • Would refining the processes to measure the effectiveness of our cybersecurity awareness, in turn, also enhance organisational security capabilities? 
• Be ready for incidents: In the ever-evolving world of cyber, it’s unrealistic to imagine an ideal system without incidents. Rather, organisations should strive to create a robust system that can sustain them and continue value delivery, while also proactively addressing and preventing risk. Resilience plays a crucial role for any business to thrive.
• See the “big picture”: Cybersecurity awareness must encompass incident management processes and procedures, along with business continuity, to ensure organisations and their employees understand the bigger picture and where they fit in the value chain. 
• Evolve with industry dynamics: The business environment is dynamic and so is the nature of security around it. As requirements evolve for businesses and security, embracing this change is imperative. The way we safeguard our data today might be irrelevant tomorrow, and the day after could bring altogether new regulatory and compliance requirements. The idea is to keep pace with the changing internal and external political, environmental, social, technological, legal, and economic factors. The C-suite should have an eye for detail and embed that into the value chain.

Addressing risk by empowering people
Cybersecurity and cyber awareness training is a journey of evolution. People are an integral part of it, and our behaviour dictates how the data that we relate to is protected. 

Author

Runa Dalal | Director | emailto:rudalal@deloitte.com