The human firewall

Issue 2 2022 Training & Education, Security Services & Risk Management

Cybersecurity is now battling a human problem just as much, if not more than a technical one. According to Verizon’s 2021 Data Breach Security Report, 85% of successful cyberattacks now involve a human element. Combine that with the fact that even the very best technology can only thwart about 93% of attacks and that leaves a large hole in an organisation’s basic security hygiene. A gap where employees are relied on to make split decisions and failure to choose correctly puts disaster just a click away.

With cybercrime now estimated to cost more than 6 trillion USD annually, the adoption of cybersecurity training is no longer optional. In fact, a growing number of new regulations now require many businesses to add ongoing education to their security programmes, causing a boom in so-called 'awareness training' programmes.

However, security officers say these generic, one-size-fits-all training systems often fall short, particularly as it relates to delivering a change in online employee behaviour. Without this proof point, what is the true ROI of security training?

“Current training programmes are very one-dimensional because they don’t take the human element into account,” says Marc Leckman, director of IT for Wesdome, a Canadian gold mining company with about 500 users, often in remote locations. “You can’t truly solve the problem unless you account for the fact that people react differently to the same type of threat.”


Challenges in security training

“The weakest link is always people; what I call the ‘human firewall’,” stated Kin Lee-Yow, CIO of the Canadian Automobile Association Club Group (CAA), one of the country’s largest not-for-profit associations. As such, they have thousands of employees across the country, including those in retail stores, call centres, corporate offices and accounting; any of which could be an entry point resulting in a serious breach. “We’ve been focusing on how we increase the level of awareness and education for a while now.”

This 'last mile' frustrates even the most vigilant of organisations. In fact, while this 7% to 15% typical firewall gap may seem small, it leaves a 100% statistical probability that every employee will eventually come across some form of novel threat – be it in an email, chat or weblink. They will not only need to identify it as such but be properly trained on how to best act upon it.

This presents a need for security professionals to further buttress their efforts at embedding a sustainable security-aware culture among employees. This has led to a growing demand for ongoing educational programmes that rely on behavioural science to measure and manage cybersecurity risk as a distinctly different solution from generic, one-size-fits-all training programmes. Instead of just putting a check in the training box, these programs focus on training the right person at the right time about their specific risk profile to generate and sustain a change in behaviour.

It wasn’t until Lee-Yow discovered this new breed of cyber-training that he realised the issue was solvable. By utilising machine learning to develop a customised approach for each employee, CAA Club Group could then correct key motivating factors that drive underlying online employee behaviour. This greatly reduced the chances of an employee becoming the victim of a cyberattack that could devastate a company’s reputation, not to mention its bottom line.

Changing behaviour, increasing mindfulness

“We are now attacking it from a completely different angle,” says Leckman. “Beginning with the personalised risk assessment provided by cyberconIQ and their accompanying dashboard, we can ascertain the risk makeup of our employees and strategically plan our next investments based on those results.”

CyberconIQ pioneered the merging of psychology and technology to measure and manage cybersecurity risk. The company’s assessment, training and education have proven to reduce the risk of a successful attack by 45% to 90%. This creates a measurable ROI on security executives’ training expenditures.

“I liked the fact that every employee is given a 40-question assessment, kind of like a Myers-Briggs personality test,” says Lee-Yow. “This gave us a tool that assessed every individual from their own risk standpoint and from there we could show them how to better protect themselves. And going one step further, how to create good online habits.”

Lee-Yow concedes that good habits are not formed overnight, which is another reason he has found the ongoing education – which includes delivering new materials regularly – and simulation drills to be an effective departure from generic training programmes he has used in the past.

“We can actually measure improvement,” says Lee-Yow. “For example, we conduct regular phishing tests and if someone fails, we can follow that up with a programme that reinforces and rejuvenates that employee on best practices.”

CAA Club Group has been using the education assessment and training programme for over a year now and Lee-Yow has been pleased by the results.

Cybersecurity ROI

Wesdome, on the other hand, is still in the early stages of its personalised cyber-training journey. Leckman was looking for a consulting partner who could first help him determine his existing corporate risk profile. After this assessment was complete, he was able to demonstrate to his executive peers and the company’s board of directors that improving their cybersecurity practices was critical.

“From a director standpoint, breaking down the results of that assessment showed me where we were at a higher risk, where we had lower risk and where our budget was best spent,” explains Leckman.

This ability to measure risk-adjusted ROI on improvements in maturity is compelling for those who control budgets and spending, ensuring cybersecurity improvements are targeted appropriately for additional funding. For Wesdome, the key was finding something that was going to deliver a return on their investment. Not in the form of an immediate payback, but instead from the long-term opportunity costs associated with reducing the threats to which they are exposed.

As part of that, both Leckman and Wesdome have decided to further enhance security measures and thus lower their risk profile, by utilising cyberconIQ’s risk advisory team.

“When the massive amount of costs, compliance and other aspects of an attack are taken into account, it is obvious that personalised intervention is what the industry needs,” concludes Lee-Yow.

Time is of the essence on addressing these matters given the constant escalation of new threats and new techniques being deployed to hack and attack organisations globally.

Given the huge global shift in working and learning remotely, combatting situational distractedness should now be a critical component of any security awareness training. Knowing what to do to avoid risk and successfully applying that tactic when an actual threat appears is the key to keeping an organisation and its employees safer online.

“We are all human. We all make mistakes,” Lee-Yow said. “However, we believe that mistakes can be greatly minimised with the proper employee education and effective follow-up.”

Find out more at https://cyberconiq.com/




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

The deepfake crisis is here and now
Information Security Training & Education
Deepfakes are a growing cybersecurity threat that blur the line between reality and fiction. These AI-generated synthetic media have evolved from technological curiosities to sophisticated weapons of digital deception, costing companies upwards of $600 000 each.

Read more...
CCTV control room operator job description
Leaderware Editor's Choice Surveillance Training & Education
Control room operators are still critical components of security operations and will remain so for the foreseeable future, despite the advances of AI, which serves as a vital enhancement to the human operator.

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...
Strong industry ties set Securex South Africa apart
News & Events Training & Education
Securex South Africa, co-located with A-OSH EXPO, Facilities Management Expo, and Firexpo, is a meeting place of minds, where leading security, safety, fire, and facilities professionals come together, backed by strong ties with the industry’s most influential bodies.

Read more...
Rewriting the rules of reputation
Technews Publishing Editor's Choice Security Services & Risk Management
Public Relations is more crucial than ever in the generative AI and LLMs age. AI-driven search engines no longer just scan social media or reviews, they prioritise authoritative, editorial content.

Read more...
How can South African organisations fast-track their AI initiatives?
AI & Data Analytics Security Services & Risk Management
While the AI market in South Africa is anticipated to grow by nearly 30% annually over the next five years, tapping into the promise and potential of AI is not easy.

Read more...
Efficient, future-proof estate security and management
Technews Publishing ElementC Solutions Duxbury Networking Fang Fences & Guards Secutel Technologies OneSpace Technologies DeepAlert SMART Security Solutions Editor's Choice Information Security Security Services & Risk Management Residential Estate (Industry) AI & Data Analytics IoT & Automation
In February this year, SMART Security Solutions travelled to Cape Town to experience the unbelievable experience of a city where potholes are fixed, and traffic lights work; and to host the Cape Town SMART Estate Security Conference 2025.

Read more...
Gallagher Security expands Digital Badge Programme
News & Events Access Control & Identity Management Training & Education
Following a successful launch and roll out across Australia and Papua New Guinea in 2023, Gallagher announced its Digital Badge programme is now available to channel partners and end users across the rest of APAC IMEA.

Read more...
Stallion repositions itself as a services provider
News & Events Security Services & Risk Management
Stallion has rebranded as Stallion Integrated Solutions to reflect its expanded capabilities beyond traditional security services to delivering integrated solutions that enhance safety, asset management, and operational efficiency.

Read more...
Seven tips to help ensure your backup batteries work
Power Management Security Services & Risk Management
Load shedding is back, officially or not. Lance Dickerson offers seven tips to prolong the life of your power backup systems and ensure they perform as intended when needed.

Read more...