Anna Collard, Senior Vice President of Content Strategy and Evangelist, KnowBe4 Africa.
Organizational culture and behavior change are critical to ensuring cybersecurity in organizations, says Anna Collard, senior vice president of content strategy and evangelist at KnowBe4 Africa.
Speaking during a webinar on cybersecurity awareness and culture in South Africa, Collard said there is room for improvement in cybersecurity culture and that organizations need to focus on inspiring behavior change in their ranks.
Collard said the ITWeb/KnowBe4 survey of South African cybersecurity culture found that cybersecurity culture is important to most respondents. In the survey, 72% of respondents said they were currently running a security awareness and culture program, and 28% were not. Just over a third (35%) do not measure their security culture program. Those who do measure it look mainly at indicators such as phishing simulation results and incidents reported by end users.
Half have seen an increase in social engineering attacks over the past 12 months, and 55% said they receive more reports of users being targeted on mobile phones and chat apps.
“This is in line with a larger Forrester survey two years ago in which 94% of respondents said a security culture is good for business. But in this survey, we asked how they would define a security culture, and found that there are many ideas about what a security culture means. Respondents’ views on what constitutes a security culture ranged from levels of compliance to user behavior and security awareness.”
Defining a culture of safety remains a challenge, Collard said. “When our perceptions are different, it’s very difficult to measure and control a culture of security.”
During a poll of the webinar participants, one question was: “How would you define the culture of security?” Respondents selected “Awareness and understanding of security” (5%), “Level of compliance” (2%), “Sense of responsibility and responsibility for security” (16%), “People’s attitude to security” (11%) and “All of the above” (63%).
Collard said “all of the above” was actually the right answer.
“There are seven accepted criteria of a security culture that can be measured: attitudes, behavior, cognition, communication, compliance, norms and responsibility,” she said.
In December/January, KnowBe4 conducted another end-user survey in eight African countries. The results, presented in the KnowBe4 2021 African Cybersecurity and Awareness Report, showed that in South Africa 23% said they were affected by cybercrime while working from home, but only 34% were very concerned about cybercrime.
Among those affected by cybercrime across Africa, 33% fell victim to social engineering, 13% had their accounts hacked and 11% reported viruses. In South Africa, 34% of people affected by cybercrime during the pandemic fell victim to phishing, and 17% had their accounts hacked. Investment fraud, tender fraud, internet theft fraud, vishing and cryptocurrency scams were also reported. 48% of respondents said they were aware of their role and responsibilities in security, 29% said they had received adequate training in cybersecurity, and 39% said they could recognize a security incident. However, many did not know what a ransomware attack or two-factor authentication was.
“Awareness is not enough – people need to change their behavior, and organizations need to equip employees so they can do the right thing,” Collard said.
Changing security behavior
“It is really difficult to change people’s behavior. As humans, we are lazy, social, creatures of habit, and we don’t really like change. We need behavioral interventions to move people from awareness to intention, to actual change in their behavior,” Collard said. IT may be tasked with awareness and behavior change, but may not have the background to consider the psychology of change.
“Most of us are in the ideal zone in terms of a culture of cybersecurity – we support policies and more often than not we do the right things,” she said.
However, distractions can make it easier for people to fall for phishing emails, even if they are aware of the risks of phishing. KnowBe4 found that the majority of people (53%) who clicked on phishing links were busy or multitasking at the time.
“One of the main reasons we fall for social engineering attacks is that we are not present and we are not in a state of critical thinking. We have tools constantly running, several meetings and the family talking to us. This can lead to loss of attention. Cognitive overload can cause errors.”
“While most employees are trying to do the right thing in terms of cybersecurity, 15-20% of employees fall into the zone of negligence, many are also in the zone of reluctance, and less than 1% fall into the malicious zone,” she said.
Collard said engaging and motivational programs are needed to change behavior in organizations.
Collard said BJ Fogg, the “father of behavior design”, says that behavior changes when three things happen at the same time: motivation, ability, and a prompt to perform the behavior. This can be applied in the world of cybersecurity by making it personally interesting and relevant, using leaders and socially influential people, stories and emotions, the power of positivity, and games and gamification. The content should be as easy to digest as possible, she added.
The “ability” behavior change component includes tools such as on-the-fly training and realistic simulations that make reporting easy, and providing users with tools such as a password manager, home security software licenses, and training for children and the elderly at home.
Prompts should ideally be voluntary, not coercive. “Find creative ways to bring prompts into the workday. If you are working on programs to change culture and behavior, you need to focus on motivation, ability and prompts,” she said.