Traditional security awareness is not enough to battle online cybersecurity threats

From: FinTech Global

The world is focused on battling online threats with new technology. However, good defence requires not only teaching employees to be more aware of their online behaviours, “but actually driving them to change their online behaviours to be more secure,” according to Mike Butler, co-founder and CTO of Think Cyber Security.

Cyber criminals are constantly adapting and evolving their methods, finding new ways to get past systems and a business’ security. When a company fixes one vulnerability, criminals are bound to uncover another pretty quickly. It’s a constant battle, which is unlikely to disappear. A recent study from Gartner even stated it expects the total spend on information security products to reach $124bn by 2022. Unsurprisingly, it also claimed that companies have increased their cybersecurity budgets by an average of 141% between 2010 and 2018.

There is clearly a need for companies to be pumping funds into their cyber defences; however, technology is not the only answer to stopping the criminals. A company’s staff play a very important part in the security of a business, but they are often considered to be the weakest link. Multiple studies have found that as many as 90% of data breaches are caused by human error including by insurer Willis Towers Watson, and similarly, a report from Kaspersky Labs found in its study that 90% of cloud data breaches were due to attacks that target employees.

A company can have strong security and firewalls in place, but if employees are still unaware of risky behaviour, a business is still vulnerable. The risk humans pose to companies has not gone unnoticed. A survey from Infosys of 867 senior executives across 847 firms, revealed that the lack of security awareness of staff was their second biggest cybersecurity concern, with 76% of respondents stating their concern. Attacks from hackers was the only threat to receive more worry. Despite the clear need to improve staff knowledge in relation to digital threats, there are very few companies looking to change employee behaviours.

Think Cyber’s Mike Butler said, “In practice, no solution and particularly no technology can be 100% effective all the time. Your people are the last line of defence and they’re always going to be the ones who are there at the end when all the other defences have failed. It’s just part of any sensible kind of layered defence. You want to do a mix of things. You want to invest in some technology, but you also want to think about the human interaction and how you can influence your people to behave securely.”

Companies solely relying on technology are bound to run into problems. Technology can become outdated pretty quickly, forcing companies to bolster their solutions or implement new tools. This costs a lot of money, and for a small business, that isn’t always easy to get. However, encouraging secure behaviours and making employees more alert to risks can stop issues missed by technology and could potentially save cash. The problem is, there are not many solutions available in the market which help to improve staff behaviour and the ones which are available, are pretty limited, Butler said. This was one of driving factors that led to Butler and fellow co-founder Tim Ward to create Think Cyber at the end of 2016.

He said, “we wanted to create a platform that we thought would actually make a difference to the security risk from the human side.” There were a few tools in the market which were trying to improve the human-risk within cybersecurity, but Butler felt, in his experience as a global head of infosec, they were not achieving much. “The first generation of security awareness solutions were primarily computer-based training systems, which a company would put their staff through annually, to meet compliance”, he said.

“A second generation, which is where the majority of the market is currently, are richer tools and simulations, such as phishing tests. These are better at showing people risks online but don’t change their behaviours across the breadth of security risks. These types of services also struggle to engage the customers to finish or remember what they are told.”

Next generation security awareness

Think Cyber hopes to be the third generation, offering technology which actually changes the behaviour of staff, so they actively avoid risks. Butler said, “Ultimately human risk is behaviour based, so if you can change behaviour, you can reduce that risk. Information security is about managing risk.”

Think Cyber aims to improve the cybersecurity of businesses by changing how their employees behave, making sure they avoid typical pitfalls that lead to data breaches. The technology offers  real-time, context aware-guidance, which highlights areas of risk for users and helpfully “nudges” them to improve their interactions with business systems – at the point of risk. The platform, Redflags™ can also give real-time alerts on incidents happening, as well as, drip-feeding relevant tips and security stories.

The company doesn’t bombard employees with information and complex explanations of conduct, as that would be counterproductive. Butler said, “if what you’re asking them to do is too difficult, it just doesn’t happen.” To ensure an employee does take note of what is being said, the information needs to be straightforward, give the user motivation for doing it and provide the advice at the right time. The aim of the platform isn’t to make everyone experts in security, because at the end of the day “security isn’t most people’s primary job.” The trick is just making them more aware when they need to be.

“When we started the business and worked with academics on our Innovate UK funded research projects, the message that really resonated with us was, that just because we understand how all these attacks work and how to spot phishing, most people don’t, and they probably shouldn’t spend a lot of time thinking about it.”

Working out how to engage with employees at the right time, but not being overbearing and annoying was one of the major challenges the company faced when building its platform and also the subject of their InnovateUK research projects. “The behavioural science was very clear – behaviour change requires timely prompts.” This was why the company chose to give employees helpful advice at the point of risk, when needed. The issue with swamping employees with advice is that they are likely to become annoyed and ignore it, or it risks interfering with their daily tasks. People need to have the ability to stop advice coming through and chose when to engage.

One of the other aspects Think Cyber took into account when building its solution, is to not overburden companies. Think Cyber looks at everything in terms of campaigns, so instead of trying to fix everything at once, which is often a disaster, it engages with clients and finds out what their biggest risks are, Butler stated. This way, a company can prioritise their training, whether its boosting awareness of phishing, lost laptops or removable technology like USBs. It also stops users being overwhelmed and trying to change all aspects of their behaviour at once.

Working with Tesco Bank

Tesco Bank turned to Think Cyber to improve the cyber awareness of their employees, having chosen to move away from traditional modular/compliance-based training.

“Tesco Bank saw our product as offering a completely new way to engage staff on security topics. During a pilot of 100 colleagues, 88% of staff said that they preferred the Redflags approach to learning compared to the more traditional method of delivering cyber awareness”, said Butler.

Tesco Bank and Think Cyber were introduced through a network of cyber security companies that Think Cyber had built through their involvement in the UK government’s cybersecurity accelerator programme LORCA. After an introduction to the Tesco Bank CISO, the founders of Think Cyber worked closely with security awareness practitioners which led to a pilot test of Think Cyber’s Redflags™ product.

During the pilot test, Think Cyber engaged with the bank to explore specific kinds of behaviours and risks they were experiencing and the certain procedures they wanted their staff to follow. After the trial, the CyberTech company got positive feedback from Tesco Bank staff on the user acceptability of the solution.

The initial trial deployment at Tesco Bank not only helped boost security awareness for colleagues but also saved them time, as Butler notes “It removes inertia and stops the staff from having to take time out of their day to log into a computer-based training platform to do some kind of security awareness.”

Instead, the technology pushes advice messages out proactively, helping colleagues improve their behaviours, whilst having a limited impact on their ability to deliver their day jobs.

Following the success of the pilot, Think Cyber have now commenced full deployment. Tesco Bank has expressed interest in more advanced behavioural nudges provided by the Redflags toolkit to further drive secure behaviours. Think Cyber very much hopes that the partnership can extend further, and the two businesses can work on more initiatives in the future.

Think Cyber was recently named in the CyberTech100 2020 list, to check out the full list click here: CyberTech100

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.