Cybersecurity: It’s a Behavior Change Problem

By Cathy Quon, Chris Harper, Kim Lewis and Sapna McCarthy

Let’s take a quick quiz…

Question: What was the go-to method for hackers in 2015?

Answer: Phishing with malicious attachments

Question: What was the “way in” for 2/3 of successful cyber-espionage attacks?

Answer: Phishing and establishing a presence on user devices

Question: If a hacker sends a phishing email to 10 employees, what are his/her chances of getting into the company network?

Answer:

Chris Harper – Emerson Associate Director Here’s the thing. Most of us think of cybersecurity as an IT problem.

Sapna McCarthy – Emerson Consulting Manager But cybersecurity is actually a behavior change problem.

Kim Lewis – Emerson Client Director And your people are your first line of defense.

“The best technology on the market won’t help you if the bad guys get to your people.” – Mark Stone, CIO, Texas A&M University System

John Wondolowski – Chief Technology Officer, CMI Well, it’s turned out to be one of the most important attack factors for the bad guys to go through employees’ behavior that they can exploit. Most studies, in fact just about every study, has found that over half of the root causes of security breaches in the last couple of years are due to employee actions.

Cybersecurity is an IT problem. Cybersecurity is a behavior problem.

Cathy Quon – Emerson Vice President Did you know that since 2004, October has been declared the national cybersecurity awareness month? That there’s a huge push from the Department of Homeland Security to get all citizens of the United States, businesses, and government agencies involved in making people aware that it’s all our problem to make sure that we are taking the right actions.

Your people are your first line of defense.
But changing people’s behavior is hard.

Sapna McCarthy – Emerson Consulting Manager Changing behavior is hard. Communication and training alone won’t cut it. Think about how many training classes you’ve been to where you’ve forgotten 50 percent or 70 percent of what you’ve learned a week later.

Kim Lewis – Emerson Client Director We’re naturally hard wired to stay in the familiar. And honestly people aren’t going to change until there’s enough pain to change.

Economists and behavioral scientists find people make big changes only when confronted with painful situations.

Cathy Quon – Emerson Vice President Well, how are you going to make them feel the pain?

Chris Harper – Emerson Associate Director The first way is to scare people.

Make people feel enough pain to change:

  1. Scare them.

Cathy Quon – Emerson Vice President You might want to remind them what happened at Target and Sony and all the issues that went around that in terms of employee issues, customer issues, and trust issues.

Make people feel enough pain to change:

  1. Scare them.
  2. Use real-world examples.

Chris Harper – Emerson Associate Director So if someone in your company let a threat get by them, ask for permission to share that story. And then you need to get personal.

Make people feel enough pain to change:

  1. Scare them.
  2. Use real-world examples.
  3. Get personal.

Chris Harper – Emerson Associate Director So for employees, you might want to relate this to, say, identity theft. It’s something that’s familiar to them and they can link on to it.

Cathy Quon – Emerson Vice President Exactly. So if you want people to change behavior, you have to break it down into really small steps so they can practice that muscle.

Sapna McCarthy – Emerson Consulting Manager Have you ever done that exercise where you cross your hands like this and if you do them the other way? It feels weird.