I just finished reading PwC’s latest Workforce Pulse Study – and you should be scared. This study of more than 1,100 American workers provides an in-depth look at the cybersecurity-related awareness levels and behavior patterns of American workers.
COVID-19 Highlights the Cracks of Old-School Security Awareness Approaches
A typical mantra uttered by most security leaders is “security is everyone’s responsibility.” Unfortunately, the PwC study shows that this message isn’t being taken to heart—a shocking 75% of survey respondents seemed to live in blissful ignorance of the difficulties and limitations their employers face in securing employee personal information. And these workers are likely also oblivious that their personal data is of interest to cybercriminals.
That lack of employee personal responsibility and investment in cybersecurity is what makes this next set of findings so worrisome. Here’s the quote that really got me (emphasis is mine):
“Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information.
Less than a third say their employer provided devices so they could work outside the office without having to use their personal devices. And only 23% say their firm provided a compelling case for why employees need to have good data security habits.”
What We’ve Got Here is Failure to Communicate
There’s clearly a disconnect somewhere. I’ve been actively involved in the security awareness community for a long time, and I can confidently say that security leaders now “get it” more than ever. And – more than ever – I’m hearing about how security leaders are attempting to be proactive with their programs. This disconnect reminds me of the types of communication issues that plague all human relationships. Security teams and employees are like partners in a marriage who continually misinterpret each other or don’t see each other’s needs despite having the best of intentions.
The report contains other information related to how different generations approach security. Not surprisingly, employees work around security controls for a multiplicity of reasons. They download unapproved apps because they believe the app can help them be more productive. And Millennials and Gen Z workers raise even more risks by using work-issued equipment for personal tasks – including letting friends and family members use their work computers for gaming, online shopping, and web browsing.
But of all the things I read, THIS is the most disheartening: employees fear retribution if they raise a security risk. The survey reveals a critical failure in security culture and messaging. We’ve all heard and used the saying, “See something. Say something.” Here’s the sad part… of the nearly 1,100 survey respondents, only 24% believe they can raise a security issue without fear of reprisal. Clearly something is broken.
What Should You Do?
PwC’s lead-line for this study is, “It's time to adopt a cyber-savvy culture.” I wholeheartedly agree. It’s time for organizations to approach security awareness differently. Information-based awareness will always fall short of aspirational goals. Why? Because human nature overrides mundane facts. If there is emotion involved, then logic goes out the window. And if an employee feels inconvenienced by a security control, then they are likely to bypass that control whenever possible.
I codified these failings in what I refer to as the “three realities of security awareness”:
- Just because I’m aware doesn’t mean that I care.
- If you try to work against human nature, you will fail.
- What your employees do is way more important than what they know.
You’ll experience success as soon as you approach your program with these realities in mind. Create meaningful interactions with the information you need to communicate. Implement policies, controls, and technologies that work with human nature rather than against it. And embrace a behavior-based approach wherever you can. Be intentional with your tone and process. And remember that each individual in your organization is influenced by the coworkers and culture around them. That means that you absolutely must measure and proactively manage your security culture.