Enterprises with mature cyber practices are still deeply vulnerable to one thing: human behavior. The human element is most organizations’ greatest cyber risk. Just as people are the center of an organization, people are at the center of cybersecurity. Unfortunately, the current approach to addressing human cyber-risks is often to force employees through generic training that goes in one ear and out the other.
Instead of endlessly trying to train employees to refrain from clicking on that sketchy link, what if we better understood how they approach these kinds of risks?
Understanding an individual’s relationship to risk is a powerful tool for cutting off phishing and its costly consequences at the source.
Are you one to make a detailed plan and stick to it? Does it bother you when others deviate and don’t do things the correct way? If presented with a mysterious big red button of unknown function, would you press it? As a “Risk-Breaker,” if it’s not in the plan and only serves to invite more chaos into your life, you probably won’t choose to press it. Maybe sometimes you wish you weren’t so much of a perfectionist, but it’s undeniable that you’re a great organizer and you make sure things get done right.
The Risk-Breaker might seem like an enterprise’s preferred risk profile, but it’s important to understand that each risk style has its own benefits and drawbacks. While working on a project, a Risk-Breaker may get caught up in carefully following a detailed plan and become susceptible to a phishing attack from someone posing as their boss and requesting urgent action. Understanding your risk profile and blind spots is an important step in improving mindfulness around risk-based decisions.
Cybersecurity education geared specifically to the risk profiles in your organization will not only help you avoid ransomware attacks; it will also help employees think twice before clicking that spam email at home. If your company’s phishing test click rates are above 2%, you are taking on too much risk. A style-aligned cybersecurity education is the answer.
ISG and cyberconIQ are partnering to offer an innovative, style-aligned education so we can all play a stronger, mindful role in cybersecurity. Continue following ISG and cyberconIQ during National Cybersecurity Awareness Month for more information on how training that targets specific risk profiles can benefit your organization. Contact us to find out more.
About the authors
Doug Glair is a Director in ISG’s cybersecurity practice. Doug is a cybersecurity and supply chain leader with a remarkable background in leading, designing, and operating large enterprise-wide cybersecurity and supply chain programs. He is an exceptional relationship builder and collaborator with a proven ability to deliver improvements in cybersecurity risk posture using established standards, industry-leading practices, and ROI-driven controls.
Dalton Cravens is an Analyst at ISG.