The modern workplace requires proactive cybersecurity | Part 2

This blog miniseries tries to get the point across that a proactive cybersecurity approach is essential for organizations. In Part 1 we discussed with Stijn Jans of Intigriti how setting up a responsible disclosure program can help your IT staff react fast to potential threats, before they become concrete issues.

In this article, we want to emphasize that your cybersecurity is not only in the hands of your IT staff. It is in the hands of every single person who works for your organization. Therefore, a proactive approach at that human, end-user level is a true necessity. We spoke with Vincent Jamin, Learning Consultant for Neo Learning (a Xylos brand), and one of the people behind the mask of Mr. Phisher, the friendly coach of Xylos' cybersecurity awareness program, InviQta.

Some company leaders might find it frustrating that in spite of their investments in technological tools, cybersecurity still depends a lot on individual persons. What would you say?

Vincent: I think that is a very common fallacy in the way of thinking about technology. People and technology always go hand in hand. Workplace technology generally exists to serve people, but there is a pathway for users to follow, in order to really adopt the tools and use them correctly – that also implies using them securely. In other words, there is a learning curve.

But part of learning is making mistakes. And when it comes to security, companies don’t have that luxury…

Vincent: Yes, that is what makes learning cyber secure behavior so tricky. You want learning experiences to be as real as possible without any of the real dangers.

Why is it not enough for an organization to organize a cybersecurity awareness training once every few months, in which you explicitly inform them of the dangers?

Vincent: Formal awareness training and especially repetition do have their utility. However, it is not very proactive. People are potentially exposed to cybersecurity risks on a daily basis. Formal training sessions do not take into account that work reality, let alone the work reality of every single individual who follows the training. So why would they really care?

The solution you need to aim for is one that engages employees repeatedly and that allows them to absorb knowledge in the flow of their typical workday.

You said repetition is useful, but isn’t that also what bores people? You cannot expect mainstream employees to absorb information about security every day, can you?

Vincent: It is good that you drill down on that point. Notice I said “allow them to absorb knowledge in the flow of their typical workday”. It is the principle of ‘just-in-time’ training. Remember how we established that making mistakes is part of learning? For security learning, you need to find a way to let people make mistakes in a safe-but-real context. And when they do, that is when you provide them with the right pieces of information. It is important that you keep the pieces of information small, so that they absorb them well and so that you do not really interrupt their workflow. Being mindful about security risks has to become part of their job in some sense, without costing them any considerable time or energy.

Mr. Phisher of InviQta
The fictional coach guides employees throughout an entire year to be cyber resilient.

I see, like InviQta does, by simulating phishing attacks. In short, why do you think InviQta is such a successful product for customers?

Vincent: That is hard to give a short answer to because InviQta has many layers, like storytelling and gamification. InviQta is actually an entire campaign compressed into a product. But to highlight one aspect, I notice with clients that the fact InviQta measures the cyber secure behavior is extremely helpful. Almost without any exception, customers are blown away to find out how many people get trapped by relatively simple phishing simulations, at the very beginning of the InviQta campaign. Or sometimes, they do expect it, but they are very grateful that they now have concrete numbers to improve on.

Because now they have a target to aim at…

Vincent: Goal setting really works. Many organizations tend to focus solely on trying to minimize the negative effect employees can have on security. It is important of course, but in the digital age things change so rapidly. Today, people work on different devices, in diverse places and contexts. A pure avoidance strategy is not going to cut it. You cannot protect them from everything. Giving them a concrete objective, to score well on a cybersecurity campaign, and encouraging them to see the risks themselves: that makes them and the organization cyber resilient.

So, in conclusion: it really all comes down to proactively including your entire workforce in your security strategy. Correct?

Vincent: That is a good summary. Security is not just the job of the CTO or the CISO. We all use technology, so we are all concerned with security.

Thank you for the interview, Vincent.

Vincent: With pleasure.
