The KnowBe4 African Cybersecurity & amp: Awareness Report 2023 found that one out of three employees are likely to click on a suspicious link or email or comply with a fraudulent request. Several other studies further support that human error is responsible for more than 90% of data breaches. It is not surprising that the phrase ‘humans are the weakest link in cybersecurity’ has gained popularity.
Awareness is concerned with knowledge and understanding. When the focus is solely on security awareness, the outcome simply is that people are aware of what they should and should not do. There are however several examples where awareness does not translate to a change in behaviour.
Consider smoking, eating unhealthy food, or speeding, in all three examples, most people are aware of the potential risks and dangers of these activities, but for various reasons, they choose to do it anyway. Could it be that the potential impact of cyber incidents are not well understood, or do people simply not care enough because cyber incidents have been dehumanised?
Security leaders must shift from cybersecurity awareness to developing a cyber-resilient and risk-aware culture. This can be achieved by segmenting users based on risk. Awareness messages should be tailored to different stakeholder groups, and relevant stories and case studies must be used to make messages practical and relatable. Senior leaders must regularly reiterate the importance of cybersecurity to the organisation, and end-users must be encouraged to report cyber incidents without fear of repercussions.
Exploring the link between employee wellness and a strong cybersecurity culture is important as well, as stress and multitasking have been found to contribute towards users falling for social engineering scams, in addition to an overall lack of cybersecurity awareness. Shifting from security awareness to a security-aware culture is imperative.