Dr Christian Reinhardt is the Director of Sales Enablement at SoSafe and an experienced sports psychologist. As an expert in human behaviour, he is aware of the importance of the human factor in cyberattacks. At this year’s Internet Security Days on 10 and 11 September, he will give the keynote speech “Cybercrime Insights – The New Threat Landscape”.
What strategies and measures can companies implement to raise their employees’ awareness of security risks and minimise human error?
In addition to a technical security system that meets modern requirements, a comprehensive cybersecurity awareness training programme is essential. This is not just about imparting knowledge – security must become an intuition for each individual. We firmly believe that people are strong when it comes to defending themselves against cyber threats. In order to make people the most important part of this defence, what is needed is continuous, personalised training in small, easily digestible bites (micro-learnings) based on behavioural science. This learning should be combined with a phishing learning simulation that depicts current attacker tactics. A frequently underestimated factor here is fun: it not only enhances the learning effect, but also has an additional psychological advantage – content learnt with enjoyment can be retrieved creatively. This means that I not only learn how to protect myself from certain emails, but can also transfer the knowledge I have acquired to other emails, issues or situations. That’s why we at SoSafe work with gamification and storytelling elements that make learning more engaging.
Another important part of the security strategy is the development and maintenance of a good error culture, favouring positive reinforcement of learning successes rather than learning through fear. In any company where mistakes are only punished, employees tend to hide these mistakes. If an accidental click on a phishing link is concealed, it aids attackers as they have more time to spread through the system. In a positive error culture, errors are communicated openly, allowing them to be addressed promptly, limiting damage and preventing recurrences.
How can organisations measure and continuously improve the effectiveness of their training and awareness programs in human risk management?
When measuring effectiveness, the same questions traditionally arise, namely: How do I obtain the relevant data? How can I summarise KPIs? How do I interpret the data and what conclusions can I draw from the insights gained? Good awareness programmes offer GDPR-compliant tracking and reporting, meaning that I receive the relevant data directly from the programme. As we are aware of how busy the cybersecurity teams are, we summarise key metrics into overarching risk scores. This means that the most important values are colour-coded and visible at a glance. At the same time, we also offer very detailed reporting that facilitates in-depth analysis and, with one click of a button, provides all values in ISO-compliant format so that the effectiveness can be presented to auditors if necessary.
However, there are also “soft” factors that should not be underestimated: Are employees talking about the training measures? Are “champions” emerging who find the topic exciting and help their colleagues? Are you noticing more locked screens or are you receiving more enquiries about the topic?
What role do regular security clearance checks and audits play in identifying and mitigating human risks in a company?
Around 90% of cyberattacks involve the human factor. Consequently, the human factor is logically considered in almost all relevant regulations, directives and standards.
An external review of security standards also makes sense in this context. However, there is a risk that companies will only take measures in order to pass the audit – comparable to a student who is only studying for the exam. They may pass the exam, but the actual learning objective is missed. The primary goal should therefore be to help employees develop an instinct for safe behaviour, which in turn makes the entire company more secure. Passing the audit is then a positive side effect. At the same time, we need to help companies minimise the effort involved in audits. With this in mind, we have developed our reporting together with DEKRA. One click – one audit.
Thank you very much for the interview, Mr Reinhardt!
All information about this year’s Internet Security Days can be found here.