The importance of the human factor in information security really came to a head in 2021. News items about ransomware attacks were a daily occurrence. The year is coming to an end and it’s time to look ahead. What can we expect in 2022? Our own Wilbert Pijnenburg predicts which security awareness points in the field of human factor we have to keep in mind in 2022.
1. Arranging cybersecurity insurance might be a challenge
A few years ago, cyber insurance seemed like a fun cash cow for the insurance industry. However, times have changed. The number of security incidents continues to rise and as a result the premiums have also risen. If you want insurance, you must be able to demonstrate that your information security is in order. Technical measures alone have long ceased to suffice. An effective security awareness program has now become a requirement.
A few years ago ticking a few boxes was merely important to show compliance. Now these ticks can suddenly become vital in being admitted to the insurance policies that are an essential part of business continuity for many organizations.
2. Ransomware tops the priority list
More money is currently being made from ransomware than drug trafficking. Not surprisingly, in 2022, ransomware will be on every CISO's priority list. Ransomware will receive attention on both a technical and human factor level.
What attention do you currently pay to ransomware, and do you have this topic on your security awareness calendar in 2022?
3. Working from home and Shadow IT on repeat
Working from home has become an integral part of our society. All subjects related to this must therefore receive the necessary care. Because do we work just as safely at home as at the office? And how do we solve our problems if the IT-solutions don’t work quite as well as expected? Working from home and Shadow IT remain two important themes in 2022.
4. Motivation by Gamification
In Icek Ajzen's psychology model “Theory of Planned Behaviour” Icek explains that behavior is determined by 3 factors: attitude, norm and control. Do you want to make working safely second nature? Then you need to develop a positive attitude and intrinsic motivation. Security awareness is best deployed in a positive way. That’s the best way to avoid resistance within an organization.
Are you interested in an awareness program for 2022? Then make sure that experience, storytelling, gamification, entertainment and fun are part of the deal. Without these elements, your efforts will have little effect and your program will be less successful.
5. Tailor-made awareness programs
When we ask our customers what they want to achieve with an awareness program, we invariably get “behavioural change” as the answer. Even organizations that have done little or nothing want behavioral change.
But before you are ready for behavioral change, a number of basic principles must first be set up. For example, is there someone responsible for security awareness? How often do you communicate about information security topics? Is management involved? Do new employees receive decent training during onboarding?
During 2022 we expect that security awareness programs will take an even more professional approach.
An awareness program depends on the security maturity level of the organization. You cannot just copy the approach of one organization to another. For example, a bank has a different maturity level than the local car dealer.
To better map out where an organization stands and what the most important steps are to get to the next level, we have developed a security awareness maturity model. This model helps you to draw up a suitable customized program.
In 2022 we will launch a number of publications and webinars about the model. So stay tuned!
6. Focus on positive behavior
To change behavior we often use the FUD principle (Fear Uncertainty and Doubt). But research shows that the "social norm" is one of the strongest mechanisms for changing behavior. Humans are herd animals. If we don't know what is expected of us, we first look around us to learn from our environment. How the majority behaves determines how we behave.
By communicating more often, showing what positive desired behavior is and emphasizing that the majority exhibits this desired behavior, behavioral change is easy to achieve.
Let colleagues notify each other that there is a phishing test going on. That's what you want when a real phishing email lands in their inboxes, right? Share how many percent saw the phishing email in time and try to ignore the percentage that did click. Celebrate involved managers, reward desirable behavior, and appoint ambassadors to help you promote safe behavior. If safe behavior is the norm, the rest will follow.
Let's agree that we will mainly visualize positive behavior in 2022.
7. The numbers tell the tale
Many organizations only measure whether employees have participated in an e-learning program. But what does this information say about an effective awareness program?
You want to put yourself in the employee's shoes. How does the employee feel about information security? Is there a positive security culture in the department? Does the employee have sufficient knowledge and skills to perform the desired behavior and is the environment set up in such a way that working safely is possible?
To get answers to this, we developed a security awareness culture scan. The culture scan is based on Icek Ajzen's psychology model “Theory of Planned Behavior”. The model measures 3 factors: attitude, norm and control. Based on these 3 aspects, the organization is mapped out and we draw up a growth plan.
For the coming year, we advise anyone who puts the employee first and wants to go a step further than awareness and training, to use the culture scan.
8. Passwords are a thing of the past
A different password for each account, preferably at least 16 characters, with letters, numbers, capital letters and characters is a thing of the past. Many employees have issues with using safe passwords. In recent years, a secure organization could not do without a password manager. But for 2022, passwordless login is on the agenda.
Microsoft makes it possible to log in to a Windows system without a password via the password-less phone sign-in on the authenticator app. With this Microsoft is taking a first step towards a password-free future. This development optimally supports the employee by providing the technology in which safe working is simple and self-evident.