The Numbers Don’t Lie
According to IBM Security’s Cost of a Data Breach Report 2022 calculations, the top five countries and regions for the highest average cost of a data breach are the United States (USD 9.44M), the Middle East (USD 7.46M), Canada (USD 5.64M), United Kingdom (USD 5.05M), and Germany (USD 4.85M).
Not misconstrue this as braggadocios, but the United States has held the number one spot for the past twelve consecutive years. In 2020, Cybersecurity Ventures estimated that the global cost of cybercrime will grow 15% yearly to $10.5 trillion (USD) by 2025. Compare that to their estimated cost of $3 trillion and $6 trillion (USD) in 2015 and 2021, respectively.
Verizon’s 2022 Data Breach Investigations Report (DRIP) says 82% of breaches involved the human element, including social attacks, errors, and misuse, equating to a global cost of $8.6 trillion (USD) counting. Eighty percent of companies who paid ransom demands were victims of follow-on ransomware attacks, according to Continuity Central.
If It Looks Like a Phish and Reads Like a Phish
Phishing emails and texts are the number one factor in data breaches involving the human element. Thirty-six percent of all data breaches involved phishing attacks which have doubled since October 2020. A study conducted by Tessian titled The Psychology of Human Error states that “nearly half of respondents (45%) cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either someone with authority (41%) or a well-known brand (40%)”.
All it takes is one weaponized email, text message, or social engineering phone call to wreak catastrophic damage to an organization’s critical data, financials, and reputation. If you need a great example, at the time of this writing, Uber succumbed to the most unsophisticated security breach involving three of the four statistical reasons mentioned above.
The Time to Assess and Obsess Is Now
The organization must apply the same level of obsession placed on evaluating and critiquing oneself daily in the mirror to assessing and critiquing the current and future state of the cybersecurity awareness of your organizational culture, identifying the deltas, and taking immediate corrective action.
Management at all levels must continuously challenge and critique the status quo and treat the education and development of their culture as a continuous process of continuous improvements and not as an end state. Leaders are constantly challenged to find innovative ways to educate employees and motivate them to be vigilant.
Every Great Cause Needs a Champion
To effectively bring about cultural change, organizations need cybersecurity champions from each business area who consistently engage with their peers and subordinates to communicate and educate the organization’s cybersecurity mission and objectives.
These champions are agents of change who, over time, become trusted resources while closing the communications gap between the IT security department and their business areas.
Messaging is equally vital in fostering engagement and building trust. The messaging must be adaptable to resonate clearly with the intended audience making them more receptive to its intended outcome.
Let’s Start from The Top
Since cybersecurity is everyone’s responsibility and building a cybersecurity-aware culture is leadership’s responsibility, the cause must originate from the top down.
At the leadership level, executive, senior, and frontline leaders must prioritize cybersecurity awareness programs. They must make it clear to everyone in the organization that it is an intrinsic part of the organization’s values and that they are visibly aligned with the mission by setting the example to be followed.
Cybersecurity issues should permeate regular employee discussions and seep into how teams work together at the group level. Non-technical business areas should seek guidance on how they can be more aware of their behaviors in their duties and how that impacts the organization.
At the individual level, employees should be trained to be mindful of the vulnerabilities their behaviors can create and empower them to take the correct action when an incident occurs.
Cybersecurity is about understanding, managing, and mitigating the risk of critical data being disclosed, altered, or denied access. The game is real. The stakes are high.
In the ring of fire where people, processes, and technology intersect, the people are the most valuable and vital assets to the organization. Without them, organizations and their cultures would cease to exist. So, heavily invest in them by cultivating and nurturing a culture of accountability where everyone is empowered to think and act in a manner that demonstrates high levels of ownership.
Creating this culture will produce consistent, powerful, and long-lasting impacts. But the process of getting there is an ongoing journey and not a destination where leadership and everyone else in the organization must continuously work together to create and maintain an accountable and cybersecurity-aware culture.
Nick has over 20 years of combined experience in the public and private sectors aligning cybersecurity strategy with risk management to enable the business and facilitate business growth and success. He is adept at delivering global compliance and cybersecurity solutions across diverse lines of business, threat environments, and regulatory schemes. He holds certifications such as C|CISO, CISSP, and CISM, but his breadth of knowledge and experience in cybersecurity strategy and business operations helps translate complex technical subject matters into executive-level business language and vice versa. His interests lie in driving company-wide adoption of GRC methodologies and ownership of business security through data-driven messages, consistent employee education, and empowering the corporate culture.