People are the most critical vulnerability in any organization

In this digital era, organizations have world-class cyber security tools and certified, experienced professionals to manage the technology and safeguard against data breaches. Despite adequate security controls and enforced IT security policies and procedures, we still see organizations compromised by cyber attacks. The products are great; they solve the most complex cyber security challenges that any industry has today. Service providers augment capabilities by supplying expert resources to manage cyber risks through an outsourcing model. Organizations have well-defined processes, incident response playbooks and tabletop exercises. IT security leaders conduct rigorous vulnerability scans across critical assets and perform effective patch management. They spend enough time on internal and external audits to ensure they comply with regulatory requirements and security frameworks.

But still, they get compromised – WHY?

Cyber security is not purely a technology issue; it's also a HUMAN issue.

Every organization has the opportunity to learn from its security incidents. While performing root cause analysis, organizations often fail to dig deep enough to identify the human element associated with the incident. For example, your employees may be victims of social engineering attacks, or they might have shared credentials that are used to secure sensitive information. In recent years, organizations have run phishing simulation tests with their employees to gauge the level of security awareness within the organization. Organizations focus largely on the technology components as the security control gap, and many vendors try to sell their hardware, software and licenses. Endpoint security products are the biggest market, with many security controls such as credential protection solutions, antivirus and malware defense, data loss prevention, host firewalls and intrusion prevention, device encryption, browser isolation, application whitelisting and many more.

The human element within an organization receives less focus, has limited budgets, is poorly planned and is not treated as something to secure, compared with endpoint security technology investments.

Humans are the most vulnerable element and become the primary attack vector.

Yet organizations fail to understand this and, in most cases, do nothing to secure people.

Security awareness programs help reduce HUMAN cyber risks

Corporate security functions are familiar with the commonly used risk calculation formula:

Risk = Vulnerabilities x Threats x Impact

During these COVID-19 days, we all know how to reduce vulnerabilities: maintaining social distance, washing hands regularly, using sanitizer, eating foods that boost immunity, buying health insurance policies, wearing masks and many more. All these measures are taken not to eliminate risk, but to reduce it to an acceptable level. A security awareness program does the same by helping reduce risks to an acceptable level. Most organizations conduct security awareness through mandatory online training programs, presentations, posters, etc. Enterprises need to identify and manage the top human risks that exist at that point in time. An effective security awareness program should cultivate the behaviors, attitudes, perceptions and beliefs towards information security needed to manage those risks. Situational security awareness based on the employee's role in the organization helps them acquire insights that generic computer-based training programs do not. For example, the human resources function may deal with employees' personally identifiable information (PII) and the procurement function may deal with credit card information (PCI), so a custom-developed program that addresses the top human risk elements at that point in time would be more appropriate.

When employees acquire security knowledge by stepping into the driver's seat to create and then respond to common attacks like phishing, social engineering and malware, they apply a hacker's mindset, which provides an immersive, role-based experience, while the technical content and security behavior provide visibility into the types of data and attacks that could be relevant to the organization.

The hormone dopamine plays a role in how we feel pleasure. It's a big part of our unique human ability to think and plan. It helps us strive, focus, and find things interesting. A security awareness reward program in the enterprise, with personalized scores, motivates employees to change their security behaviors.