General thoughts

Cybersecurity awareness: Keeping your company safe begins at home
Oct 13, 2021

Paul-Arthur Jonville
According to Verizon's and IBM's annual breach reports, 85% of breaches involve a human element. Employees are both the organization's weakest link and its first line of defense.

How many times have you sat next to someone on a train who was "unaware" of the sheer amount of information on their screen? Or walked past a laptop left open and unattended? Too many times, I'm sure.

Employees need to understand that they are cybercriminals' preferred targets because, from the attacker's point of view, they are the most straightforward way in. Most of the time, employees already have access to the information the attacker wants, and manipulating a person is easier and cheaper than finding an exploit. Even basic attacks like spear-phishing are growing sharper and more believable than the usual mail from amaz0n.ng.

Cybersecurity exists to protect the systems and data that breaches put at risk. As threats and attack surfaces grow, the people behind the screens in security operations receive more and more alerts.

However, employees often think cybersecurity exists solely to make their jobs harder and is not part of their job at all. Yet the link between their behavior and security is real.

So, besides continuously strengthening the architecture to adapt to evolving threats, one way to increase efficiency would be to educate employees. You have to make them understand their cybersecurity roles and responsibilities. This is cybersecurity awareness.

To us, there are numerous points to address when talking about security awareness in organizations:

  • Even though cybersecurity is at the core of every business today, its efficacy is dramatically hampered without a sense of security awareness in a given organization;

  • This is why you should, if not already done, build a culture of security in your organization;

  • Security awareness and Security operations have to work hand in hand to achieve success;

  • Ultimately, a mature and intelligently built security awareness culture increases the impact and efficiency of Security Operations.

Cybersecurity is inefficient if it's not a part of the work culture

According to the CISA, cybersecurity is about protecting networks, devices, and data from unauthorized access or illegal use and ensuring confidentiality, integrity, and availability of information. Its implementation is usually based on the following three elements:

  • Knowing what needs to be protected - and why - by identifying critical information assets;

  • Knowing what threatens those assets, by developing in-depth knowledge of the risk environment;

  • Protecting information assets for as long as they exist by creating protection strategies and mitigation plans.

However, as said above, the central element of every cybersecurity plan is often the one on which security professionals have the least influence: humans. Far too often, security initiatives fail not because of the technology but because employees see cybersecurity as a separate, closed field within their enterprise.

This can seriously impede all efforts. Your teams could put all their effort into hardening the firewalls; it is rendered useless if one employee sets their password to 1234. Even with two-factor authentication enabled, what if an employee doesn't lock their smartphone and loses it? The examples can be multiplied to infinity.

To succeed in implementing new technologies in your cybersecurity architecture, you must inform people what's in it for them and how they can help. Cybersecurity can benefit employees in numerous ways, such as a safer and more productive work environment, avoiding the fear of personal information being stolen and misused, and ensuring business survival.

This is what the concept of security awareness sums up: the understanding that a risk or situation exists, and how people perceive it.

To that end, you need to shape beliefs and attitudes about security and guide employees to adopt behaviors that support cybersecurity. Doing so should help motivate them and help them understand how they can benefit from improved cybersecurity across the organization.

Build a "security culture" in your organization

Since almost every task employees perform in today's organization relies on technology and can be exploited, cybersecurity awareness should be an everyday part of the business, and it must apply to everyone in the organization. Every link in the chain matters, so take a holistic approach to security awareness: no one can be left behind. Everyone should learn that the first risk is the humans in your own house. To that end, implement security programs that instill a culture of security and raise awareness among your ranks.

Such programs would manage human risk through a four-step strategic process:

  1. Identify the organization's top human risks;

  2. Define the key behaviors that would reduce those risks;

  3. Communicate to, train, and engage your workforce so they adopt these behaviors;

  4. Measure the ongoing improvements.

One helpful remark here: modern management has something right when it says that learning new things, especially complex ones, should be fun. So keep it playful and short.

Employees tend to have a rather distant attitude toward security protocols. They are often viewed as malware nests or spam clickers, while security teams see themselves as the lone sentinels of doom cleaning up employees' messes (that's not entirely wrong, if you allow me! But these are the moments when diplomacy is necessary). Still, establishing a solid security culture requires moving people's attitudes from resentment to understanding, compliance, and cooperation.

Have a top-down approach. Start from the top of your company: top-level employees have to show the way. Attitudes about security won't change if people think some can avoid what they see as burdens on their operations. I know executives are often the least cooperative about changing their habits, but this is how policies become most deeply internalized.

You're here to educate, not to impose harsher rules for their own sake. The hard way often seems faster, but faster doesn't equal better. Educating means helping employees understand what's at stake; nothing prompts behavioral change like understanding the reasoning behind the desired behaviors. For employees, understanding how data security affects their personal lives and the lives of their loved ones can generate the aha moments that drive positive security behaviors.

Make employees responsible. How employees perceive their role is a factor in sustaining or endangering the organization's security. If they feel data security is the sole responsibility of IT, they will never fully understand their own role.

Cognitive empathy is critical. The technical community often dismisses security awareness because its members already know the risks; some even use privacy filters on their screens and encrypt their drives with VeraCrypt. To them, awareness training seems redundant, whereas most regular employees would be shocked to learn the means attackers use to breach their company. Again, cybersecurity is everyone's business, and a well-trained, security-aware workforce is a robust line of defense.

Combine different techniques to achieve your goals. Hard and soft regulations are both applicable. Don't crowd your teams with endless rules; use other means too. Nudging is increasingly used to influence behavior, and positive reinforcement, like congratulations or positive feedback, often delivers better results than harsher rules. For instance, instead of shaming employees who click on a phishing mail, take the opposite path and celebrate an "Employee of the Month" among those who pass the phishing tests.

Once the top risks are identified, find the key behaviors linked to them. For phishing, it would be the "5 seconds rule": is this mail consistent with the ones I've received from the same person? What is the exact sender address? Of course, spear-phishing is harder to decipher, but simple checks like these would save you a lot of alerts, trust me. The same goes for credential theft. Most of the time, it comes down to a handful of causes: a weak password, a common password shared between personal and professional use (which grows as BYOD grows in a corporate world friendlier to remote work), or shoulder surfing.
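To make the "5 seconds rule" concrete, here is the same check written as code. This is an added example, not part of the original post or any product: it asks the two questions above of a mail's From: header (have I seen this exact address from this name before, and does the domain merely look like one I know), plus two cheap extras a practitioner would add, a Reply-To pointing to another domain and a display name that is itself an email address. The sender history, the sample messages and the function names are all constructed for the example.

```python
"""Added example: the "5 seconds rule" for a mail's sender, as code.
Sender history, sample mails and helper names are constructed here;
they are not from the original post or from any mail client."""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed history: display name -> exact addresses seen from it before.
KNOWN_SENDERS = {
    "Alice Martin": {"alice.martin@example.com"},
    "Amazon": {"no-reply@amazon.com"},
}

# Digit-for-letter swaps common in look-alike domains (amaz0n, paypa1, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize_domain(domain: str) -> str:
    """Fold a domain for look-alike comparison: NFKD maps compatibility
    characters (e.g. fullwidth letters) to ASCII, any other non-ASCII is
    dropped, and digit homoglyphs are mapped back to letters."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS)


def brand_label(domain: str) -> str:
    """Crude 'brand' label: the first DNS label (amazon in amazon.com)."""
    return domain.split(".")[0]


def check_sender(raw_message: str, known=KNOWN_SENDERS):
    """Return (verdict, reasons) for one RFC 5322 message.
    verdict is 'known', 'unknown' or 'suspicious'."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    sender_domain = domain_of(address)
    reasons, suspicious = [], False

    # 1. Is this the exact address already seen from this display name?
    seen_before = known.get(display_name, set())
    if seen_before and address not in seen_before:
        reasons.append(f"name '{display_name}' is known but {address} was never seen from it")

    # 2. Display name that is itself an address: From: "real@corp" <attacker@...>
    if "@" in display_name and display_name.lower() != address.lower():
        reasons.append(f"display name '{display_name}' is an address that differs from {address}")
        suspicious = True

    # 3. Domain that only looks like a known one (amaz0n.ng vs amazon.com).
    if not sender_domain.isascii():
        reasons.append(f"sender domain {sender_domain!r} contains non-ASCII characters")
        suspicious = True
    normalized = normalize_domain(sender_domain)
    for addrs in known.values():
        for known_domain in {domain_of(a) for a in addrs}:
            if sender_domain == known_domain:
                continue
            if brand_label(normalized) == brand_label(normalize_domain(known_domain)):
                reasons.append(f"domain {sender_domain} looks like known domain {known_domain}")
                suspicious = True

    # 4. Replies silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To goes to {domain_of(reply_to)}, not {sender_domain}")
        suspicious = True

    if suspicious:
        return "suspicious", reasons
    return ("known" if address in seen_before else "unknown"), reasons


# Constructed sample mails (headers only matter for this check).
SAMPLE_MAILS = {
    "legit": "From: Alice Martin <alice.martin@example.com>\nSubject: Q3 figures\n\nSee attached.\n",
    "lookalike": "From: Amazon <orders@amaz0n.ng>\nSubject: Your order\n\nClick here.\n",
    "reply_to": ("From: Alice Martin <alice.martin@example.com>\n"
                 "Reply-To: alice.martin@mail-example.net\nSubject: Invoice\n\nPlease pay.\n"),
    "name_trick": 'From: "alice.martin@example.com" <billing@invoice-portal.net>\n'
                  "Subject: Invoice\n\nPay now.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MAILS.items():
        verdict, why = check_sender(raw)
        print(f"{label:10} -> {verdict:10} {'; '.join(why)}")
```

The checks are deliberately cheap; they are the questions a trained employee asks in five seconds, not a replacement for DMARC or a mail gateway. Note that the Cyrillic "а" style of look-alike is only flagged as non-ASCII here, not matched to the brand it imitates; a real filter would add a confusables table.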

Educating employees on what makes a strong password, the limits of BYOD, and staying alert when working in public places is an excellent way to limit these risks drastically. Run tests monthly and simulate fake ransomware attacks: a black screen with a skull in the center is sometimes a good lesson, and shaming is unnecessary. Celebrate those who succeed, help those who fail, and remind everyone that you're in this together. Sustaining a good atmosphere is paramount.

Security awareness teams should work with security teams

We know that security operations can see security awareness as an entertainment business. It would be like explaining to a soldier why they must wear a bulletproof vest. That's why, when asked what security awareness programs are for, security professionals often say something like, "Oh, those posters and useless training sessions?"

When explaining niche things to others, technical people often have this bias: "They should already know it," "This is wasted time." Such elitist behavior is relatively common to all niches or specialties. However, we've learned this is the wrong way to evangelize people. Engagement is important.

Try to reach out to a company running a more mature awareness program. You are likely to get a very different answer from their security team. They would answer, "The awareness team is helping simplify security for us and effectively manage our human cyber risk."

They know that cybersecurity is not just about technology; it's also about people, especially since human risk is among the top risks to organizations and one of the fastest-growing. Security awareness is part of, and an extension of, the security team's effort to manage that risk effectively.

This posture isn't so disruptive. When you think about it, security operations are already split between teams with different specialties to manage risk elements, such as Vulnerability Management, Security Operations Centers, or Incident Response teams. From this point of view, Security Awareness is another piece added to the puzzle, focusing on the human side.

As stated above, security awareness teams would have different missions integrated into global security operations.

Identify and prioritize risk. Awareness teams would partner with security teams to better understand and prioritize your top human risks and the key behaviors that manage them. Of course, when dealing with multiple risks, you have to prioritize. You can't defend everything. Some of them are more dangerous than others. It's also about not overwhelming your employees with too many requirements, tasks, processes, and responsibilities. Awareness officers have to keep security simple.

Communicate and train. Once the key behaviors are identified, you need to prepare your employees to adopt them. To that end, awareness officers must work across departments and partner with marketing, communication, and human resources. Awareness jobs are people jobs; officers must enjoy working with others and be passionate about helping people. It's the opposite of cybersecurity as traditionally conceived by cyber professionals, and that's a good thing. Almost every time, the solution lies in finding the middle ground between two opposite conceptions.

A final touch for security awareness teams is measuring their work. Measuring the impact of your programs and reporting it to executives in business terms, or to other employees, is excellent for visibility and legitimacy. You could use metrics like quiz or test results gathered in playful ways, or the results of phishing/fake-malware campaigns, broken down by team and/or by the risk level of the roles involved. Ultimately, you could synthesize all these metrics into a single overall security score.

Mature Security Awareness = Higher SecOps Impact

Let's sum up what we've said above. Culture is about people's attitudes, perceptions, and beliefs. It's like clay: once it has solidified, it's hard to shape. You need patience and dedication to break biases and change how your audience first thinks about a topic like cybersecurity.

Still, building a solid security culture would be of immense value to your whole company and, specifically, your security teams since it would alleviate some of their burdens.

The best ways to succeed are a security awareness team, collaboration with security teams and beyond, and a transmission chain of some sort. Awareness officers build the drivers of your security culture by writing hard and soft policies, activities, training, and processes, and by changing how your security team communicates with, and enforces rules on, the rest of the company.

Instead of the complex, overwhelming, or intimidating security policies too often communicated and enforced by an arrogant or punitive security team, you need relatively easy-to-follow, common-sense policies mixed with nudges, sanctions, and rewards—most of all, an engaging and supportive Security Awareness team.

As such, people would feel safer when reporting incidents, more inclined to include security as part of their job, and, as a whole, create a shared belief that security is vital to your organization's success.
