According to two studies released earlier this year by IBM and law firm Baker Hostetler, errors such as falling victim to a phishing attack or misconfiguring a server or network, were responsible for a majority of data breaches.

The common thread in those scenarios is that the breaches were caused by simple human error and ultimately preventable if employees had been educated and trained to be security aware, and to operate and behave using security best practices. Users’ perception of different threats to information security, and what they think their role is in your overall security program also has an impact on behavior change.

It’s not only large enterprises that feel the effects of unsafe cyber behavior, however. According to Enterprise Strategy Group, 38% of IT and cyber security professionals at small and mid-size businesses say the biggest vulnerability that keeps them awake at night is employee behavior. No matter how large or small the business is, human risk is the number one vulnerability facing organizations. Fixing that risk and fielding a workforce that operates with a security mindset can be achieved by implementing a security awareness program.

Moving from "Check-the-Box" Mentality to Behavior Change
Organizations implement security awareness programs for multiple reasons, including to meet compliance demands. Any organization required to comply with data protection, privacy or IT governance regulations uses a security awareness program and employee education and training to address compliance requirements.

However, a "check the box" mentality of getting all employees to take the training does not guarantee a positive effect on organization’s security posture. Just because a business can claim that 100% of its employees completed the security awareness training, doesn’t mean employees will behave with a security mindset and help make the organization more secure. Success ultimately depends on how comprehensive the security awareness program is.

Leading analysts suggest that an effective security awareness program incorporates continuous education that appeals to the audience, constant communication, and continued phishing simulations to measure progress. That’s it. Three elements. But notice they are ongoing – “planned, continuous and evolving”

Marketers live by the "rule of seven" as a guideline for how many times a message must be heard to influence behavior. Whether it’s seven, seventeen or seventy, we know repetition can influence behavior. That holds true whether you want someone to make a purchase or handle sensitive data in a secure and specific way.

"If you are responsible for security awareness, you are in the business of creating behavioral change and creating a culture of security in your organization," says Lise Lapointe, CEO at Terranova Corporation. "You are literally trying to get people to modify their habits so that they adopt secure behaviors."

"If you want to change people’s behaviors, you need to do more than ask them to do 15 minutes of intermittent, training here and there, or to sit down in front of their computers for an hour once a year and click on some buttons," Lapointe says. "Security has to stay top of mind. To maintain that state of mind, you need a complete program that is made up of multiple smaller campaigns."

But it doesn’t stop with your users. Information security and cyber threats deserve the attention of senior management and executives within your organization. You must educate them on the importance of information security and why a cybersecurity awareness program is a must.

How Do You Know You’ve Instilled Behavior Change?
Once you’ve accepted and implemented a comprehensive and continuous security awareness program to drive the behavior change you need in your organization, look for these telltale indicators to show that culture is changing:

It’s been said that people change their behavior when the pain of staying the same becomes greater than the pain of changing. If you wait for that pain point when it comes to cyber security, it’s too late! Act now to implement a security awareness program that focuses on changing the behavior of employees and making the culture of your organization security proactive.

About the Author

Theo Zafirakos, CISSP, Terranova CISO Coach, is a skilled professional experienced in the domain of information and cybersecurity. He is able to communicate well with all levels including C-suite, senior management, and technical staff, in identifying, evaluating, and managing information security risks in a manner that meets internal and regulatory requirements. He can provide subject matter expertise and thought leadership in all areas of information security for the creation and management of strategy, programs, governance, information risks, and compliance. Zafirakos is highly organized, analytical and motivated in resolving challenges and conflicts. He is responsible for all areas of information security for creation and management of strategy, programs, governance, information risk assessments, and compliance for Terranova and leads Terranova’s Professional Services team that helps clients implement and execute information security awareness programs with measurable results.