The human factor is typically seen as the “weakest link” in cyber security risk, an approach suggesting that cyber threats can be mitigated by focusing on the behavior of end-users rather than on the way information systems are designed. But in what ways can people be influenced into “behaving more cyber secure”, and what is the role of leadership in establishing a cyber culture in shipping?
Digitalization has been a significant enabler in keeping the world economy going amid the pandemic, but it has also spurred an increase in cyber incidents, putting cyber risk at the top of global risks, according to the World Economic Forum. At the same time, the cyber security landscape grows more complex, with cyber-attacks becoming more disruptive and targeting critical infrastructure, core public services, vulnerable communities and personal privacy. A 2018 report by Ponemon estimated the average cost of a data breach at about $3.86 million. For Maersk, the cost of the NotPetya cyber-attack in 2017 was $300 million.
Cyber risk commonly refers to any risk of financial loss, reputational damage or disruption of an organization’s operations resulting from the failure of its IT systems. In shipping, a sector particularly exposed to cyber threats, cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised, according to the IMO.
The human factor in cyber security risk, often also framed as the ‘insider threat’, is a major problem: a 2020 report by Cybersecurity Insiders found that 68% of organizations feel “moderately to extremely vulnerable” to insider threats. Another report by IBM and the Ponemon Institute identified human error as a key factor in almost 25% of all data breaches that took place from July 2018 to April 2019.
6 behaviors that indicate poor cyber hygiene at the workplace
- Use of company’s devices at home;
- The “Bring Your Own Device (BYOD) in the workplace” trend;
- Neglecting the systematic and regular update of passwords;
- Neglecting annual review of company’s cyber security policy;
- Allowing public building access without the use of an ID card;
- Employees using computers to access bank accounts or initiate money transfers.
Why are humans a vital asset to cyber security?
While the ‘human factor’ has been recognized as the weakest link in creating secure digital environments, it is only the human brain that has the unique ability to interpret alerts and process multiple inputs that may indicate something is wrong. The saying ‘the human is the machine’ attempts to capture the role of humans in the world of automation. While machine learning takes on an increasingly supportive role in work tasks, shipping jobs rely on innately human skills summarized by the “Four Cs”: Critical thinking, Communication, Collaboration, and Creativity.
In the meantime, it is often forgotten that organizational values are shaped by effective leadership. It is not uncommon for business leaders to disclaim responsibility for cyber security, believing it to be more of an IT department issue. A main component of cyber hygiene in an organization lies in the ability of senior executives to establish cyber security as an important part of the organizational culture.
4 steps of behavioral change in cyber security: Tips for business leaders
Training employees is not an easy step in the process of transforming cyber behavior. Unlike infrequent cyber security awareness trainings, which can be overwhelming because they offer a wide range of information at once, behavior change training is the best way to mitigate employee-related cyber risk, as it means that employees know what to do when they see a threat.
#1 Test what people know: Before everyone becomes aware and cautious of the transformation efforts in cyber security, conducting a test to measure people’s level of awareness can be very useful. For example, do they become cautious when receiving an email that looks like phishing? How do they handle it? Do they report it? However, it is of critical importance for employees’ wellbeing to make clear to all sides that this is neither a rewarding nor a punitive process; it is simply a test of the level of awareness within the company.
#2 Information-sharing: This is the stage where business leaders share the feedback from the above simulation and, in general, any information that can help employees become aware of and understand the importance of the changes required in cyber security. In this stage, convincing employees of the need for change is at the center.
#3 Time for cyber security training: Instilling the desired cyber attitudes in employees is not a simple task; it requires a great deal of time and energy. Tangible tools like information bulletins and posters, or games and contests between departments, constitute an entertaining and educational way of encouraging your employees to take charge of their own learning.
#4 Measuring progress: In every learning process, as well as in unlearning and relearning, measuring the progress made is vital. What have they learned? What areas require more focus? What could have been done differently in the training? What areas still require improvement?