Blog · 10 Oct 2017

Carrot or stick - which is best for security awareness?

When it comes to cyber security training, which do you think is more effective, the carrot or the stick?

Head of commercial development, penetration testing

The weakest link

As it’s National Cyber Security Awareness Month in the US, I thought it an appropriate time to discuss one of the security sector’s most pressing concerns — the role of the employee in keeping your company secure.

We know that people can be the weakest link in the security chain — clicking that all-too-tempting prize-winning hyperlink on an email; leaving the fire-exit propped open for the pizza to be delivered during a night shift; revealing state secrets to your fellow passengers during the journey home. When it comes to cyber security, you could say that employees are a bit like toddlers — they need constant supervision.

But here’s the thing: with a little work, they can actually be your greatest security asset. If your employees instantly recognise the danger when a phish gets through your technology, you’re ahead of the game.

The question is, how do you get them to that point? How do you turn your employees from security liabilities into lightning-sharp threat spotters?

The carrot or the stick?

In a recent BT and KPMG report, Paul Wood, Chief Risk and Compliance Officer at Bloomberg, takes an interesting stance: “How rigorously do you deal with employees who don’t take security seriously? There must be real consequences.”

But does a ‘stick’, or punishment, approach really work? I’d say it’s very unlikely. Unless the employee understands the real consequences to the business, they won’t make the effort to change their ways. It’s the “why should I bother?” question that lurks in the shadows.

Whilst the CISO might be well versed in articulating the impact of a security breach on the share price to the board, does the person on the shop floor (possibly the unintentional perpetrator of the malware infection) understand what those consequences mean to them?

A lot of managers still struggle to ‘sell’ the benefits of security training by failing to bring the consequences of a cyber attack to life. We continue to see people mandated to attend awareness courses without any engagement or real understanding of why it matters to them.

But that doesn’t make awareness programmes redundant. When done right, they can change people’s behaviour, workplace culture and have the potential to really make a material difference.

Final verdict

More positive outcomes can be seen when security awareness training is positioned in the right way. Steven Wilson, Head of Business, European Cybercrime Centre, Europol, explains that: “There is a significant benefit obtainable where investing in staff education is undertaken but explaining it as a benefit to their home life and that of their families and children. People buy into this free personal education much more readily than another compulsory work policy.”

So, if you were to ask which is better, the carrot or the stick, I’d say it’s a no-brainer to reward good behaviours, invest in people, train them, and create processes which change how they behave. But this is typically not where money is being spent. Steven Wilson goes on to say that he routinely sees companies investing in technical solutions while neglecting the human aspect.

Employees are still one of the best ways of detecting attacks, so it’s vital we invest in them. They need to know how they might be targeted. And this has to be part of an on-going process, not a one-off. Carrot and stick probably both have their place, but remember, we’re talking toddlers here, so I’d be tempted to try the carrot first.