You may have picked this up from earlier posts in this series, but our approach to security is ongoing and holistic. We believe that a 'quick fix' style approach invariably leaves vulnerabilities open. We also believe that once you've started on the path to securing your organization, the best way to stay on that path is by establishing a culture of security within your organization.
Changes in behavior cannot be sustained by an organization’s culture without continuous reinforcement. For example, through training and repeated testing you can reduce the rate at which employees click on phishing email links from an initial average of 27% to the low single digits. However, “if you just leave that alone and never train them again, you’re going to see it creep back up for a couple reasons,” Carpenter warns.
First, the stimulus for reinforced behavioral patterns disappears once you take away the immediate feedback an employee gets when he or she successfully recognizes a simulated phishing attack. Second, on the organizational level, the natural churn of personnel, as some people leave the organization while others join it, translates to a smaller percentage of employees who have been rigorously trained in security awareness.
Then there is behavioral drift over time, because nothing is being done to help employees sustain the new habits they have learned for handling the emails they receive. Think of seasonal circumstances that can push against an employee’s heightened security awareness and the behavior that results from it.
For example, “I’m in retail. It’s the holiday season. I’m getting 300 more emails a day than I naturally would get, and I’m just trying to knock stuff out, so I’m naturally going to get a little more careless,” Carpenter says. In the retail world, holiday season lasts at least two months, from early November until New Year’s Day.
“Science says it takes 66 days to formulate a behavior or to change a behavior, so that two-month period I’m pushing on basically creating an entirely new habit,” he explains. “When January comes around after holiday season, my behavior has shifted to whatever the new norm was unless I was constantly training. And now this person is not thinking again as they open and answer emails.”
If you're interested in a discussion on how to implement a program that will let you train, test and support your employees, contact us today! We would be happy to learn more about your unique situation and help you improve your organization's security.