Employee behaviour is a critical factor when it comes to ensuring a safe working environment in which (information) security and ethical behaviour are central.
Cyberattacks currently rank as one of the top three business risks worldwide. As an organisation, you can take a range of technical and organisational measures to prevent cyber incidents and raise your employees’ security awareness. Yet employee behaviour is the determining factor. Together with your employees, Hoffmann studies their actual behaviour and then partners with them to implement any desired behavioural changes.
“Cyber breaches are caused by employee negligence or malfeasance 66% of the time.”
Willis Towers Watson, 2017 Cyber Risk Survey
Your employee is a target for cybercriminals—ensure cybersecurity awareness
Wherever people work, there will be vulnerabilities. Cybercriminals readily take advantage of this, for example by manipulating employees into handing over their passwords. How well is your organisation protected against this? In the case of passwords, you have probably shown your employees how to create strong ones and given them a few mnemonics for doing so. But as you will see further on, it is not difficult for cybercriminals to figure out or obtain passwords, for example by pretending to be a fellow employee. As many as 70% of employees give their passwords to unknown ‘colleagues’ armed with a clever or convincing story.
Even when organisations have a strong security policy with security awareness training in place, rules often prove inadequate when it comes to ensuring cyber security. But security awareness training can be an important first step towards achieving the desired behaviour.
Rules prove inadequate
Security awareness training courses and training sessions are widely promoted as part of information security. While these are unquestionably helpful, they do not always guarantee cybersecure behaviour. Human error is still involved in 66% of cyber incidents. This is evident from studies conducted by Hoffmann’s security awareness specialists, among others.
- Give password to unknown ‘colleague’
- Do not pay attention to unknown visitor without pass
- Fill in data after clicking on phishing email
Security awareness training as a first step
Experience has shown that many organisations are looking for a way to give cybersecure behaviour the attention it deserves. It is not always clear whether everyone is actually speaking the same language, nor is it always clear what is expected of employees. For instance, what is the difference between information security and cybersecurity? It is important to explicitly formulate the desired behaviour. A security awareness training course serves as a starting point for discussing the behaviour that is desired and opens up opportunities for follow-up steps.
Our approach to security awareness training
During an interactive training session, a Hoffmann security awareness specialist will discuss the role of your employees’ own behaviour. We explore what awareness is and whether it is high enough. Do employees know what is expected of them? And if they do indeed know, why do they not always behave safely? Grey areas and dilemmas regarding cybersecure behaviour are discussed, alongside several strategies for dealing with them.
The objectives of the workshop
The objectives of the workshop are broadly formulated as follows:
During the workshop we:
- Establish a dialogue on the importance of cybersecure behaviour with regard to the risks faced by your own organisation;
- Address the topic of security awareness and why cybersecure behaviour is more than just awareness;
- Discuss potential grey areas and dilemmas related to cybersecure behaviour;
- Stress the importance of exploring the why behind (not) exhibiting the cybersecure behaviour;
- Conclude with tips to make it easier to exhibit the desired behaviour and thus trigger behavioural change;
- Explicitly ask what employees believe they need from the organisation to increase the likelihood of cybersecure behaviour.
From this security awareness training springboard, you can take the next step: Hoffmann’s behavioural programme.
The behavioural programme
Hoffmann’s behavioural programme helps you to arm employees against cybercriminals. This is because we not only offer a solution for greater awareness—we go a step further. We do this to effect real behavioural change. Our approach is grounded in psychology, which holds that behaviour is determined by a number of factors, of which awareness and knowledge are just two. Hoffmann identifies why this specific behaviour is absent and what you can do to address it concretely at the organisational, human and technical levels. The Hoffmann solution provides you with practical measures to implement immediate and sustained behavioural change.
- Behavioural insight into your information security vulnerabilities
- A clear improvement plan for organisation, people and technology
- Lasting behavioural change in your organisation
The Hoffmann 3x3 model for safe behaviour
How do you ensure that your employees are both aware of dangers and actually act in a cybersecure manner? By dissecting behaviour into motivation, ability and opportunity, and looking for human, technical and organisational ways to change that behaviour. In short: by going beyond awareness. Watch the video about the Hoffmann 3x3 model, specially developed by psychologists, below.
Would you like to empower your employees by putting their behaviour at the heart of your business?
Read further or contact one of our specialists.
What customers say about
“Hoffmann's 3x3 model offered us an innovative approach when it came to increasing the cyber resilience of our employees. It is practical and gives us insights into how to improve cybersecure behaviour in the workplace. And that goes beyond mere awareness.”
HENK GROENINK, INFORMATION SECURITY OFFICER, HOLLAND CASINO
Three steps to desired security awareness behaviour
Step 1: Behavioural determination
What cybersecure behaviour do you want to see in your employees?
We map out the cybersecure behaviour you want to see in your employees. To change their behaviour, this behaviour must be clearly defined. Desirable behaviour may differ by job type.
- Definition of desired behaviour
- Specified per target group
Step 2: Behavioural analysis
Why are your employees not yet exhibiting cybersecure behaviour?
We investigate the reasons why employees do not display cybersecure behaviour. Our social psychologists investigate, in individual interviews with your employees, why the desired behaviour is not yet occurring.
- Individual interviews with employees
- Causes: motivation, ability and/or opportunity.
Step 3: Behavioural change
What can you do to bring about cybersecure behaviour?
Through 9 problem-solving approaches, we give you hands-on advice in terms of organisation, people and technology so that your employees start behaving in a cybersecure manner. For lasting behavioural change in your organisation.
- Concrete improvement plan
- Tailor-made training courses
Do you want to enhance your organisation’s resilience?
An ounce of prevention is better than a pound of cure.
Investing in security is a continuous process in which prevention is the primary objective. After all, an ounce of prevention is better, and cheaper, than a pound of cure. Hoffmann has long experience in investigations in which employees were the cause of the problem. Prevention, with attention to the human factor, is therefore key when it comes to avoiding (financial) losses. Behaviour is the domain of psychologists, just as technology is the domain of IT professionals. Our social psychologists work with you to increase your organisation’s resilience and take preventive action to effect the behavioural changes you desire. In this way, you make your people the strongest link in information security.