Tackling retail cybersecurity threats with human-centric behavioral change – Security Magazine

Digital adoption leapt forward by roughly a decade within months during the COVID-19 pandemic, accelerating the shift to digital commerce that began in the 2010s. According to recent research, the pandemic-driven boost to e-commerce is estimated to have exceeded $200 billion across 2020 and 2021.

As a result, the retail industry has become an even bigger target for cybercrime. In 2021, ransomware attacks on retailers rose 75%, in the same year that U.S. consumers spent a record-breaking $1.7 trillion online.

With large repositories of customer data and Personally Identifiable Information (PII), a successful attack on a retailer yields a significant return for a cyber attacker. Guess, Neiman Marcus and CVS Health are among the global household brands that malicious actors have recently targeted and exploited.

As company boards and executives look to mitigate their risk of such attacks, and so begin advocating for increased spend on best-in-breed solutions rich in automation and artificial intelligence, many fail to recognize that it is still people who serve as the first line of defense. For retail organizations in particular, phishing emails and social engineering continue to dominate as the most common delivery mechanisms of attack. Given this, retailers, and organizations in other industries, could benefit from taking a more human-centric approach to addressing their security issues.

Security Awareness and Training (SA&T) has been the most common course of action an organization implements when working to establish more robust human defense mechanisms. Awareness training can help reduce human error and promote cross-collaboration between security teams and other organizational departments. However, these legacy security awareness programs are no longer effective, as evidenced by the fact that the human element continues to feature heavily in most breaches.

A recent Forrester Wave report explored the importance of the "ABCs: Awareness, behavior, and culture" as a means to better protect against rising threats. Reducing human risk starts with instilling positive behavioral change among employees and ultimately altering their perceptions of and attitude towards security and risk. This can be achieved in a number of ways.

On average, retail workers receive nearly 50 malicious phishing emails each year. That is many opportunities for an employee to mistakenly view an email as legitimate and enable an attacker to penetrate the network. As attackers increase the frequency and scale of their email attacks, so too should organizations increase the frequency and scale of their simulations. Infrequent, mass security and phishing tests, sent out simultaneously to all employees, fail to improve security posture or change behaviors.

The problem is that these tests do not catch employees by surprise. They are expected, and employees react accordingly. Instead, organizations should send frequent, unique types of simulation on varying days and at varying times. When employees regularly encounter simulated attacks, the issue stays top of mind. Repeating this over a period of time shapes new cybersecurity habits among employees.

Gamified learning is another critical component of achieving high engagement, which in turn is essential to lasting behavioral change. Incorporating gamification can transform employee mindsets and result in the detection and resolution of even sophisticated attacks.

By simulating attacks in controlled, gamified environments, organizations can put their employees' skills to the test and let them practice reducing risk in real time. It puts users in the mindset of real attackers and leads to a better understanding of how to detect the most malicious attacks. In practice, it also results in more employees reporting suspicious activity to security teams, rather than simply deleting or ignoring it.

It is crucial to prepare employees for every type of threat, from phishing to authority impersonation and invoicing scams, and the list continues to grow. Ensure that the training provided addresses both the role and the skill level of each individual trainee. Personalization is key to achieving lasting cybersecurity behavioral change. Begin by understanding the most common threats and risks (both existing and future) applicable to each business area. For example, the HR function faces different security challenges than sales. Then put this contextual information to use to create highly personalized programs for each person in each business segment.

Adopt a micro-training model and create short, easy-to-digest content to achieve high impact. For behavioral change, brevity is your best friend. Think TikTok for security training. 

In addition, consider each employee's skillset. Start small with easy tests, then gradually increase the difficulty. The right level of difficulty along each employee's personalized learning path will keep them engaged and interested, challenging them to think critically.

Even after incorporating all of the above, an organization will fail to achieve the desired results without positive reinforcement during training. When training is positive, employees become more eager to participate in developing their skills and in reporting threats. Feedback and recognition are important factors here.

When a trainee successfully detects a threat, have a system in place that provides recognition. Also, give personalized feedback. If an employee fails to eliminate a threat completely but shows a positive response throughout the process, acknowledge it.  

Achieving noticeable behavioral changes takes time, effort and dedication. Challenging the notion that people are the weakest link in organizations and adopting behavioral change platforms will create a strong human detection engine, one of the most impactful ways to lower organizational risk. 

Mika Aalto is CEO and co-founder at Hoxhunt, a cybersecurity awareness company.
Copyright ©2022. All Rights Reserved BNP Media.