In recent years, we’ve seen well-known companies experience major cyber security breaches and large fines hit big brands. Given the potential for service disruption, reputational damage and huge cost (GDPR allows for fines of up to four per cent of global turnover), organisations face major repercussions when they fail in their cyber security.
In our experience, employees are responsible for most data breaches. They’re not necessarily malicious, but their security behaviour and the wider organisational culture make it possible for mistakes to happen.
Most organisations already have cyber security programmes in place to help improve employee awareness of cyber risks. Despite this, many employees develop poor cyber security habits in fast-paced workplaces. For example, employees often delay security software updates, enter weak passwords and fail to respond to security warnings.
So, how can organisations change employee behaviour to improve cyber security?
The answer lies in behavioural science. By introducing ingenious ‘cyber nudges’, companies are able to overcome employees’ bad habits. These nudges are design features engineered into digital environments to indirectly encourage good cyber habits at all levels of the organisation. They leverage behavioural insights to drive compliance without affecting functional activities or productivity.
How does this work in practice? Here are three practical examples of how ‘cyber nudges’ can positively impact cyber security habits:
As a leader, you’re frustrated by employees delaying the installation of security updates. People often get notifications for the updates at inconvenient times, such as during busy work periods or meetings. Employees know they’re important but prioritise their productivity.
By prompting people to pick a specific time to install the update that works for them (rather than simply giving them the option of ‘later’), it’s possible to nudge everyone towards secure behaviour.
People often go through their emails on autopilot, enjoying the incredible ease of use created by interface designers. But that means they keep clicking on malicious links in phishing emails without carefully considering their actions.
By embedding a small ‘hassle’ in the user experience, such as a pop-up that makes people consider whether a link or attachment is from a trusted source, people stop and think instead of acting on their first instinct. As a result, they become better at identifying malicious emails.
People often receive generic warnings in their digital environments, which can lead to ‘habituation’, where people become desensitised to repeat messages and begin to ignore them.
By building dynamic or animated warnings that create distinct experiences for users, we can minimise the effects of habituation. There’s also the potential to develop polymorphic warnings that change size, shape and orientation on the screen.
The key to success is to gain behavioural insights and build a deep understanding of your employees through user-centric questioning and observation. With this knowledge, you can then design creative nudges that don’t impact productivity before trialling them with employees to ensure their effectiveness. Finally, you can scale useful nudges across your organisation to steer people towards good cyber security habits.
External threats use behavioural insights and knowledge of cognitive biases to exploit our people, and we need to use even greater levels of ingenuity to counter these risks. If you’ve been wondering how to change employee behaviours, perhaps it’s time you gave them a nudge.