To change staff behavior and improve their cybersecurity culture, specialists from Cybersecurity at MIT Sloan (CAMS) applied novel methods at Yahoo to study and correct how employees behave, especially when no one is monitoring them. The team brought together penetration testers who probe security systems, the IT specialists responsible for the company's security, and behavioral engineers. The researchers ran simulated phishing attacks to reveal the weak points in the security system.
Based on this research, managers were offered a set of steps to improve the corporate cybersecurity culture.
Senior managers should not only inform staff about the security rules but also make sure the required actions become habits. For example, employees should be helped to build the habit of using the corporate password manager whenever they create or renew logins and passwords, because the manager recognizes sites set up to steal account data: it will only fill a saved credential on the site it was saved for. These actions must be taken regardless of whether the security team is watching.
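The reason a password manager catches credential-stealing sites is that it binds each saved credential to the exact origin (scheme, host and port) where it was saved, and refuses to fill anywhere else. The following added example is not code from the MIT Sloan study or from Yahoo; the vault contents and the URLs are constructed. It shows that autofill rule in Python and how the usual phishing tricks (look-alike domains, HTTP downgrade, the `user@host` trick, the real domain hidden in the path) all fail it:

```python
from urllib.parse import urlsplit

# Constructed sample vault: each credential is stored with the exact origin
# of the page where it was first saved. Values are fictitious.
VAULT = {
    "https://login.yahoo.com": {"username": "alice", "password": "correct-horse"},
    "https://intranet.example.com": {"username": "alice", "password": "battery-staple"},
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the (scheme, host, port) origin of a URL.

    Scheme and host are lowercased and the default port is applied, so
    'https://LOGIN.YAHOO.COM:443/' and 'https://login.yahoo.com' compare equal.
    urlsplit().hostname already drops any 'user:pass@' prefix, so the host is
    the one the browser would actually connect to.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def credentials_for(url, vault=VAULT):
    """Offer a saved credential only when the page origin matches exactly.

    This is the whole phishing defence: a look-alike domain, an HTTP
    downgrade, or a deceptive path or userinfo never equals the stored
    origin, so nothing is filled and the user gets no password to hand over.
    """
    target = origin_of(url)
    for saved_url, cred in vault.items():
        if origin_of(saved_url) == target:
            return cred
    return None


def fill_decision(url, vault=VAULT):
    """Return ('fill', cred) or ('refuse', reason) for a page URL."""
    cred = credentials_for(url, vault)
    if cred is not None:
        return ("fill", cred)
    scheme, host, port = origin_of(url)
    return ("refuse", f"no credential saved for origin {scheme}://{host}:{port}")


if __name__ == "__main__":
    # Constructed page URLs: one legitimate, the rest typical phishing shapes.
    for page in [
        "https://login.yahoo.com/account/challenge",   # real login page
        "https://LOGIN.YAHOO.COM:443/",                 # same origin, odd casing
        "http://login.yahoo.com/",                      # HTTP downgrade
        "https://login.yahoo.com.evil.example/",        # subdomain look-alike
        "https://login-yahoo.com/",                     # hyphen look-alike
        "https://login.yahoo.com@evil.example/",        # userinfo trick
        "https://evil.example/login.yahoo.com/",        # real name in the path
    ]:
        verdict, detail = fill_decision(page)
        print(f"{verdict:6} {page}  ->  {detail if verdict == 'refuse' else 'username ' + detail['username']}")
```

Note that the manager decides purely on the origin it saved; it needs no blocklist and no judgement from the user, which is exactly why the habit of always going through it, rather than typing a password by hand, is what the study asks managers to build.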
It was also suggested that staff be trained to spot suspicious websites and malware, with bonuses and prizes as rewards.
Employees should report every case in which a website asks for their account data, rather than judging on their own whether it is safe to comply.
Within a year of the experiment, data leaks had fallen by half, almost twice as many phishing attacks were being stopped, and employees were using the company password manager three times as often.
Together these measures improved both the corporate security system and the staff's security culture.