Fear of making mistakes or being judged by colleagues were among the top reasons employees at small to medium-sized businesses (SMBs) have not changed their cybersecurity behaviors, according to the results of a Kaspersky study.

The report also revealed concerns about inconvenience or time constraints (37%), lack of leadership support or enforcement (37%) and the fear of change or unfamiliarity (35%) as chief grounds for continuing with lax or potentially dangerous cybersecurity postures.

Respondents also said they only perceive the consequences of not following cybersecurity guidelines in their organization to have moderate consequences, which only somewhat influences their behavior (38%), indicating a critical lack of understanding between IT decision-makers and non IT employees.

Dave Martin, vice president of MDR at Ontinue, said the past year once again demonstrated that strong information security awareness within an organization is critical to preventing cyberattacks.

“An organization must develop a culture of ‘reporting without consequence’ to ensure employees feel safe and comfortable reporting suspicious activity,” he explained.

In addition to building this culture among employees, Martin said organizations must continuously monitor all potential attack surfaces.

John Hammond, principal security researcher at Huntress Labs, said the best effort organizations can make to drive behavioral changes from employees is simply awareness and education.

“We all acknowledge that might be a bit boring and trite, but if you foster a culture of security and really encourage personnel to not just practice cybersecurity hygiene but publicly call out bad practices, the message spreads,” he explained. “When everyone plays a part in security, proper guidelines and procedure just naturally get instilled into the team’s workflow.”

Hammond added that decision-makers must come to the table with the willingness to learn and fully understand what new security implementations require.

“That means due diligence, an open mind and, ultimately, investing time to dedicate to cybersecurity practices,” he said.

In the best-case scenario, an organization might have a testbed or a safe sandbox environment to test and tune new security mechanisms before rolling them out to production.

Hammond admitted that while it is not always easy to prepare that testing ground, if they work together with experts (security vendors themselves or trained engineers), it goes a long way toward lessening the fear and anxiety of making mistakes or getting something wrong.

He said it makes complete sense for perception to be a strong component of why organizations struggle to adjust their cybersecurity posture.

“After all, teams are made up of people—people leading people and working with people; all human beings with their own psyche and emotions,” he said.

When a decision is made to change something in the technology stack, the core structure the business and operation depend on, there is always a risk of making a mistake.

“Something can go wrong, and team members might have to deal with the aftermath,” he noted.

Petri Kuivala, CISO advisor at Hoxhunt, explained the human brain isn’t wired to adopt new behaviors following a long, scary sermon on safe email behavior.

“The brain’s wiring can be re-circuited, however, into secure behaviors by repeating a desired action at just the right level of difficulty enough times until it becomes a habit,” he said.

He recommends, for example, starting with phishing simulations and giving people the skills and confidence to recognize and report a social engineering attack.

“After they get a little kick of dopamine for doing the right thing, they crave repeating that behavior,” Kuivala pointed out. “Then you can slide in a micro-training that takes less than 90 seconds to complete and they’ll internalize the lesson. Rinse and repeat until the good cyber behavior becomes a habit.”

Hammond explained a tactic they use at Huntress—a fully remote organization—is to poke fun at bad phishing attempts or insecure practices.

“Say you got some silly spam email with the glaring typos and bad grammar with a link or file attachment–we share a screenshot in an org-wide Slack channel and laugh at the feeble attempt,” he said. “This is light-hearted fun, but it gets everyone in the company rallying around what’s good, bad, and ugly in the realm of cybersecurity.”

He noted that everyone can be better about their own practices because the culture shines the light on what not to do.

“Every organization likely gets those fake text messages or emails from someone masquerading as their CEO or leadership team,” he said. “Slap them into Teams and call it out.”