A global telecommunications firm strengthened its cybersecurity using BAD’s behavioural insights and creative interventions to reduce risks associated with human error. By uncovering the underlying behavioural barriers and leveraging behavioural science, BAD helped the firm embed security-focused habits into employees’ daily routines, reducing risky behaviours firmwide.
Global
Telecommunications
98,000
Our client is one of the world’s largest telecommunications companies, providing a range of mobile, broadband, and digital solutions to consumers and businesses worldwide. They employ roughly 98,000 people and provide voice, data, and enterprise services to millions of customers across multiple continents. They are known for their extensive network coverage, innovative technology solutions, and commitment to connectivity.
Telecommunications firms are at significant risk of cyber-attacks due to the critical services they provide and the vast amounts of sensitive data they handle. These attacks can take many forms, from phishing attempts and ransomware to Distributed Denial of Service (DDoS) attacks and malware. Digital tools offer some protection, but don’t address the biggest risk – human behaviour. An IBM study found that human error was a major contributing cause in up to 95% of all data breaches. Employee behaviour accounts for the largest security risks, through not consistently following safety protocols and falling victim to phishing attacks. With email threats increasing by more than 64% in 2020 and more people working remotely, it is becoming even more challenging to manage human risk.
A successful attack can cause widespread service disruption, data breaches and significant financial and reputational damage. In 2021, a large telecommunications firm suffered a data breach affecting over 40 million customers. The firm experienced significant reputational damage as well as $60m in fines.
With human error being the weakest link when it comes to cyber security, relying on training is not enough. Traditional training fails to consider the behavioural aspects of decision making and ingrained habits. People will often revert to risky behaviours, particularly if they are under pressure and undertaking routine tasks.
Our client wanted to ‘make security behaviours a habit.’
Taking a behaviour-led approach allows us to create more effective, lasting impacts on security practices. It helps us embed security-focused habits into daily routines, making them less susceptible to human error.
We needed to get to the root of the risky behaviours. We took an in-depth analytical approach, applying mixed methods comprising qualitative and quantitative research, while ensuring a representative sample of our client’s employees.
We uncovered that employees underestimated risks due to the availability heuristic and lacked clarity on specific actions required for security.
1. Availability heuristic
A heuristic is a bit like a mental shortcut or rule of thumb that our brains use to make decisions or solve problems faster and with less effort. It does this by focusing only on the most relevant information. While this reduces the time and energy required to make decisions, it can lead to errors and allow biases to take over.
With the ‘availability heuristic’ specifically, we judge the likelihood of an event based on how easily examples of this event taking place come to mind. This means employees often underestimate risks because they cannot easily think of an instance of the event happening. (“I don’t know anyone who has been hacked so therefore it is unlikely to happen to me.”)
2. Lack of clarity around behaviours
Our research also showed that while employees had undergone training about risks and the consequences, they were still not fully clear on exactly what actions they needed to take and when, to meaningfully reduce risk.
Utilising all this insight, we worked with our client to develop an evidence-based, targeted intervention to influence behaviours and embed better habits. We reframed the challenges through a behavioural science lens to identify the most effective behaviour change techniques and used creative design to implement these in the most engaging way.
Combatting the availability heuristic
To work with the availability heuristic, we used authentic storytelling to make cyber threats more relatable. People typically remember more from stories than from facts alone due to greater personal connection and emotional relevance (Lordly, 2007). Using real stories from real people that employees can relate to increases the connection in their memory, enhancing their perception of risk and bringing it more readily to mind.
We also created key points and activities to encourage self-reflection, helping employees identify areas where they are personally more susceptible to risky behaviours – i.e. password security.
Clarifying behaviours and embedding better habits
To embed better habits and make it clear and easy for employees to carry out more risk-conscious behaviours, we used techniques such as habit stacking. By building associations between existing habits and new behaviours, existing habits can become a cue for the new behaviour (Fogg, 2019; Judah, Gardner & Aunger, 2013). The intervention was designed to mimic an employee’s average day, to help identify where new behaviours could be easily implemented and to associate these new behaviours with existing everyday habits and routines.
As people pay more attention to and are more likely to act on information that is prominent, we used design techniques to make the most important behaviours salient, through elements such as ‘Stop and Think’ screens.
The intervention successfully recalibrated employees’ risk perception and ingrained cybersecurity habits, leading to a reduction in risky behaviours and strengthening our client’s overall security position.