A global telecommunications firm strengthened their cybersecurity using BAD’s behavioural insights and creative interventions to reduce risks associated with human error. By uncovering the underlying behavioural barriers, and leveraging behavioural science, BAD helped the firm embed security focused habits into employees’ daily routines, reducing risky behaviours firmwide.
Global
Telecommunications
98,000
Our client is one of the world’s largest telecommunications companies, providing a range of mobile, broadband, and digital solutions to consumers and businesses worldwide. They employ roughly 98,000 people and provide voice, data, and enterprise services to millions of customers across multiple continents. They are known for their extensive network coverage, innovative technology solutions, and commitment to connectivity.
Telecommunications firms are at significant risk of cyber-attacks due to the critical services they provide and the vast amounts of sensitive data they handle. These attacks can take many forms from phishing attempts, ransomware, Distributed Denial of Service (DDoS) attacks and malware. Digital tools offer some protection, but don’t address the biggest risk – human behaviour. An IBM study found that human error was a major contributing cause in up to 95% of all data breaches. Employee behaviour accounts for the largest security risks through not consistently following safety protocols and falling victim to phishing attacks. With email threats increasing by more than 64% in 2020 and more people working remotely, it is becoming even more challenging to manage human risk.
A successful attack can cause widespread service disruption, data breaches and significant financial and reputational damage. In 2021, a large telecommunications firm suffered a data breach affecting over 40 million customers. The firm experienced significant reputation damage as well as $60m in fines.
With human error being the weakest link when it comes to cyber security, relying on training is not enough. Traditional training fails to consider the behavioural aspects to decision making ingrained habits. People will often revert to risky behaviours, particularly if they are under pressure and undertaking routine tasks.
Our client wanted to ‘make security behaviours a habit.’
Taking a behaviour-led approach allows us to create more effective, lasting impacts on security practices. It helps us embed security focused habits into daily routines, making them less susceptible to human error.
We needed to get to the root of the risky behaviours. We took an in-depth analytical approach, applying mixed methods comprising qualitative and quantitative research, while ensuring a representative sample of our client’s employees.
We uncovered that employees underestimated risks due to the availability heuristic and lacked clarity on specific actions required for security.
1. Availability heuristic
A heuristic is a bit like a mental shortcut or rule of thumb that our brains use to make decisions or solve problems faster and with less effort. It does this by just focusing on the most relevant information. While this reduces the time and energy required to make decisions, it can lead to errors and allowing biases to take over.
With the ‘availability heuristic’ specifically, we judge the likelihood of an event based on how easily examples of this event taking place come to mind. This means employees often underestimate risks because they cannot easily think of an instance of the event happening. (“I don’t know anyone who has been hacked so therefore it is unlikely to happen to me.”)
2. Lack of clarity around behaviours
Our research also showed that while employees had undergone training about risks and the consequences, they were still not fully clear on exactly what actions they needed to take and when, to meaningfully reduce risk.
A global telecommunications firm strengthened their cybersecurity using BAD’s behavioural insights and creative interventions to reduce risks associated with human error. By uncovering the underlying behavioural barriers, and leveraging behavioural science, BAD helped the firm embed security focused habits into employees’ daily routines, reducing risky behaviours firmwide.
A successful attack can cause widespread service disruption, data breaches and significant financial and reputational damage. In 2021, a large telecommunications firm suffered a data breach affecting over 40 million customers. The firm experienced significant reputation damage as well as $60m in fines.
With human error being the weakest link when it comes to cyber security, relying on training is not enough. Traditional training fails to consider the behavioural aspects to decision making ingrained habits. People will often revert to risky behaviours, particularly if they are under pressure and undertaking routine tasks.
Our client wanted to ‘make security behaviours a habit.’
Taking a behaviour-led approach allows us to create more effective, lasting impacts on security practices. It helps us embed security focused habits into daily routines, making them less susceptible to human error.
The intervention successfully recalibrated employees' risk perception and ingrained cybersecurity habits, leading to a reduction in risky behaviors and strengthening our client’s overall security position.