Not a day goes by without another cyber breach hitting the news. Recently, we’ve seen breaches impact corporations, individuals and our political systems:
- €53 million stolen from an aerospace parts manufacturer via a phishing scam;
- The US elections potentially influenced following a hack on the Democratic National Committee;
- 1.5 billion individuals’ data stolen from Yahoo in two enormous breaches.
As the number of cyber-attacks increases, so does the potential negative impact to every one of us.
If we are to reduce the frequency and volume of cyber breaches and the impact they have, then we are going to need to do more to tackle the human aspect of cyber security.
The causes of these incidents may all be different; however, analysis shows that human actions are overwhelmingly at the heart of the vulnerabilities, and that attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often, this is through an employee being tricked using social engineering. For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.
The act of phishing is aimed at trying to solicit a response from a person or group of people via mediums such as:
- Text (also known as ‘smishing’)
- Phone calls / voicemails (also known as ‘vishing’)
- Social media, or
- A combination of some or all the above.
This form of attack is so successful because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try to influence others, either consciously or unconsciously.
Some examples of the techniques include:
- An urgent request
- Instruction from someone in authority
- Appealing to your compassion
If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request.
Susceptible as we may be to our emotional responses, all is not lost. We are adept at assessing and understanding potential threats or risks. However, how people perceive threats can be subjective, based on their personal circumstances and the relevance of a threat to them. If we don’t appreciate the likelihood of a threat happening, then we’re less likely to adjust our behaviour. This is one of the challenges of tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as a threat.
To address this, there needs to be a greater understanding of what the threat is, how it could affect us or the company, how we can help to stop it, and most importantly, we need to feel that we have an active part to play. It’s this feeling of responsibility, i.e. an emotional response, that decides whether staff are an active part of your cyber defences or rather part of the vulnerability. Once you have that basic principle instilled, how do you ensure you have the right awareness programme in place to effect real changes in your staff’s behaviours? There are some basic principles that can be used to help in this regard.
- Whatever learning you provide needs to be measurable so you can identify what works and what doesn’t. Be willing to take on feedback from your staff and change your approach accordingly.
- This is also where ethical phishing campaigns, if tailored to suit your organisation and carried out correctly, can have a huge benefit.
- By sending staff an initial ethical phishing email to establish a baseline at the outset, you can then follow up regularly with both ‘all staff’ campaigns and campaigns aimed at specific teams (spear phishing) or individuals (whaling), based on the risks you face. This will provide you with insights into the effectiveness of your training.
Regular and concise
- Delivering a one-hour session once a year won’t have a positive impact or change behaviours for the better. The awareness learning content should be delivered in short modules of ideally 1-2 minutes, and in any case less than 10 minutes.
- Provide small nuggets of information that people can consume frequently without it affecting their productivity, but which allow them to internalise the key messages.
Adaptive, personalised and appropriate
- The content should use understandable language and be relevant to the audience. People won’t engage in the learning if they don’t understand how the concept or the scenarios it is portraying are relevant to them or their role.
- The learning should be tailored based on staff role, knowledge and skill levels. Consider short quizzes prior to assigning learning content for staff to complete. This will enable you and the staff to see if they already have the requisite knowledge in one area and allow them to focus their learning on areas in which they are less proficient.
Utilise different learning formats
- Different people learn in different ways and at different speeds. This needs to be allowed for with different content types and delivery methods to accelerate learning.
- Consider content such as videos, animations, games and simulations blended with traditional learning.
- Blend electronic learning with physical delivery mediums and communications such as lunch and learns, posters and other rich graphical content identifying the highest risks and threats. Specific breakout sessions with guest speakers work well too. The subject areas here can cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.
Try to make it engaging, competitive and enjoyable
- This is where the real behaviour changes can happen because if people enjoy something, they’re much more likely to remember it.
- Consider using incentives and rewards. This can be anything from utilising points and leader boards to encourage competition, to providing a sense of achievement or status. Recognition via benefits can be used too, such as small pay awards for those with the budget, although non-financial incentives such as additional annual leave or specific mentions in their annual appraisals can work just as well.
A good approach is to start out in a single risk area such as phishing and grow it over time to include other areas such as password security, social media, information handling and other relevant subjects.
Ultimately, your staff can be one of your strongest defences against cyber-attacks. However, for you to make the most of this potential, your staff will need to:
- Feel it’s their responsibility to understand the threats and protect the company.
- Feel confident they’ve had the necessary training to know what to look for in a potential attack.
- Be vigilant in spotting attempted attacks.
- Be diligent in reporting anything suspicious.
Technology will always be the first line of defence and is incredibly valuable in protecting your organisation, but there will be times when the attackers get through. Then your staff are your last line of defence. Only once you have a cyber-aware workforce, with a security culture embedded within your organisation, can you be confident in your ability to be resilient to the cyber threats you face.
This article first appeared in the February 2017 edition of Cyber World.