With human error consistently revealed as the cause or catalyst in 85% [i] of cyber security breaches, company employees often get the rap for being at fault or are labelled “the weakest link”. Rather than blaming employees for doing something they shouldn’t, companies should consider the quality of the cyber security education employees are getting and question whether it is actually changing behaviour.
Cyber awareness training that is effective at changing behaviour can reduce organisations’ risk of cyber threats by 70%.
This is according to Isabel Adams, People Enablement Director at AVeS Cyber Security.
“It’s fair to say that there’s a human element in most cyber breaches. But it is not fair to leverage the blame entirely on users. The quality of cyber education, or lack thereof, is largely to blame. A lot of the time, company users unknowingly expose company networks and data when they use unauthorised apps, browse malicious websites, click on unsafe links in e-mails, respond to phishing e-mails or share information on social media. However, if they were trained well enough to truly understand how they are vulnerable and avoid the behaviours that could put them at risk, they wouldn’t have done it.”
Cyber awareness training tends to stop at awareness rather than working to change risky behaviours and instil a culture of cyber safety. Because cyber criminals use emotional tactics and novel attack vectors, the human element will remain a threat, even with the most advanced and effective cyber security technology in place and some level of awareness training, if there is no behavioural change. That change can only happen with genuine understanding.
Adams says it’s important to bring it home that cyber safety and using internet resources and social media responsibly is not only about protecting company information and digital assets. It’s about protecting people too. Helping people understand that individuals are also targets of cyber attacks empowers them to adopt responsible, cyber crime-wise behaviours that protect their own social media profiles, bank accounts and identities.
“Cyber awareness training can’t be an information dump of overwhelming content. It must be personal and relatable, or it will remain adversarial and the disconnect between awareness and behavioural change will prevail,” stresses Adams.
Awareness and applying critical thinking are the basics of cyber awareness. Knowing what phishing is and how to identify a fraudulent e-mail, or knowing that login credentials shouldn’t be shared, are foundational topics on which cyber-safe behaviours can be built.
Many companies have yet to get these basics in place. In such companies, cyber security awareness starts and ends with a poster on a wall or a list of security policies circulated by e-mail. In these scenarios, employees might have some awareness and know there are processes and policies to follow, but they don’t understand why, what to do, or how their actions could impact the company or them as individuals.
Human error happens in several ways when there is a low perception of risks and roles. Skill-based errors occur when employees haven’t been taught the skills to identify scams or how to avoid responding to them. Other errors occur through poor decision-making because employees don’t understand the risks.
Cyber criminals go to great lengths to mask their scams and carry out their attacks. They use inventive social engineering techniques to appeal to human emotions and trick people into giving away sensitive information, such as passwords and credit card numbers. Phishing is no longer an e-mail-only problem. It happens on social media, through phone calls (vishing: the fraudulent practice of pretending to be from a reputable company to get people to reveal personal information) and through SMS, to name just a few channels.
“It’s easier for cyber criminals to ‘hack’ a human compared to attempting to break through technology. They’re efficient at gathering data on their targets. By combing through employees’ public social media profiles, they collect valuable data on a person’s interests, jobs and activities. Every social media post and photo may contain important data that threat actors could use for social engineering.
“Employees not only need to be aware of these tactics, but they also need to know how to guard their emotions and understand what actions to take or not to take. It goes back to behaviour and changing that which makes companies and people vulnerable. The mere fact that you received a phishing e-mail is not sinister. It’s what you choose to do with it that’s potentially dangerous.”
Adams concludes by saying that inculcating a cyber security culture can create a stronger defence against cyber threats than the most robust technologies or any single policy or procedure.
“Invest in proper training and embrace cyber security as a core business and personal value.”
October is Security Awareness Month, and AVeS Cyber Security will be hosting three one-hour cyber security awareness webinars, free of charge, on 4 October at 10am, 12 October at 10am and 19 October at 2pm. Contact info@aves.co.za for more information and to register.
[i] https://www.verizon.com/business/resources/reports/dbir/