Cyber awareness learning – motivate and empower your employees
Blog posted by: Zoe Rose – Ethical Hacker, Rose Security, 12 November 2019.
How well prepared are organizations for the activities of cyber criminals in 2019?
Organizations want to feel their efforts have made a difference to answering the question “are we secure?” However, there is no perfect solution or ability to be 100% secure; the real aim is to lower the risk – it’s a balancing act.
The biggest challenge, in my opinion, is communication: the board may have little idea about what cyber security programmes do and technologists often don’t know how to translate cyber security into the language of business risk.
This “language barrier” has led to large gaps in how protection measures are prioritized. A good example is the Equifax breach in 2017. According to a report in The Verge, the company’s protocol involved “deploying a patch internally and scanning the system for any lingering vulnerability”.
Former Equifax CEO, Richard Smith, told the US Congress that “Both the human deployment of the patch and the scanning deployment did not work.”
He essentially blamed one person for not patching a system. However, as the company’s data was clearly of high value to cyber criminals, the real priority should have been architecting a solution that protected the data whether or not the system was patched, to minimise the impact on consumers.
Motivating cyber awareness
Organizations need to empower people to understand cyber attacks and improve their ability to respond. Critically, awareness training shouldn’t be purely compliance-driven, and it should never be about punishing people. It’s important to address how your audience is motivated and to increase awareness among employees using the principles of gamification; for example, by finding the right balance between extrinsic and intrinsic motivation.
Building cyber resilient organizations requires solutions that work for people, backed by communication programmes that help them understand why those solutions matter.
The cyber criminal: a profile
Cyber criminals recognize a gap in “the market” and build their “business” around it. Just as organizations have their version of a risk assessment, so do malicious actors: will this benefit them, with low effort and high return?
They are, regrettably, professionals at this, and minimal effort often means nothing more than searching publicly available information online and exploiting human behaviour and security flaws.
Consequently, cyber breaches are infrequently sophisticated attacks. Instead, they profit from phishing emails, improperly secured accounts, weak passwords, social engineering and exploiting human weakness.
In targeting people, they choose a method that increases the chance that the target clicks a link. For example, their approach may be:
- Pretending to be a school notifying a parent of an incident with their child; the parent is unlikely to suspect it’s a suspicious link or attachment.
- Trying to break passwords based on information about an individual that could reveal habitual patterns of behaviour.
- Appearing legitimate by sending an invoice from an organization a person is likely to trust.
Whilst obtaining information online is easy, getting information from people directly is even easier. Take a conversation with a stranger on a flight: it’s amazing what people will tell you, without ever considering that the questioner’s intentions might not be ethical.
An organizational approach
Tackling cyber criminals involves working with human behaviour and motivating people to care about why they are learning about cyber security. Cyber security is people, process, technology – but people first for a reason.
Personally, I have also found it helpful to focus on personal as well as professional security, by offering ways for employees to protect themselves and their families at home. This brings the risk closer to home and gives people a sense of empowerment from mastering new skills.
Teaching people how easy it is to create a phishing campaign, for example, demystifies the assumption that it’s a complex process and helps them identify threats for themselves rather than simply being told “don’t click links”. Scaring people into a response actually weakens their effectiveness.
Ultimately, it’s about humans building solutions to address human attacks – and if you are more difficult to attack, the majority of the time, cyber criminals will soon move to another target.