The Future of Cyber Awareness: Staying Ahead of Emerging Threats
From advanced malware to modern phishing schemes, cybercriminals are continually developing new methods to exploit human vulnerabilities. Thankfully,...
The US State of Cybercrime Report found that a third of participants suffered an insider incident and most of those proved more costly than those perpetrated by someone outside the organization. Most of these cyber security breaches happened because an employee acted on a fraudulent email.
In the first nine months of last year, 15 million new strains of malware were found. Even frequent releases of virus checker software won’t catch that amount. Additionally, 11 million of the 45 million emails that Mimecast checked for email security passed the test, meaning that it was up to the employees to make sure they didn't click on a dubious link or download an executable binary file.
But relying on staff as the last line of defense isn’t necessarily a good idea. Some surveys have found that only a fifth of staff attended any form of cybersecurity training and a quarter didn’t know if their company had a cybersecurity policy.
No business has the capacity, time, or money to stay on top of all vulnerabilities or threats. For most, nurturing a workplace culture that is security-aware is a much better answer. This human firewall can learn and adapt quickly.
Training content is built around the main cyber threats, as outlined in our last post, but the challenge is getting the message across.
Anyone who works in regulated industries will be familiar with the monthly or quarterly cycle of required reading, which, if not completed on time, requires a humbling visit to a senior manager. All stick and no carrot has the desired effect of making sure everyone is kept aware of the latest changes to regulations or business processes, but how much of that knowledge lasts beyond the end of the week?
Staff have heard it all before, content delivery is stale, and the whole thing becomes a tick-box exercise.
So, if what we’re doing now isn’t working, what’s the alternative?
A better approach is using something that’s drip-fed, repetitive, fun, engaging and has some personal value for your employees. That way, you’re more likely to get a behavior change that becomes embedded in the organization.
The Human Firewall is built through a continuous cycle that helps employees and the organization think securely:
Behavior changes when the content is something employees can relate to on a personal level.
Everyone understands the ramifications of having a purse or wallet stolen, especially if it contains a scribbled note that contains a list of PINs as an aide-memoire. Or if one of the kids downloads a game that wipes the hard disk and leaves mum the job of rebuilding the whole computer over the weekend. Make the connection between that personal pain and the pain the company will experience if they have to lay off staff because they lose a major customer.
Employee out-of-hours activities revolve around entertainment like social media, online videos, games, and so on. So why distinguish between office and sofa? If you want to make it memorable, make it fun, fresh, and remarkable. Game-playing is inherently memorable, engaging, and fun and is fast emerging as a modern training tool. A survey by McAfee found that 96% of companies using it have seen benefits including improved teamwork and increased knowledge. And thirty seconds of fast-paced, energetic video will beat pages of dry text.
Brevity is the soul of wit, so keep it short. Long, arduous training sessions are boring and unnecessary. Drip feed the content and avoid the rush to meet a deadline. Use tools for learning on the move to let employees make the most of time spent traveling.
One size doesn’t necessarily fit all, so segment staff by job role. Content for employees who regularly have access to classified information or high-profile customers will be different from those who don’t. And time-pressed senior managers need a different set of content altogether.
Don’t forget sub-contractors or temporary staff either. A survey by IDC found that activities by third parties were often the cause of breaches or major incidents.
While the stakes are high and the stories about cyberattacks depressing, you can choose how your business responds. Upbeat, positive language sets a better tone and is more likely to encourage employees to report any issues they find.
Cybersecurity training isn’t a one-time exercise. Content needs to adapt to reflect new threats, and success should be measured to find areas for improvement. Phishing tests are useful, given how common a threat phishing is; just don’t turn them into punishment sessions.
With good planning and careful execution, forward-thinking businesses can turn the ‘insider threat’ into a business advantage to help avoid the pain and disruption of a cyberattack.