All too often, cybersecurity measures revolve around technology such as firewalls or intrusion detection systems. Yet that leaves out one of the most effective assets entirely: people themselves. Employees are the target of practically every professional cyber-attack. They can also be a protective wall and an early-warning system at the same time, provided that the company has invested in the corresponding training.
The good news is that targeted phishing, which has been understood for years, remains the most popular means adopted by professional attackers. The bad news? Targeted phishing, which has been understood for years, remains the most popular means adopted by professional attackers. The pattern is well known: attackers send e-mails containing a link to a seemingly legitimate but malicious login page and harvest the usernames and passwords of everyone who enters them. It still works exactly as it always has. According to Symantec (Internet Security Threat Report 2018), spear phishing was the preferred infection vector of 71 per cent of the targeted-attack groups it tracked. According to Verizon Business, stolen login data accounted for fully 635 of the 1,800 successful attacks investigated.
So employees are evidently the number 1 target, and accordingly they should also become the number 1 defensive measure: through training, but also through a corporate culture that may need certain adjustments. That culture may still be stuck in the regrettably common habit of issuing formal warnings to employees for cyber-mistakes, or even of dismissing them. Take the accountant at a retail chain who was tricked by fraudsters into transferring a large sum of money to them. However annoying that was for the company, serving notice on her is surely the wrong approach. Punishment also teaches staff to hide their mistakes, which silences the very reports the security team depends on. It would have been better to train employees beforehand in the current modus operandi of the cyber-underground, so that they do not become victims in the first place.
In a corporate culture that takes a positive approach to cybersecurity, well-informed employees then become an early-warning system: the earlier the company's cybersecurity experts learn about incoming phishing e-mails or about a click on a malicious link, the more effective their measures are: locking the affected account and resetting its credentials, blocking further access to the phishing site, finding out which colleagues received similar e-mails and warning them before they click, and so on.
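The last two measures are routine triage work once an employee reports a phishing e-mail. The script below is an added example, not part of the original article: given one reported phishing URL, it walks a mail-gateway log to find every colleague who received a link on the same host (including variants with per-recipient tokens), then walks a web-proxy log to find who has already visited the site and who has POSTed to it, i.e. most likely entered credentials and needs an account lock. The log formats, hostnames, users and timestamps are all constructed for this example, and the assumption that a proxy username equals the local part of the mailbox address is an assumption of the example, not a fact from the page.

```python
"""Scope a reported phishing e-mail across constructed mail and proxy logs."""
import re
from urllib.parse import urlparse

# Constructed sample data (invented hosts, users and timestamps).
MAIL_LOG = """\
2024-03-04T08:01:12Z from=<it-support@contoso-login.example> to=<a.meier@example.com> url=https://contoso-login.example/sso/verify subject="Password expires today"
2024-03-04T08:01:15Z from=<it-support@contoso-login.example> to=<b.huber@example.com> url=https://contoso-login.example/sso/verify subject="Password expires today"
2024-03-04T08:01:19Z from=<helpdesk@contoso-login.example> to=<c.weber@example.com> url=https://contoso-login.example/sso/verify?u=c.weber subject="Action required"
2024-03-04T08:30:00Z from=<newsletter@vendor.example> to=<a.meier@example.com> url=https://vendor.example/news subject="March update"
this line is deliberately malformed and must not crash the parser
"""

PROXY_LOG = """\
2024-03-04T08:05:40Z user=b.huber GET https://contoso-login.example/sso/verify 200
2024-03-04T08:06:02Z user=b.huber POST https://contoso-login.example/sso/verify 302
2024-03-04T08:07:10Z user=a.meier GET https://vendor.example/news 200
2024-03-04T08:09:00Z user=c.weber GET https://login.contoso.example/ 200
"""

REPORTED_URL = "https://contoso-login.example/sso/verify"

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'url=(?P<url>\S+) subject="(?P<subject>[^"]*)"$'
)
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|POST) '
    r'(?P<url>\S+) (?P<status>\d{3})$'
)


def host_of(url: str) -> str:
    """Normalise a URL to its host so per-recipient query tokens do not split the campaign."""
    return urlparse(url).netloc.lower()


def scope_campaign(reported_url: str, mail_log: str, proxy_log: str) -> dict:
    """Return who received, who clicked and who submitted to the phishing host."""
    target = host_of(reported_url)
    recipients, senders, unparsed = set(), set(), 0
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            unparsed += 1          # count, never silently drop, malformed lines
            continue
        if host_of(m["url"]) == target:
            recipients.add(m["rcpt"].lower())
            senders.add(m["sender"].lower())

    clicked, submitted = set(), set()
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if host_of(m["url"]) == target:     # exact host match: look-alikes such as
            clicked.add(m["user"])          # login.contoso.example are not the phishing site
            if m["method"] == "POST":
                submitted.add(m["user"])    # credentials most likely entered: lock + reset

    # Assumption of this example: proxy username == local part of the mailbox address.
    needs_warning = {r for r in recipients if r.split("@")[0] not in clicked}
    return {
        "host": target, "recipients": recipients, "senders": senders,
        "clicked": clicked, "submitted": submitted,
        "needs_warning": needs_warning, "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = scope_campaign(REPORTED_URL, MAIL_LOG, PROXY_LOG)
    print(f"phishing host: {result['host']}")
    print(f"block sender(s): {sorted(result['senders'])}")
    print(f"lock + reset:    {sorted(result['submitted'])}")
    print(f"warn (unclicked): {sorted(result['needs_warning'])}")
    print(f"unparsed log lines: {result['unparsed']}")
```

Matching on the host rather than the full URL is deliberate: phishing kits commonly append a per-recipient token to the link, so an exact-URL search would miss colleagues who received the same campaign. The same host-level key is what you would feed to the proxy or DNS block list in the next step.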
The form the cybersecurity training takes also has a decisive influence on how long its effect lasts. So how about an in-person event where an expert gives a lively presentation on how the cyber-underground goes about its business, or on the often-mystified dark web, so that the audience can better put themselves in the mind-set and working methods of the criminals? Elements of gamification are also effective: employees who learn about phishing, the use of password managers or the correct behaviour when using the internet while travelling in a short course are taken in by criminals significantly less often. Such game-based engagement with these issues is very likely to stick for longer than a crudely implemented anti-phishing test followed by a generic e-learning module.
That such presentations or learning games also engage the 'private person' in the employee is a welcome side-effect: if colleagues "take something home" from the presentation, the training or the cyber role-play, they associate cybersecurity at work with something positive. Moreover, employees who stay in good cybersecurity shape in their private lives are more resilient than employees who only receive occasional inputs restricted to their professional activity. Top management might even release the company-provided password manager expressly for private use as well, thereby also raising the security of employees' private online accounts. This is likely to motivate people to deal with cyber-risks far more than the fear of formal warnings or dull online training.