THE HUMAN FIREWALL
It is quite common to read news about cyber-attacks causing huge data breaches, businesses suffering irreparable harm, and countries targeting each other in cyberspace. Such articles encourage us to imagine sophisticated hackers employing state-of-the-art technologies. We also start to feel apathy set in - there's nothing much we can do!
If you study credible public reports and expert analysis on cybersecurity incidents, you’ll discover this startling fact: approximately seven out of ten security incidents occur due to human error and behaviour, not complicated technical attacks.
Again, let that number sink in, seven out of ten! Even those attacks that are described as “sophisticated” end up having human mistakes, such as falling for phishing attacks, at their core. Cyber security, then, is fundamentally a human issue, not a technology issue. It requires a process of communication that is focused on connecting and resonating with humans.
WHY IS THIS THE CASE
As technology has evolved rapidly, cyber security tools such as firewalls, anti-malware software, email protection solutions, and a host of other things have also improved significantly. This means that it has become much harder for hackers to bypass protective security technologies. To counter this, hackers figured out that it was a lot easier, cheaper, and worthwhile to target humans instead. They understood that instead of trying to spend time and money to hack people’s passwords, it was much easier to trick users into revealing them. Simple. So, how can we address this issue?
In the past, HMRC sent reminder letters to delinquent taxpayers stressing the importance of paying taxes on time. This clearly wasn't helping much. To address this, they applied the approach of using positive peer pressure and social acceptance by adding a single line - "Nine out of ten people in the UK pay their tax on time." That's it. Just this simple addition contributed to a 15% increase in tax compliance! (UK Government Cabinet Office 2012)
KEEP MESSAGING LIVELY & INTERACTIVE
Unfortunately, awareness content can be bland, lacking humour and delivered by a speaker whose sole purpose appears to be curing insomnia. I equate it to messages such as, “Eat salad and exercise,” and we know how well this message is working out.
Consider the competition poster instead. The use of the funny but relevant picture regarding the need to patch systems gets people’s attention and in this age of information overload, attention is gold.
The content will stand out amongst a barrage of other corporate content for its uniqueness. People can engage with the article by liking, sharing, and commenting, which then results in more people reading it. Do you think people would have paid attention if I had said something like, "Patch your devices since hackers exploit vulnerabilities in unpatched systems"?
USING A MASCOT
Another idea for a competition is to design a cyber mascot. The winning mascot can be proudly displayed on all future security awareness messages and materials.
While this will drive excitement and engagement around cyber security, there is also the added benefit of getting recognizable branding for the awareness materials. Mascots are powerful, and if done correctly, they can make a message truly stand out.
The use of Smokey Bear by the US Forest Service to raise awareness about wildfires is a classic example of this. Smokey now even has his own Twitter account! When the mascot is developed through a friendly competition and by one of your own, there will be a sense of ownership to it from the rest of the organization and, of course, awesome brand recognition.
A PHISHING EMAIL COMPETITION
Given the marked rise in phishing attacks over the past few years, a phishing email writing competition is another great way to create awareness. Essentially, competitors should write a good phishing email designed to trick the victim into disclosing some sensitive information.
To safeguard against unintended consequences, I would make sure that users understand what they can or can't do - an obvious no-no being to phish anyone for real. To ensure a controlled outcome, I would also ask competitors to submit their entry in a Word document with no embedded links or macros. The intent is to get them thinking creatively as hackers and social engineers and not allow the technically skilled to have an unfair advantage. This will help level the playing field and encourage creativity from all different groups. As an incentive, a modest but meaningful prize could be offered to the winner.
AND FINALLY - USE OUR FREE SERVICES!
Delivering hard-hitting awareness training is a critical part of changing how cyber security is perceived and acted upon within your organisation. Risk awareness - at an organisational level - will do more for cyber resiliency than any one technical control you care to implement. Each county within the East Midlands has a team of dedicated trained professionals equipped to deliver such messaging free of charge. See our contact page to get in touch.
See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk