Lack of cyber awareness training is the weakest link in security strategies – not employees

4 Oct 2022 | Thought Leadership


With human error consistently revealed as the cause or catalyst in 85%[i] of cyber security breaches, company employees often get the rap for being at fault or are labelled “the weakest link”. Rather than blaming employees for doing something they shouldn’t, companies should consider the quality of the cyber security education employees are getting and question whether it is changing behaviour.

Cyber awareness training that is effective at changing behaviour can reduce organisations’ risk of cyber threats by 70%.


This is according to Isabel Adams, People Enablement Director, at AVeS Cyber Security.

“It’s fair to say that there’s a human element in most cyber breaches. But it is not fair to leverage the blame entirely on users. The quality of cyber education, or lack thereof, is largely to blame. A lot of the time, company users unknowingly expose company networks and data when they use unauthorised apps, browse malicious websites, click on unsafe links in emails, respond to phishing emails, or share information on social media. However, if they were trained well enough to truly understand how they are vulnerable and to avoid the behaviours that could put them at risk, they wouldn’t have done it.”

Cyber awareness training tends to stop at awareness rather than working to change risky behaviours and instil a culture of cyber safety. Because cybercriminals use emotional tactics and innovative attack vectors, the human element will remain a threat if there is no behavioural change, even with the most advanced and effective cyber security technology in place and some level of awareness training. That change can only happen with true understanding.

Adams says it’s important to bring it home that cyber safety and using internet resources and social media responsibly is not only about protecting company information and digital assets. It’s about protecting people too. Helping people understand that individuals are also targets of cyberattacks empowers them to instil responsible, cybercrime-wise behaviours to protect their own social media profiles, bank accounts and identities.

“Cyber awareness training can’t be an information dump of overwhelming content. It must be personal and relatable, or it will remain adversarial and the disconnect between awareness and behavioural change will prevail,” stresses Adams.

Awareness and applying critical thinking are the basics of cyber awareness. Knowing what phishing is and how to identify a fraudulent email, or knowing that login credentials shouldn’t be shared, are foundational topics upon which cyber-safe behaviours can be built.

Many companies have yet to get these basics in place. Cyber security awareness starts and ends with a poster on a wall or a list of security policies circulated by email. In these scenarios, employees might have some awareness and know there are processes and policies to follow but they don’t understand why, what to do, or how their actions could impact the company or them as individuals.

Human error happens in several ways when there is a low perception of risks and roles. Skill-based errors happen when employees haven’t been shown the skills to identify scams or how not to respond to them. Other errors occur due to poor decision-making because they don’t understand the risks.

Cybercriminals go to great lengths to mask their scams and carry out their attacks. They use inventive social engineering techniques to appeal to human emotions and trick people into giving away sensitive information, such as passwords and credit card numbers. Phishing is no longer an email-only problem. It happens on social media, through phone calls (vishing: the fraudulent practice of pretending to be from a reputable company to get people to reveal personal information), and through SMS, to name just a few channels.

“It’s easier for cybercriminals to ‘hack’ a human compared to attempting to break through technology. They’re efficient at gathering data on their targets. By combing through employees’ public social media profiles, they collect valuable data on a person’s interests, jobs and activities. Every social media post and photo may contain important data that threat actors could use for social engineering.

“Employees not only need to be aware of these tactics, but they also need to know how to guard their emotions and understand what actions to take or not to take. It goes back to behaviour and changing that which makes companies and people vulnerable. The mere fact that you received a phishing email is not sinister. It’s what you choose to do with it that’s potentially dangerous.”

Adams concludes by saying that inculcating a cyber security culture can create a stronger defence against cyber threats than the most robust technologies or any single policy or procedure.

Invest in proper training and embrace cyber security as a core business and personal value.
