Cybersecurity training could be the difference between a safe workforce and a vulnerable one, writes Debby Briggs.
Reading time: 5 minutes.
A recent IBM and Ponemon report highlighted that data breaches now cost, on average, £3.18m. With such a high price tag attached to a breach, organisations need to strengthen their defences, starting with their employees.
The proliferation of smart and Internet of Things (IoT) devices in modern offices has given hackers more opportunities to penetrate networks across a wider range of attack vectors.
However, for organisations looking to better defend themselves, a combined human and technology-driven approach is essential.
Organisations can fight back with human firewalls and technologies, including artificial intelligence (AI) and machine learning, creating a unified defence against attacks.
The numbers problem
Protecting a few people and a few devices from threats would be one thing, but that is not the reality of today’s landscape.
Instead, day-by-day the number of internet-connected devices (smartphones, laptops, tablets, TVs and so on) grows. Gartner predicts that by 2020 there will be more than 20 billion such devices worldwide.
Laptops, tablets and smartphones often have multiple uses as their portability and connectivity enable deployment in both personal and professional settings.
Smartphones in particular are often used in both settings as people have their work emails on their personal phones, messaging apps on their work phones or one phone that is expected to be used for both purposes.
It is easy to see how this fluidity complicates security and increases the risk of human error.
Organisations have not been prioritising employee training on this topic, and it’s highly important that this changes
The most common hacks are phishing scams, which are the root cause of more than 90% of breaches.
These are especially potent in this environment of multi-use devices as, by falling for an attack on their personal device, an employee could put the entire office network at risk.
Phishing scams work by capitalising on people’s emotions, for example a tax refund that excites a user into inputting their personal information or a banking alert that scares them into the same process.
These scams incite a knee-jerk reaction where a user acts first then questions later, by which time it is too late.
Although regular media coverage aims to alert people to these scams, people still regularly fall victim to these attacks.
It is apparent that more needs to be done. Organisations have not been prioritising employee training on this topic, and it’s highly important that this changes.
Training employees and creating a human firewall could be the difference between a safe workforce and a vulnerable one.
Building the defence
Training employees to form a human firewall should become central to organisations’ cybersecurity training protocol.
Cybersecurity within organisations applies to everyone, and all are equally at risk. Therefore training needs to be comprehensive across the organisation, covering entry-level employees all the way to the C-suite.
While it may seem easier to run a company-wide seminar or send around a webinar for everyone to listen to, it is often much more effective to teach people using humour and practical lessons.
Creating a human firewall is most effective when human efforts combine with technology
This is important for a subject such as cybersecurity where the content is often very technical and can be difficult to digest.
A common tactic employed by organisations is for the corporate IT department to send a simulated phishing email to all employees.
This email should be structured in the typical manner of these scams, for example offering a tax refund or free holiday.
The simulated email will allow the IT department to track who opens the email and how far through the process they go.
They should follow up with an email to the whole organisation informing them that the email was a simulated test, giving an overview of the results.
For example, “5% of the C-suite inputted their personal details” and a short explanation of why these tests are important.
For those that failed the test, the IT department should follow up with them individually to give them more detailed feedback.
These tests can be varied and carried out periodically to ensure that employees recognise all potential warning signs.
Training employees in this manner is a light-hearted but clear and effective tool as part of a wider cybersecurity awareness programme.
A human firewall will form as employees learn to recognise the signs and automatically report suspicious emails to the IT department, making it much harder for hackers to break through.
As previously mentioned, creating a human firewall is most effective when human efforts combine with technology. So, how can technologies help?
The advancement of technology is largely the route of these security issues, but technology can also be the solution.
Simulated phishing emails allow IT departments to track employees’ responses to that particular email, but machine learning and AI algorithms can study network traffic patterns and the subject lines and body text of multiple emails.
While a human firewall is a valuable defence, even the most sophisticated and well-trained organisation could not protect an entire network without the help of technology.
This is not news to organisations, 61% of companies recognise how vital technologies such as AI and machine learning are to their defence.
These technologies can analyse network traffic patterns, study the contents of emails and compare this data to an ongoing store of malicious content, enabling them to detect threats and initiate protections rapidly.
Humans are not able to operate on this level or at this speed. Therefore, using these technologies has the potential to save organisations from attacks and the negative effects of an attack, such as bad press and fines.
No organisation is safe from cyberattacks. Cybercriminals are not picky and will seek to exploit any vulnerability.
Businesses must not be complacent and must prioritise both human firewalls and virtual tools in their budgets and training protocols.
Technology adapts and updates rapidly; the companies that can stay on top of these developments and train their staff across the board will stand the strongest chance of defending themselves against cyberattacks.
About the author
Debby Briggs is CSO at NETSCOUT