Cyber Attack – The Human Trigger

John Grennan

Across the globe, wave after wave of ransomware attacks are targeting private companies, health services and state institutions. News headlines often describe the attacks as “sophisticated” and, while the malware deployed is indeed sophisticated, so too is practically everything that runs on your IT systems. For the average user and the business owners who are victims of cybercrime, this is not relevant; all you need to understand is that the delivery of the malware and what triggers it are very simple. Most attacks occur because of an action on the part of the human user. When you click on a link, you are taking an action, and that action makes you the “human trigger”.

 

In the military, when recruits are first introduced to firearms, they are told by instructors time and time again that firearms are not dangerous until you put your finger on the trigger. Soldiers are trained to keep their finger off the trigger and outside the trigger guard until they are ready to discharge a round. This is drilled into soldiers the world over, and for good reason. When you apply pressure to the trigger, an action takes place that has a desired or even expected outcome, but the outcome is also largely unknown. The soldier’s level of skill and training will impact the unknown factor. The round might not hit the target; it may hit a totally unintended target with dire consequences. Soldiers train to mitigate the risk but can never fully eliminate it.

Cybersecurity is similar in this way: when you click on a link, you are pulling a trigger that also has a desired or expected outcome but is also largely unknown. In the real world, most soldiers only pull the trigger a few times a year on the range. In the world of business, your employees will click on links several times a day, and for the most part these links will take them to their intended destinations. In this post alone there are a couple of pieces of external content I want you to view, and I get you there with links. I know the links are safe, but do you? Are you cyber aware enough to be sure? Just like my military analogy, the mitigation of risk is dependent on your level of training: the more training you have, the lower the risk and the higher your cyber awareness.

 

My colleague and IT.ie founder Eamon Gallagher recently wrote a post, “Cyber Awareness – Sowing the seeds of mistrust”, and in it highlighted that, in many businesses, staff undertake any number of training courses or demonstrations, from first aid to safe pass courses. Most of the courses they are asked to undertake are beneficial to them and to the business, but despite the level of disruption and damage a cyber-attack can have on a business, very few have ever undertaken cybersecurity training. Your employees are your most valuable assets and, when it comes to cybercrime, a key component of your defences. Your inbox is constantly under attack and no tool is 100% effective. Good email spam filters will catch most questionable emails, but some will get through, at which point the cyber awareness of your employees is your last defence.

 

Did you know that human error was a contributing factor in 95% of breaches? Since human error plays such a vast role in cyber breaches, addressing it is key to reducing the chances of your business being successfully targeted. It also allows you to protect your business from a far wider range of threats than any single technical solution could, and can potentially empower your workforce to actively look out for and report new threats they may encounter. Mitigation of human error must be key to business cybersecurity in 2021.

How can employees make safer everyday decisions?

Understanding

Your employees must recognise that they are in a situation where security is potentially at stake. Without recognising this, they may not even realise that they are making a decision at all through their inaction.

Empowerment

Your employees must recognise that they are in a situation where security is potentially at stake. Without recognising this, they may not even realise that they are making a decision at all through their inaction.

Education

Your employees must know why security matters, so they understand the importance of not ignoring security procedures and are aware of the potential implications of a breach.

Security Awareness Training – Old-school Vs Modern Training

Security awareness training used to mean making end-users sit through an annual session consisting of hours of lectures and slideshows. The idea was that users would remember something of what they saw and heard and, in the worst-case scenario, at least the box for “educating users” could be ticked. How did it fare in actually improving security outcomes, though? It didn’t work, and everyone hated it.

How do we make modern training truly effective?

Breaking down the material

There is a limited amount of information that a person can absorb at a time. In order to not overwhelm your employees, our training is broken down into segments, each with their own clear, simple message that’s presented in an easily digestible fashion.

Continuous Learning

We break down the learning material so that learning can easily be made continuous, rather than a one-time thing, and courses are sent out regularly throughout the year. This helps to keep security awareness consistently on the minds of your employees, as well as improving learning retention.

Relevant Material

When your employees are given information that they feel is not relevant to them, they will quickly start losing interest and paying less attention. Learning material needs not only to avoid jargon and technical terms but also to be made with the real-life situations they are likely to encounter in mind.

Embed security into your culture

Training has to be a part of a business culture where security is always given the consideration it needs, and employees are encouraged to bring up concerns and ask questions.

Practical Advice

It’s essential that employees walk away from training with actual steps in mind that they can put to use right away in their daily work activities. Giving employees the chance to put their training to the test right away also helps build memory and can be achieved using tools such as phishing simulation.

Video and interactive content

Video and interactive content are great for engaging your employees who may prefer a different type of learning experience. Many people learn by doing, answering questions, or otherwise taking part.

Measuring the impact

It is essential that, after training sessions, your employees are tested on what they’ve learned. This tells you that they are walking away having learned something, and it also helps your employees’ learning process as they recall the information they have just learned from their own memory.

 

To find out more about our Cyber Security Awareness Training, please visit the IT.ie website, where you will find Cyber Security Awareness under Cyber Security in our menu. If you would like to talk to one of our Cyber Team, please email hello@it.ie or call (01) 8424114 and we’ll get right back to you.