Hardly a week goes by without news of a major security incident. The “McAfee Labs Threats Report: August 2019” survey, which presents cybercrime activity and cybersecurity trends in the first quarter of 2019, has announced 504 new threats per minute in the first quarter, with a 118% increase in ransomware. Data leaks, systems brought to their knees by ransomware, embezzlement, identity theft… these are all commonly encountered types of attack.
In the vast majority of cases, the cause can be traced to failings in the behavior of one or more users. For example, it could be a user clicking on a phishing email and allowing the insertion of rogue code. It could also be an individual using their business email address and password on a website that is later hacked, providing attackers with the credentials they need to log in to the information system. It could also be a naive user who falls for a ruse on a social network and discloses sensitive information. Another possibility is a careless traveler using a public WiFi network. The possible examples are many and take an almost infinite variety of forms.
Faced with increasingly secure infrastructure systems, cybercriminals are attacking information systems’ main vulnerability: their users.
What’s the point of picking a lock when you can simply find someone and ask them to open it for you?
Although significant investment has gone into cybersecurity infrastructure, risk analysis and specialized teams, the human side of cybersecurity has remained the “poor relation”. After too many years of neglect, this aspect is now being recognized as being of vital strategic importance. From a budget of virtually nil in this area just ten years ago, various companies and public organizations have now started to increase their resources in this sphere and are planning programs to raise awareness.
However, much remains to be done. A backlog has built up. It is always harder to change bad habits than it is to learn good ones from the outset. The arrival of a new generation of “digital natives” has not helped either: a study conducted by Pew Research Center in 2018 reveals a much poorer understanding of cybersecurity issues among the 22-37 age group than in the 54+ group. For example, only 58% of the 22-37 group know what phishing is, compared to 73% of the 54+ group. Does that mean digital natives are also “digitally naive”?
Let’s make one thing clear: You’ll never achieve a satisfactory level of security without the support of your information system’s users.
Indeed, it’s customary to point the finger at the weak link represented by the user: “Problem Exists Between Keyboard and Chair” (PEBKAC), as we often hear. However, we think it’s time to turn that paradigm on its head. Our suggestion is to make your users the strong link in your cybersecurity system. Users with the right education, training and guidance can become your best defense against the attacks you face.
To achieve this goal, it is vitally important to implement a professional approach. Just as in any sphere of life, some things work and some things don’t. Experience can provide many lessons in this area. After all, don’t forget that the end goal is to create a genuine cybersecurity culture in your organization, in parallel with the meaningful adoption of the right behaviors to keep it safe.
As a final summary, here’s a refresher on the ten key factors for a successful awareness strategy:
- Have a point of reference: vital for identifying your start point, setting goals and measuring results.
- Have the support of Management: examples are given from the top.
- Have a planned strategy: specify WHO, WHAT, HOW and WHEN.
- Stimulate interest: fun content promoting participation.
- Make messages attractive: they must genuinely impact real-world behavior.
- Keep it simple and accessible: your audience’s time is precious, so don’t waste it by making things too complex.
- Move forward in regular stages: little and often is more effective than all at once.
- Easy roll-out: avoid major IT projects.
- Communicate: make sure everyone feels part of an overall movement and is aware of the results.
- Keep at it: developing a cybersecurity culture takes time.