It has always intrigued me that, when Cyber Awareness comes up, a number of IT professionals instantly respond with a somewhat defensive statement about X email filtering system, Y patching regime and Z firewalls. Is that really what Cyber Awareness is about?
Granted, Cyber Security is a complex matter, and it is slightly ironic for someone of my limited technical knowledge, who had to google what an IP address is and consulted a dictionary when attempting to spell WiFi correctly, to be talking about it at all. However, I have worked in the Cyber Awareness & Compliance industry for over three years now, and in that time Phishing has stopped being a recreational activity with a rod and bait, Data Protection is no longer just an Act from 1998, and Tailgating no longer means watching a cheeky so-and-so follow an ambulance through a red light to beat the traffic. The world of Cyber is changing!
During the last 3 years, I have found the learning curve steeper than the number of people affected by the Equifax Breach, so for the average Joe in the organisation who isn’t living and breathing Cyber/Information Security and GDPR everyday, how in the world are they going to keep up?
So, in summary... just kidding. I wish I could finish here, because I have calls to make, but there are a few things I would like to address first.
As I mentioned earlier, a large majority of the organisations I speak to point to their technical barriers: "We have XXX for spam filtering, so we don't receive many phishing emails." What I'm thinking is, "Ha, yeah, you think you don't!" What I actually say is, "That's great to hear. When you say 'many'...?"
You see, these hackers are smart people, and they are getting smarter. A study by the University of Plymouth on the effectiveness of phishing filters found that 64% of the potential phishing emails tested (each of which included a potentially malicious link) made it into the user's inbox. Now, before you shout at me, I accept that the filter under test may not have been the best £1,000,000 system on the market, but even so, a number of phishing emails are still reaching the inboxes of your staff. Are they prepared for that?
It's like the "wet paint" sign test; we've all done it (maybe when we were slightly younger). "WET PAINT - DO NOT TOUCH." I have no idea where it comes from, but people are becoming less trusting of what they are told, so surely this paint can't be that wet? It's a similar scenario with emails. Free holidays. Discounted goods. Extra annual leave days. A salary increase. All are potential phishing lures designed to take advantage of the curious yet untrained eye.
So what is the solution? Simulated phishing campaigns? eLearning? Videos? Policies? We can't just ban people from using email, can we?
In my opinion, it's a combination of all of the above (no, obviously not banning people). Your staff need to know what is expected of them and what their responsibilities are. Make sure they are actually reading, fully understanding and signing off on your policies and communications. Continuous education! I don't mean a PowerPoint presentation every week, gosh no. Make your regular training fun and engaging (let's face it, cyber security is boring; sorry, CISO). Then test your staff. Are they taking the information in? Is it actually working?
Finally, from your perspective (yes, you, the person in charge of all this), wouldn't it be easier if all of this were automated for you?
What do you think? Have I just waffled about nothing (you can tell me, I won’t be offended, much)?
What does your Cyber Awareness Campaign look like?
Lewis Murphy - MetaCompliance