Movie depictions of hackers generally follow the same theme: an insanely gifted geek breaches a system through a mixture of intelligence, guile and the use of highly sophisticated tools and technology.

While that’s an exciting spectacle, the reality is more prosaic. More than three-quarters of cyber breaches aren’t hacks at all. They result from stolen credentials or human error. In most cases cyber criminals are logging on, using legitimate passwords and account names.

Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches involve stolen credentials. According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches include the human element, with staff being involved either via error, use of stolen credentials, or social engineering.

In many cases, people are falling victim to deception, such as a fake email or text from a supposedly trusted source asking you to click a link and verify your account details. If you are taken in by this bogus request, and cyber criminals use many methods to trick you into doing so, you will have given an attacker your identity and your means of authentication. In simple terms, your username and password.

These attacks, known as phishing, vary in sophistication: from mass email campaigns, spamming enough employees in the hope that a few will be caught out, to Business Email Compromise (BEC), a highly targeted activity focused on a key individual, such as a company CEO or a senior manager in Finance. In this scenario, attackers gain access to the email account of a trusted senior figure in a business. Posing as that person, the attacker asks for a fake invoice to be paid or an account transfer to be made, using social engineering techniques to make the request appear genuine.

Artificial intelligence is only going to make it worse, with the frequency and sophistication of attacks likely to increase significantly from this point forward. We're already seeing a marked improvement in the quality of fake sites and documents produced with AI; voice simulation is another feature, where AI impersonates someone known to the victim using voice data scraped from publicly available sources.

The good news is that, far from being the weak link, human beings can be trained to spot common attacks, regardless of their level of technical expertise. If kept up to date with the latest methods and what to look out for, your staff can become a crucial first line of defence for your business.

Key to this is making it relevant to them personally as well as in the context of work. Research shows that it is easier to change behaviours when you include a personal dimension.

Building a cyber security culture

  • Look to build a culture of collective responsibility where everyone feels invested in the process and understands their role in helping to keep themselves and the business safe.
  • Encourage a culture of inclusivity with blame-free reporting. If someone suspects they may have inadvertently clicked on something, making the business aware as soon as possible gives you more time to investigate and do something about it. Chances are they will not be the only ones.
  • Security awareness training covering many aspects from safe web browsing and phishing training, to data and physical security – such as good printing practice and building access – is essential.
  • Develop good, workable policies and procedures and make staff aware not just of their existence and their obligations under them, but why they exist and what purpose they serve. An example might be account transfers and payments: if a request is over a certain threshold value, staff should conduct further checks to confirm that it is genuine before remitting.
  • You may decide to take it a step further with exercises such as phishing simulations. It’s wise to conduct these once staff have received training and been made aware of what to look out for. These can increase in sophistication to include other methods of attack, such as through voicemail and text, as time goes on.

Evaluating security awareness training services

How can you ascertain if you're receiving a robust Security Awareness Training Service?

  1. Ensuring the training captivates and resonates with the audience is crucial. A programme that delivers content 'little and often' is more beneficial: engagements spaced out in short, regular intervals, such as five minutes every two weeks, prove more effective than lengthy sessions spaced far apart.
  2. The service should offer customisation options that align with your organisation's culture and the typical user's profile. While creative methods like cartoons or simulated sitcoms can be engaging, they may not suit the learning preferences of all, especially experienced professionals.
  3. Incorporating elements that foster general cyber awareness, or the concept of being a responsible 'Cyber Citizen,' can enhance engagement. Training that connects with personal aspects of an employee's life tends to foster better engagement, encouraging the application of best practices and good habits within the workplace.
  4. As cybercriminal strategies evolve, the training service should adapt accordingly. It's important that the provider stays informed about the latest threats and offers updates through accessible formats such as video content, newsletters, and regular communications.

By focusing on these aspects, you can better evaluate the quality and effectiveness of a Security Awareness Training Service, ensuring it meets the needs of your organisation and contributes positively to your overall security posture.