“Highly recommend John Phillips. We’ve recently had to claim on our insurance due to the loss of our websites and the whole process has been SO efficient. Every company should have cyber insurance”
Your people are your biggest asset but can easily become your biggest liability. The most important thing you can do for your business is to give them the tools to make the right decisions when dealing with data. 95% of cyber incidents can be traced back to human error. 30% of phishing emails bypass default security measures and Avanan research indicates that 4% of all emails are phishing emails. This means there are exponential opportunities for your organisation to fall victim to a cyber criminal.
Phishing activity spikes predictably between 8 and 11 am, with another spike in the afternoon, timed to coincide with when people are naturally distracted or tired. This shows that cyber criminals have tried and tested methods to exploit the common traits we all share.
These traits are not necessarily a bad thing. Some are double-edged, such as trust in authority and a sense of urgency, which is how CEO scams have become so prevalent.
Some are a little more self-serving but perfectly understandable. We all have a little bit of excitement at a freebie or a little bit of anxiety at the thought we could be missing out on the offer of a lifetime.
A phishing scam in 2018 used the World Cup to steal login credentials to buy and resell electronic goods. There was a spike in activity during the FIFA World Cup, which is attributed to people wanting to purchase cheap TVs to watch the football.
Another weakness to which we are all occasionally prone is the temptation to rush when we are busy. Accidental email leaks are even more common than you might think! We all know the moment of panic after pressing ‘reply all’, and it is a major cause of security breaches. In 2017, 269 billion emails were sent daily and the UK’s Information Commissioner’s Office (ICO) found that emails such as these were behind many breaches.
Increasingly, phishing is not restricted to email and uses social apps like WhatsApp and Messenger, which we are all connected to every day. There is a temptation to view these as safer due to the perceived lack of formality; however, scammers are able to use this social aspect to make their scams even more successful.
A recent scam used WhatsApp to send out a “Win a Sainsbury gift card” message, which encouraged the receiver to share it with their family and friends, increasing the reach of the scammer. Anyone clicking on the links in these messages would be asked for personal data, and in some instances malware could be downloaded.
There are now so many different ways for cyber criminals to engage with their victims that it is easy to get caught out. It is also human. Cyber criminals are sophisticated and have honed their craft to exploit these weaknesses. People can be both terribly predictable and unpredictable. This is not something you can change. But you can change attitudes, raise awareness and empower your people through an effective cyber training program.
A financial controller in a law firm received a call from what seemed to be the firm’s bank, explaining that some suspicious wire transfers had been flagged on the business account. The caller insisted that there was an immediate danger of the remaining funds being drained and that they needed a password and a PIN to put a freeze on the account. The financial controller wanted to avoid any further loss and so confirmed these details to the caller. It later emerged that this had led to $118,830 being wired to three overseas accounts in nine separate transactions. Because the transactions had seemingly been authorised, no reimbursement was offered by the bank.
Making Your Cyber Security Training Effective
Cyber education can also be seen as a tick-box exercise by many managers and staff who find themselves under pressure for time. 55% of companies admit not providing regular cyber security training. But it has never been more important to make the time for cyber security training. People are more likely to engage with a program which offers immediacy and is memorable to the recipient. This can include humour, videos and interactive content.
There are many different options when it comes to cyber security training, but generally the most success is found by choosing a program which combines certain key elements and is divided into manageable modules to avoid cognitive overload and training fatigue. It is easier to reinforce content when the user is encouraged to make connections in their own minds.
With any sort of training initiative, it is important to monitor the success of the program. Many programs will offer a variety of modes of assessment. Users may be able to test their skills using real-life scenarios or, once engaged with a subject, they may have the option to discuss it further through autonomous learning. Rather than fear of judgement and the accompanying embarrassment or shame, curiosity and engagement become the key motivators for the user. Many platforms create new content regularly to ensure it stays current and up to date with the headlines.
All of these aspects help to make cyber security part of your organisation’s culture. A proactive and open culture for your people is possibly your best defence against a cyber attack.