It’s Cybersecurity Awareness Month at a time when cybersecurity awareness should be on everyone’s mind. The risk of attack has soared, according to Atlas VPN (bit.ly/3ojkQgI) – 45% of organisations globally were impacted by recurring cyberattacks, malware up by 358%, and ransomware by 435%. Anna Collard, SVP of content and evangelist at KnowBe4 Africa (KnowBe4.com), warns that social engineering is consistently the number one root cause used by ransomware and other malware attacks to gain initial access.
It has become absolutely critical to manage human risks effectively as it’s still the top attack vector used by cyber criminals. “There are ways of mitigating the human risk factor and engaging with your employees on a deeper level,” she adds. “Approach the training with sensitivity, ensure that your people are engaged, and that their concerns are recognised.”
The best way to tackle sensitive phishing topics is to provide people with the tools they need to recognise potential attacks
While simulated phishing campaigns are very effective in educating staff about phishing, a common mistake made by companies as they embark on these campaigns is to use topics that are sensitive or can cause upset. While scammers will use topics such as a fake bonus or lay-offs very successfully in their campaigns, it’s not a good idea to use them as part of the training.
“People don’t react well to this kind of campaign and often this can backfire on the company,” says Collard. “The best way to tackle sensitive phishing topics is to provide people with the tools they need to recognise potential attacks, and, perhaps most importantly, ensure that your employees are happy. Happy and responsible people are the best protection, so work towards creating this kind of culture to achieve long-term security success.”
Another key approach is to ask people for feedback after training sessions, and to use that feedback. Use the stick and the carrot approach rather than the terrify and torment one. If you combine negative incentives with positive ones, then people are more inclined to work towards a culture of security. This is further reflected by leadership. It’s important to get executive involvement that goes beyond sponsorship. You want your leaders to become the faces of your cybersecurity campaigns, and to walk the proverbial talk.
“People look to what their leaders are doing, so get a video clip of your senior team leaders sharing why security is important, or undertaking a phishing training course, to show that they are as committed to this as anyone else,” says Collard. “Add to this personal involvement by ensuring that you pull in all teams and silos. Work with marketing, internal comms teams, HR, and every other business department to create a comprehensive and holistic security culture.”
Another critical point is to ensure that you start off your campaign with a clear baseline. You can’t manage what you can’t measure so create a baseline view of your current security status quo by running a proficiency or security culture assessment and track this annually. This will help you to showcase improvements, and manage training more effectively. Finally, make everything fun, especially now.
“People are tired, burned out and living online, so don’t make your cybersecurity awareness campaign boring, tedious and time consuming,” concludes Collard. “Make it beautiful. Ensure that communications are seamless, that content is meaningful, and that every part of the campaign is worthy of engagement. And be human. Emotions are a powerful engagement technique, so use them in your content. Tell stories, use humour, and remember that, above all else, your employees are people first.”