Security Awareness for… series: What do Employees want from Security Awareness Training?

Technology and Psychology – The Cybercriminal’s Toolkit

In our Security Awareness for… series, we’ve already looked at what:

• Chief Executives, 
• Heads of Information Security
• IT Directors and Managers; and
• Finance Directors

want from security awareness training , so now we turn to consider what the employee seeks.

If you’d asked anyone about Cybersecurity problems ten years ago you’d likely get a shrug of the shoulders and a nonchalant look. Today, you would have to have been asleep for several years not to have noticed that cybercrime has hit the roof and security incidents have impacted the minds, and pockets, of us all.

One of the innovations that has given cybercriminals the upper hand has been the use of not only technology but human psychology to enact their criminal activities. Many modern cyber threats use our own behaviour as part of an often, multi-pronged attack. The jigsaw puzzle needed to fix cybercrimes is complicated. The result of cybercriminal activity can be seen in the statistics collated by industry analysts and firms fighting on our side.

• Number of breaches. In 2017, we saw a doubling of cyber attacks. Companies of all sizes and types were under siege. Statistics by the UK government has found over 40% of businesses experienced a cyber attack in 2017 with that number rising to over 70% for larger firms. We witnessed major breaches like the Uber and Equifax data leaks in which hundreds of millions of personal data records were exposed. In 2016, there was a reported ransomware attack every 40 seconds As we move into 2018/2019 the attacks are morphing into new methods such as cryptojacking which saw an increase of 8500% in 2017.
• Cost of breaches. The Ponemon Institute provides an annual insight into the costs of cybercrime across all types of organisations. In their 2017 report, they found that in the UK, for example, the average cost of a data breach was £2.48 million
• Type of breaches. The one thing you can predict about cybercrime is that it is ever-changing. Breaches, however, focus on certain core outcomes which include: the theft of data; denial of service (e.g. to shut a website down); sabotage; and, financial theft, including ransomware. Cybercriminals use a variety of techniques to achieve their end goal. This includes: web attacks such as SQL injection and XSS; phishing to steal login credentials or install malware; Distributed Denial of Service (DDoS); Business Email Compromise (BEC). One thing you can be sure of is that cybercriminals innovate.

All in all, the landscape of cybercrime is convoluted, complex, and changing. It takes an intelligent and proactive approach to deal with this and make headway.

In this short series of articles, we will take a look at how having an awareness of cybersecurity threats and building a culture where security becomes second nature, affects different organisational roles. And, how applying security awareness campaigns to combat cybercrime, places the ball in the court of your organisation, rather than the cybercriminal’s hands.

The Employee On Security

Your employees are the life-blood of your business. Without them, let’s face it, you wouldn’t have a business. A good employee is also a very special person and they need to be nurtured and respected. This translates into putting effort towards building their confidence in the job as well as the workplace in general.

Security issues hit employees at the coal face. When a company experiences a cybersecurity attack, such as a ransomware incident, it requires a lot of time and effort from individual employees, not only to fix (if they are on the IT team) but also to deal with the fall-out if they work in other departments. When the ransomware, WannaCry, hit the NHS in 2017, the staff had to deal with enormous disruption. Many affected hospitals were unable to issue vital medications and had to divert A&E patients to unaffected hospitals. The staff on the ground had to deal with the chaos.

In a “Lessons Learned” paper from NHS England, they make reference to the impact of WannaCry on staff where they explain:

“The dedication and hours put in by staff across all parts of the NHS during the incident may not have been widely known, but made a huge contribution to containing the disruption to patients”

Employees take a lot of the brunt of a cybersecurity attack because it affects their work, their time, and their morale. Some key cybersecurity areas that affect the employee:

• It’s not my fault! Over the last 5 years or so, cybersecurity incidents have become increasingly sophisticated. One of the reasons for this is the incorporation of human behaviour into the cybercriminal’s bag of tricks. The end result is that individual employees can become the focus of malicious intent. This can often be in the form of a phishing email or the more targeted version, spear phishing. In the latter case, the cybercriminal will often spend time using various surveillance techniques, even calling employees on the phone pretending to be a client, or similar, to build a relationship with the person. They then come in for the kill, using the gathered intelligence, to steal login credentials or other details, to perform their crime. It can be hard for an employee to recognise the signs of a scam if they are not aware of the steps involved.

• On no, not compliance calling again: Data protection and privacy regulations are changing along with the ever-changing cybersecurity landscape. Many regulations specify that employees understand the how’s and wherefores of cybersecurity. Regulations that specify that employees have specific training in security awareness include ISO/IEC 27001 and PCI-DSS. ISO 27001, for example, says this about employees and security:

“Managers should ensure that employees and contractors are made aware of and motivated to comply with their information security obligations.”

• The walk of shame. If an employee is successfully targeted by a cybercriminal the result can be catastrophic for both the company and the employee. For example, in Business Email Compromise (BEC) the scam’s end result is the loss, of often, millions of pounds. The ruse may often involve finance department staff who are tricked into thinking the cybercriminal is a superior in the company, such as a CEO or CFO. The employee will be tricked into sending out money to fake clients. Worst case scenario is the company is put in jeopardy and everyone’s jobs are put at risk; but often the best case scenario we see is that the employee is put on a warning or sacked.  It’s important that we help employees remain vigilant against all types of attacks and that this is a positive action.  We should never seek to punish employees if they aren’t acting maliciously – after all, we have a duty to train them.

Employees are affected by cybersecurity at work, but it also affects their personal life too. We have reached “peak cybersecurity” and every one of us is feeling the pain. Cybersecurity has left the building and we all need to pull it back into line. A “culture of security” is no longer a nice to have or some mythical creature, it is a must have. And, this culture is made up of everyone taking part and understanding how to stand up against cybercrime.

What security awareness can offer your employees

Security awareness needs to become part of our normal day-to-day work life. Security threats know no boundaries. Cybercriminals do not think, “Oh, I’ll only send this phishing email out to the board of a company”. The cybercriminal is an equal opportunities employer.

Having a security awareness training program in place is not just about ticking the boxes of compliance. It is also about giving your workforce the weapons to protect themselves and your business.

Security awareness training creates human shields. It is a powerful way to not only protect your organisation from the dark threats of cybercrime, but it also educates your workers to protect themselves, even outside the company.

1. Inclusive security: Security is for everyone and building a culture of security is your first step towards this. Co-opt key employees into your training package to help you set the goals for the training. Being inclusive will ensure that you deliver relevant training that provides context for the employee.
2. No jargon training: Nothing puts people off more than jargon. The security industry can be one of the worst culprits for using acronyms and jargon which confuses users making them switch-off. Use security awareness training packages that use plain language and avoid “techese”.
3. Fun and games: Security awareness training should never be mundane and boring. If you keep employees interested, you will see better results. Security awareness training that uses gamification techniques has been shown in a study by the Norwegian University of Science and Technology to have “positive effects when used in a security context.” Once you start seeing employees spot a phishing email you will understand how effective security awareness training is.
4. Fast and relevant: Interest and relevancy are important aspects of effective security awareness training. Amongst the many studies done on building training and teaching programs, the simple ideas of interest and meaning have been shown to be vital in effective uptake by learners. One such study concluded that to motivate students, “…make a connection between their course material and their lives. In other words, they were able to discover meaning and value in their education.”

In Conclusion

Your employees are the front line in your effort to stay cybersafe. Keeping them aware of the threats that your company faces will also keep them safe at home too. Your staff can become one of your best assets in ensuring that cybercriminals are stopped in their tracks. Using an effective security awareness program with your employees will reap the benefits across your organisation and build a human shield against cyber-attacks.