Cybersecurity Human Factor

Human factor as a perpetual problem in cybersecurity: Are awareness campaigns wonder drugs?

Many well-versed professionals believe that the human factor is – and will be in a foreseeable future – a perpetual problem in cybersecurity. The cybersecurity awareness campaigns are not wonder drugs but can help.

It is not a secret that cyber-crime is unstoppably picking up. In 2017 about 978 million people were cheated out for around 146.3 billion of Euros – 127 million Euros only from EU citizens in 2018. The trend is this year, unfortunately, continuing. It was reported in February that, for example, the crypto-mining malware increased by 71%, new IoT devices malware escalated by 72% and the financial sector attacks by 20%.

The human factor is a key concern for businesses trying to keep networks secure, disclosed the Kaspersky Lab’s State of Industrial Cybersecurity 2018 survey.  Employees are actually a huge problem as most cyber-attacks are designed to take advantage of human errors rather than flaws in software. Whether people click on malicious links or accept fraudulent emails, nearly half (49%) of organisations in all sectors face critical security consequences due to employee errors.

Kaspersky Lab has also recently reported a cyberespionage operation by a politically motivated Arab-speaking Gaza cyber gang group that mainly targeted the Middle East and North Africa. The operation was most active from April to November 2018 and went by the name of SneakyPastes.

The hacking group used a phishing technique, i.e. sending out mass emails in an attempt to install malware on people’s digital devices and gain access to sensitive information. About 240 people and organizations in 39 countries (mostly in Palestine, Jordan, Israel and Libya) fell prey to the group’s cyber-espionage campaign.

Apparently, the group did it by exploiting the weakest link in the cybersecurity chain – humans. Hence, no wonder that many well-versed professionals believe that the human factor is – and will be in a foreseeable future – a perpetual problem in cybersecurity.

Furthermore, Super Targeted Spear Phishing is becoming the new normal. This entails the multi-stage process, which attackers use: careful observations, large set data collection and then a well-designed mail format, which plays both on emotions and instinct of the victim.

Building complete behavioural profile includes:  (1) marking those employees who normally share their personal data on social media, (2) collecting information about those employees from social media, who respond to stranger’s query, (3) looking for employees who would accept a stranger’s connection request on social media, without verifying it, and (4) acquiring a domain name, which is either of the same name, or else, with similar spelling (with minor letter changes).

Scary indeed! This requires creating awareness that goes beyond usual “Don’t click on suspicious link” or “Don’t respond to an untrustworthy email”.

Can the awareness campaigns and training reduce the risks from these threats?

Certain authors are rather vocal in stating the reasons why the cybersecurity campaigns are falling apart and not yielding desired results. The reasons range from not understanding what cybersecurity really is, not having a plan and poor engagement to relying on check-boxes, not collecting metrics and hit & run approaches.

It is, however, the intention of this article not to add more reasons for failure but to share some advice that can help these campaigns succeed.

“What you need to understand is that some of your employees are lazy”, says Ragnar Sigurdsson, Certified Information Systems Security Professional. “They might recognise that security awareness training is essential, but they want it to be over as fast as possible. Employees don’t want to struggle to read and digest boring security awareness text. They want to be able to understand it quickly and efficiently and continue with their day-to-day job”.

However, he explains that “just because they want to absorb this content quickly doesn’t mean quick training programs are ineffective. A video is a tool that can take your security training from boring to exciting – 30 seconds of video is capable of conveying much more information than any text”.

We do agree with Sigurdsson as it is recently proven that video content was the most memorable (43%) in comparison to text (18%) and images (36%).

A couple of videos though cannot cover all important cybersecurity awareness topics. Hence it is important not to skip explaining the key risks of falling prey to, for example, social engineering, phishing, CEO scams, spear phishing, keyloggers, spyware, malicious attachments, USB key droppers, unattended printouts or the danger of using free Wi-Fi. Tailgating, shoulder-surfing, cleaning desk and not leaving unattended removable media are also vital topics that must be covered by awareness campaigns and training.

Researching and following new developments in a field of cybersecurity is a must for all designers of cybersecurity awareness programmes and campaigns!

However, changing behaviour requires more than providing information about risks and reactive behaviours. Firstly, people must be able to understand and apply the advice, and secondly, they must be motivated and willing to do so – and the latter requires changes to attitudes and intentions.

In that regard, the key factor for raising awareness and changing people’s behaviour is – motivation. If we want people to behave in a certain way we need to motivate them. In other words, we have to understand why employees do certain things and then to select an optimal persuasion method for changing their behaviour. That includes identifying the behavioural drivers.

We at VM Advisory can help you by conducting awareness campaigns in your organisation or organise courses at an accredited tertiary institution. We can also train your personnel on how to plan and conduct your own cybersecurity awareness campaigns.

Leave a Reply

Your email address will not be published. Required fields are marked *