Cyber Threat – The Real Need for Effective Learning and Behaviour Change
When we hear about cyber threat, many of us picture “hackers” with exceptional levels of skill forcing their way into corporate networks to steal sensitive information. In reality, most cyber crime is far simpler and is predominantly enabled through the manipulation of the least effective component of any company’s IT infrastructure, which in every case is the human who operates that IT system.
Cyber crime cost the global economy an estimated $575 Billion USD in 2017, a figure projected to rise to over $2 Trillion USD by 2020, despite increased investment in cyber security infrastructure and greater awareness amongst Executives.
So, what are we getting wrong? The ICO estimates that as many as 90% of all successful breaches were enabled by human error in some way. Significant investment in infrastructure means that brute force attacks take far more time, effort and skill than they did a decade ago. Exploiting a vulnerable or exposed employee is a far more efficient way to achieve the desired end goal.
Studies estimate that up to 85% of all successful breaches begin with Spear Phishing. Spear Phishing relies on social engineering, a technique as old as human interaction, yet now enabled to a far greater extent by our ever-growing digital footprint. Spear Phishing uses malicious emails that are specifically targeted at an individual and appear legitimate because they seem to come from a known contact and to be expected. Increasingly, cyber criminals exploit our digital footprint to build rapport and create a plausible and appealing way of gaining our interest.
Consider how a person you have never met, from a country you have never been to, could know about your family connections, where you work, where you go on holiday, and your hobbies and interests. Do we consider the risk before we contribute to our online profile, and do we understand how this information could be used to exploit us in the future? The answer is that we don’t, because the significant majority of people do not engage with personal cyber risk. We cannot expect anyone to engage with professional risk before they realise why it is relevant to them.
What are we getting wrong with our approach to cyber security awareness training? Our Training Needs Analysis shows that the primary motivator for almost all companies we work with is compliance. Cyber security awareness training is often approached in the same way as other mandatory training, such as E&D (Equality and Diversity) or H&S (Health and Safety), yet it is fundamentally different. Why? Because our staff have not yet undergone the required level of behavioural and cultural change. We have been informally and subtly educated in subjects like E&D and H&S since our very early years, so that understanding is already ingrained in our daily behaviours. Cyber security awareness is very different.
Most adults in employment have no formal cyber security awareness education. It is not something we learned in childhood or even through the national education system; therefore, we have not developed the natural behaviours required for effective and sustainable behaviour change. This lack of awareness is not limited to older generations either. Millennials as a group are among the most at risk. Dependency on cyber space is very much part of their generational culture, yet despite greater levels of IT literacy and capability, understanding of functionality does not equate to understanding of risk and threat.