Weakest link…stupid users…human error. Now we have to do cyber security awareness training because our people are our biggest risk. This is exactly how you do NOT start using people in the fight against cyber criminals. Let me explain:
To have a ‘risk’, you need a ‘vulnerability’, and a ‘threat’. In the context of cyber security, it’s a commonly held belief that people are the biggest risk, but I would suggest they are the biggest vulnerability. Breaking these terms down:
- Threat: This is easy – it’s the criminals targeting people.
- Vulnerability: If you have people who don’t know how to identify and respond to the scams targeting them, then they are vulnerable.
- Risk: We have a threat, we have a vulnerability, so we have a risk. That is, people will be tricked by cyber criminals and not respond appropriately.
If people are not vulnerable, there is no risk. If there are no criminals targeting people, there is no risk.
I will say that people can actually be a risk. They can make mistakes (e.g. emailing confidential information to the wrong person). This happens; it's human nature to make mistakes, and we have to accept it. That doesn't make them stupid. And what if you have a person stealing confidential information? Does that make that person a risk? Well, technically I'd say that person has now become the criminal, so they are in fact the threat.
Now the criminals aren’t going away any time soon, and most breaches are via people, so it’s pretty clear that people are vulnerable. To fix this, it's ideal to build a culture of awareness where people are naturally suspicious, cautious and questioning. These are some steps you can take to achieve a 'cyber aware' culture:
- Determine your main concerns with regard to criminals targeting staff.
- Assess your current state, and your desired future state.
- Let people know what’s coming up, and get them along for the ride (change management).
- This is an ongoing campaign, so brand it, e.g. “Cyber security is everyone’s responsibility”.
- Set up an ambassadors program. This is a team of ‘go to’ people when there are questions or concerns. They can also assist with awareness initiatives.
- Get management onside. They have to show they care about cyber security, and understand the importance of staff in keeping the company out of the newspaper for the wrong reasons.
- Now, finally, you can train people. Make it fun, engaging, simple and relatable. Let people ask questions and share stories. You want them to go away and talk about this training. They should share information at home, and make changes at home!
- Remind. People now have baseline knowledge, but they will forget it over time, so keep reminding them. Short, sharp, engaging, fun.
- Nurture. Yes, people aren’t perfect, but over time they will become awesome in the right environment. Mistakes are teaching opportunities, and people must feel totally comfortable to ask for help, or to report being tricked.
- Improve. If you can, collect metrics to make informed decisions on what to do next. Strive for perfection.
So when it comes to cyber security awareness, don't blame people for being the problem because it won't inspire them to change. The problem is that they are vulnerable, and with good process they can understand their importance, the personal benefit, and ultimately become the solution.