Sascha Maier, Head of IT & Cyber Resilience, IWC Schaffhausen
What is the point of protecting a corporate network if attackers get past virus scanners and firewalls not by planting malware that copies passwords, but by using social engineering to trick individual employees into typing their log-in details into a phishing site themselves? It is nothing new to say that attackers favour social engineering. For years, human failings and errors have been the main way in for successful digital attacks on companies, and the trend is rising. According to one recent report (Verizon Data Breach Investigations Report 2020), roughly 70 per cent of all confirmed breaches are attributable to hacking and human error. Of the breaches classed as hacking, the same report finds that over 80 per cent involved brute force or the use of lost or stolen credentials, which is precisely what a successful phishing campaign delivers to the attacker.
How do you build a human firewall?
In view of this, corporate cyber-security teams should not limit their focus to maintaining and expanding the technical resources at their disposal. They need to make the whole staff part of the effort by setting up a cyber-awareness programme. The aim is to make as large a part of the staff as possible familiar with current methods of attack, in order to prevent the one disastrous click. The icing on top is when employees themselves report suspicious e-mails, calls, websites or people. But reaching that objective requires both work and a budget.
Ideally, the IT department and the HR or Internal Communications department tackle the project together. The IT or IT Security department has eyes on both the types of attack currently in use and the routes by which attackers attempt to penetrate networks. Conversely, the HR or Communications department has expertise in how best to communicate specialist cyber knowledge.
The company management needs to be on-board
Before engaging with the detailed design of an awareness programme, management first needs to be brought on-board. On the one hand, this is in order to secure the budget needed for the measures. Ultimately, external speakers (live hacking), text and video producers and layout experts cost money. It is fairly rare to find these resources internally, meaning that they need to be bought in.
On the other hand, it is to obtain a commitment from management that no employee will be punished, let alone dismissed, for inadvertently triggering a security incident. Without that in place, a climate of fear envelops cyber-security, and that makes it practically impossible to get the necessary cooperation from staff. The ideal situation is where management personally approaches the staff to launch the programme, in order to underline the relevance of the issue. If that launch also carries a request to report possible security incidents such as phishing e-mails immediately to the relevant colleagues, then reporting gains the same impetus.
Clarification is also needed as to whether attendance events and webinars held as part of the programme count as working time. Confirming that they do further boosts their popularity.
Become a brand
The content to be communicated always needs to observe the ancient wisdom for all communications: “The bait needs to taste good to the fish, not the fisherman”. In this instance, the fish is the staff, the bait is the awareness information and the fisherman is the team responsible for the programme.
Right from the start, programme managers need to be clear in their own minds that cyber-security is both an abstract and a complex subject. Hardly any employee will recognize, without additional guidance, why the issue affects them. So anyone who launches into communications about it without prior warning or preparation within their organization will not achieve their objectives.
Part of that preparation is making the awareness programme into a brand. It merits a memorable name, its own logo (which can be printed on items such as mouse-pads, webcam blockers, bags or USB security tokens) and an entry in the intranet navigation. Without this branding, it is harder for staff to associate each piece of content with the programme immediately.
Getting to the content
On top of this, the degree of specialization in each communications measure needs to be matched to the target group: PC professionals and software developers merit a different treatment of an issue than the presentation you might choose for employees in the Production department who spend only 30 minutes per week at a PC. So it may be necessary to prepare the same content, e.g. tips on password security or anti-phishing information, at differing degrees of specialization.
Instead of limiting yourself to one communications channel, employees need to be reached wherever they are: on the intranet, in the canteen (via digital info-screens), in their e-mail inbox (newsletters), during their leisure time (more on that below) or on the move (on-demand webinars). A mix of purely digital communication and live events, whether virtual or in-person, livened up with the occasional competition, is the quickest route to achieving your objectives.
The follow-up on that tip about reaching employees during their leisure time? Practically every employee has a smartphone, a tablet or a PC/laptop at home, and when using these devices they are exposed to exactly the same kinds of attack as at work. So why not speak to them as private individuals, with specific communications measures? For example, by giving advice on shopping securely online in the run-up to Christmas.
Irrespective of the chosen communications mix, one point should be observed in all cases: the information measures must not be episodic, one-off events. Rather, the communication needs to be repeated and reinforced to have an impact, otherwise most of it is lost. Ideally, an editorial schedule is devised and the measures are rolled out on a quarterly basis.
Guaranteed ineffective measures
In addition to the tips given above, there is also a short list of things to avoid. These include fearmongering and scare tactics. These arise when you flag up (big) issues such as phishing waves, malware campaigns or transfer fraud without giving employees any help in dealing with them. Even phishing simulations can leave users feeling insecure, and are therefore to be used with care.
One way to waste time, money and attention is generic, pre-made webinar content, such as a number of (US) service providers offer. Licensing it may seem the easy option. But since the content practically never matches the requirements of the organization in question, it fails to achieve its objective.