The spectrum ranges from blaming and hating through despair right up to resignation: many IT managers come up against the human factor in cyber security. Daniel Keller, Cyber Security Consultant at InfoGuard and security awareness expert, tells us the kind of things he often hears in this regard and what (un)truths lie behind them.
The following anecdotes are a collection of fictional statements from security experts, IT managers, CI(S)Os and people from the cyber security industry that I have previously faced in my career. This is in no way an accusation, but rather an aid for those responsible for cyber security awareness to value employees and integrate them into the security system.
“I’ve already explained this to them twice...”
Let’s start with something simple. Really often I hear that behaviour X or topic Y has already been explained twice (or more). Disappointment sets in when the newsletters that have already been sent out have no effect or have not been read. Even if the learning content was communicated understandably, this doesn’t necessarily lead to a change in behaviour.
“Password manager, fine – but download it yourself.”
An important step is often neglected when implementing awareness measures. Awareness consists not only of measures that directly affect employees, but also of technical measures. Take password managers, for example: these need to be made available to employees, pre-installed on the end devices and use of the password manager needs to be practised in one (or more) training sessions. However, the aim of the training should not simply be the transfer of knowledge. The participants should be able to apply their newly acquired knowledge immediately, check their passwords and change them if necessary, and enter them into the password manager.
“Guidelines? Instructions? Everyone signed them when they started.”
Signed, yes. Understood? Less so. Guidelines are important, but it is even more important that they are understood. They don’t just need to be up-to-date and easy to understand, the employees need to be taken through them accordingly.
“They always click on phishing links anyway!”
Let’s not fool ourselves: the click-through rate for phishing simulations or attacks will never constantly (or ever) be zero. It’s not technically possible to eliminate the risk completely. Therefore, further measures are required to eliminate the existing risk. So the statement or even the assumption that people always click on phishing links anyway isn’t wrong, but from my point of view, the motivation behind it is wrong.
“What’s the point of awareness anyway?”
The answer’s quite simple: a reduced risk of behaviour that is not compliant with information security. I often have discussions and conversations with people who don’t see the point of security awareness. I’m particularly grateful for these conversations, because they often result in other aspects of awareness such as the reporting process, the acceptance of technical measures (e.g. MFA), the internal position of the cyber security department or the personal benefits of awareness.
“They’re resistant to learning!”
Awareness isn’t a one-off measure. As already described, it takes more than just imparting knowledge. Accompanying measures that remind people of the behavioural patterns, discussions about the topic among employees and a constant examination of the topic are part of the (compulsory) program. Furthermore, a mix of different training measures is necessary to reach all types of learners. Positive communication is what it’s ultimately about.
“Personal issues have no place in awareness training.”
Often personal actions and habits are carried over into the professional environment. When trying to adapt the focus of the content of awareness training to the personal environment, I often hear the above statement. Offering training for topics outside the business context offers high prospects of success. Not only do many topics overlap, but also behavioural patterns can easily be transferred from the personal to the business sphere.
“It doesn’t get much more obvious than that!”
A high level of difficulty is usually desired for phishing simulations. Why is that? When working through the simulation, users spend several minutes on the email, with the clues and the wrong sender’s address. During this process, it is often forgotten that emails are read during the bustle of everyday life. This shows the difference between knowledge and behaviour.
“Please report incidents to: MUCHTOOLONGANDCOMPLICATED@COMPANY.COM”
Okay, that was a bit over the top... We’re back to technical measures here. There must be an easy way for employees to report incidents. For phishing emails, this is ideally done via an integrated button. It’s also good to be able to get in touch via a simple email address or by phone. The latter is mainly for the worst case, if the email infrastructure is not available and/or compromised.
Tips and tricks to easily unmask phishing emails
Security awareness is not a one-off project and behavioural change takes time. You can find easy-to-understand tips and tricks for quickly recognising phishing e-mails on our phishing poster, which you can download straight away (and also distribute to your employees).
Strengthening security awareness with strategy and experience
Cyber security awareness has its pitfalls and is more complex than is often assumed. It’s therefore all the more important to have professional and strategic support for the measures from experienced experts. Suitable security awareness campaigns and measures can not only impart the necessary basic knowledge and increase employees’ sensitivity to information security, but also bring about lasting changes in attitudes and behaviour.
Would you like to learn more about our InfoGuard security awareness services such as workshops, training courses, e-learning options, awareness communication etc.? Contact us for a no-obligation tailor-made offer. We look forward to boosting the security awareness of you and your employees!
