With all the security awareness programs on the market, why are more than half of data breaches still caused by human error? Summit CEO Mike Cohn began looking at these programs and where they fell short. He shared his thoughts on the problem and solutions in this interview today with the Baltimore and Washington DC editions of Citybizlist.
First, what is security awareness and why is it so important?
Security awareness is the most cost-effective approach to reducing the risk of a cyberattack. The majority of data breaches are unintentional, caused by employees who simply don’t know whether an email is legitimate or whether a real company put up that website. The best way to reduce the risk of your employees being fooled is to educate them to recognize those situations and never give them a chance to happen. Most security awareness programs start off well, but have not been reinforced to effect real behavior change.
Why has security awareness failed to take hold?
That’s an interesting question. Before launching our Security Awareness Service, I read up on social psychology to see how long it takes to change behaviors and form new habits. While everyone learns at their own pace, what’s universal to learning is the frequency and duration of an activity. It was clear to me that this is where other programs fail, because they concentrate on training. Training programs are not the same as education. By nature, training is a one-time event, out of context from the rest of your job. In contrast, security awareness is an educational process that occurs over time. Our program is as long as it needs to be to make security awareness instinctive, reflexive and second nature.
Mostly I hear about Phishing. What is that?
Phishing is an attempt by a hacker to trick people into handing over confidential, personal or sensitive information: customer data, credit card numbers, bank accounts, tax returns, passwords or login credentials. Phishing emails also may attempt to get you to click on a link or attachment that can infect your computer.
What are some of the other ways people can be fooled into falling for a scam?
Cybercriminals are media savvy and use all forms of communication. They know people ignore warning signals when they are rushed, distracted or frightened. A red “security awareness” flag should go up if you are contacted about something urgent. If you are encouraged to act now before you are arrested, your account is closed, your computer is infected, you miss out on a great discount, or a promotion ends today, it is probably a scam that you should ignore. No matter what you’re told, you have no obligation to disclose your personal information that minute. Be vigilant about any request for information.
What other security awareness techniques should we know?
Teach your employees to consider any caller, text or email conversation to be suspect if initiated by the other party. If someone calls or sends a form to do a credit check, turn the tables. Ask for their name and identification, but do not ask for a number to call them back as the number could be fake. In fact, if they give you a hard time about providing their contact information, just assume it’s suspicious. Instead, hang up and look up the published information for that business. Call and ask to be connected to the person who just called.
I get a lot of emails that are ridiculous. Do people really fall for them?
There’s actually a reason why some criminals send emails that we would view as ludicrous and clearly bogus. It costs hackers nothing to send out millions of emails. If just one person replies to an email so obviously phony, the criminal knows this person is easy prey.
How can anyone learn enough to keep up with the ever-changing methods hackers use to trick us?
There is no need to be an expert to dramatically reduce the risk of becoming a victim. A successful security awareness program will start by teaching employees the basics, such as examples of phishing emails or fake social media profiles. Once employees are exposed to how hackers work, it is important to reinforce this time and again, through simulated phishing, “fake” notifications, news alerts, tips, etc. until they develop sensitivities that raise their alertness.
Why aren’t there software tools that can find and block these dangerous emails?
There are. Lots of them. And they probably are working hard for you. Most email systems employ layers of tools that block hundreds of emails addressed to you each day. We do this at Summit for our clients. The emails you never see are emails that can be easily verified as spam. There are other tools that compare each email sent to you against large databases of known phishing attacks. You probably don’t see those either. The problem is that hackers continually craft new emails designed to pass these defenses by masquerading as legitimate. This is why security awareness is so crucial. Alert people are the first line of defense.
So emails and social media can be suspect. How about websites? Are they safe?
In a word, no. Cybercriminals are great at creating knockoff websites that look exactly like the real thing, particularly with large, brand name websites that instill confidence. Just because you are looking at a website from Google, Chase, Dropbox, PayPal or Facebook doesn’t mean you can trust it if you were led to it by a link (even a link from a Google search)! These large company websites are the top 5 websites fraudulently duplicated with malware embedded to attack your computer, but there are thousands more. The best way to visit large popular sites is to type in the correct URL.
One more scary fact: there are more than 1.4 million fake websites created – every month! Most are taken down after a day, because they are put up as the site to which phishing emails are directed. Once you are led to the site, bad things are downloaded to your computer while you happily read about the topic that attracted you there – planting gardens, favorite recipes, rearing children, etc.
Sorry to say, but we are never safe. The goal of security awareness is to help you live with that, and take steps to reduce your risk to as close to zero as you can. The goal of our security awareness service is to help businesses and employees initiate that change.
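The knockoff-website point above comes down to one habit: read the host part of a link before trusting the brand name in it. The following is an added example written for this page, not code from Summit or from the interview, showing how a link checker would apply that habit. It assumes a constructed allowlist of the five brand domains named in the interview and treats the last two labels of a hostname as the registrable domain, a simplification that is only right for plain .com-style suffixes (a production check would consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the brands named in the interview (example data, not from the page).
TRUSTED_DOMAINS = {"google.com", "chase.com", "dropbox.com", "paypal.com", "facebook.com"}

# Digits commonly swapped for look-alike letters in lookalike hostnames (paypa1.com, g00gle.com).
HOMOGLYPHS = str.maketrans("0135", "oles")


def registrable_domain(hostname):
    """Return the owner-controlled part of a hostname.

    Assumption: a two-label suffix such as .com. Anything left of those two labels
    (www., paypal.com., secure-login.) is chosen freely by whoever owns the domain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link as trusted, lookalike, suspicious or unknown.

    trusted    : the registrable domain is on the allowlist.
    suspicious : the URL carries credentials before '@' (the text before '@' is not
                 the host) or an internationalized (xn--) label that can hide homoglyphs.
    lookalike  : a brand name appears as a hostname label, but the registrable
                 domain is not the brand's own.
    unknown    : none of the above; the link simply is not a brand site.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    # 'http://paypal.com@evil.example/' -> hostname is evil.example, username is paypal.com
    if parts.username is not None:
        return "suspicious"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious"
    if registrable_domain(host) in trusted:
        return "trusted"
    # Compare brand names against whole labels so 'purchase.example' does not match 'chase'.
    tokens = set(re.split(r"[.-]", host.translate(HOMOGLYPHS)))
    brand_names = {d.split(".")[0] for d in trusted}
    if tokens & brand_names:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email would carry.
    for link in [
        "https://www.paypal.com/signin",
        "http://paypal.com.verify-account.example/login",
        "http://paypal.com@evil.example/",
        "https://paypa1.com/",
        "https://secure-chase.example/",
        "https://news.example/gardening",
    ]:
        print(f"{classify_link(link):10s} {link}")
```

Only the registrable domain earns the "trusted" verdict; the brand name appearing anywhere else in the link is exactly the signal the interview warns about, which is why typing the known address beats following the link.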
About Summit Business Technologies
Innovative | Proven | Dynamic
Summit Business Technologies has decades of experience offering technical and business consulting support. We’re committed to the success of our customers. We offer information technology solutions and support to the Mid-Atlantic region including DC, Baltimore, Annapolis, and Northern Virginia. Headquartered in Millersville, MD, we’re conveniently located 10 minutes from BWI Airport.