Human error is involved in more than 90% of cyber security breaches. With the rise of remote working in 2020, the threat of making the wrong decision while working alone and isolated from the team has exponentially increased.
Sophisticated phishing emails make the situation worse. In fact, they are the cause of one-third of all data breaches. The insider threats security teams are most concerned about are phishing attacks (38%), followed by spear-phishing (21%), poor passwords (16%), and browsing of suspicious websites (7%).
The growing number of social engineering attacks that use legitimate-looking phishing emails to target victims makes it even more important to help online staff detect threats and mitigate the risk of a data breach.
To create a culture of good cyber hygiene, in other words a human firewall, it is important to understand the three forms of human error:
Lack of knowledge
You don’t know what you don’t know. If employees have not been trained in cyber security, they cannot be blamed for doing the wrong thing; they may simply be unaware that they are not acting in their company’s best interest. Cyber awareness training is therefore crucial to protect remote and office workers and to avoid data breaches.
Lack of attention
Employees who are oblivious to cyber security essentials are unlikely to give the matter the attention needed to protect themselves and their employer against malicious attacks; cyber security is not their first priority. The solution is to capture their attention through training and through a direct connection to the in-house security team.
Lack of concern
For many people, following a security protocol means more work, more attention to detail and more discipline, so why bother? To get all employees on the same page and eliminate insider threats, show them what is in it for them when they follow the cyber security protocol.
How can you establish cyber awareness in your organisation?
1. Prioritise cyber awareness training
As with most things in life, we raise awareness through education. To minimise cyber security issues, we highly recommend prioritising cyber hygiene training and educating all employees about the increasing risk of cyber attacks, the most common attack types (such as phishing and spear phishing), and how to identify a threatening situation.
2. Bridge the gap between departments and the security team
CISOs need to ensure that all employees are aware of and understand the security policies and the impact their actions can have on the organisation. Cyber security can’t be the job of the security team alone. To protect your organisation from insider threats, collaboration between the security team and the other departments, including remote workers, is vital. This collaboration requires open communication, which in turn requires trust.
3. Establish best practices
You have trained your staff; they know the security policies and are more aware of suspicious-looking emails. What next? They still might need a mnemonic to decide whether to click on that link or not. A great tool is the H - A - L - T acronym:
H = Header
A = Attachment
L = Links
T = Tone
Additionally, advise your team to ask themselves a few questions, such as:
1. Do I know the sender of the email?
2. Am I asked to act with urgency?
3. Does it sound too good to be true (e.g. “You have won a million dollars”)?
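As an added illustration that is not part of the original post, the H-A-L-T checks and the three questions above can be turned into a small triage script a security team might run over an email that staff have reported. The sample message, the trusted-domain set and the keyword lists are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; the domains and addresses are hypothetical.
SAMPLE = """From: "IT Support" <helpdesk@it-support-login.example>
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/html

<p>You have won a prize! Click <a href="http://198.51.100.7/verify">https://portal.company.example</a> now.</p>
--b
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b--
"""
TRUSTED_DOMAINS = {"company.example"}  # assumed set of senders the reader knows
RISKY_EXT = (".exe", ".js", ".scr", ".vbs", ".bat", ".hta")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|act now|suspended)\b", re.I)
TOO_GOOD = re.compile(r"\b(you have won|prize|lottery|million dollars)\b", re.I)
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def halt_checks(raw):
    # Run the H-A-L-T checks over one raw RFC 822 message and return the findings.
    msg = message_from_string(raw)
    findings, body = [], ""
    # H = Header: does the sender's domain belong to someone we know? (question 1)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"H: unknown sender domain '{domain}'")
    for part in msg.walk():
        fname = part.get_filename()
        # A = Attachment: executable types, often disguised with a double extension
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append(f"A: risky attachment '{fname}'")
        if not fname and part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    # L = Links: visible URL text whose host differs from the real href target
    for href, text in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith("http") and urlparse(shown).netloc != urlparse(href).netloc:
            findings.append(f"L: link text '{shown}' hides '{href}'")
    # T = Tone: urgency or too-good-to-be-true wording (questions 2 and 3)
    text = msg.get("Subject", "") + " " + body
    for rx, label in ((URGENCY, "urgency"), (TOO_GOOD, "too-good-to-be-true")):
        if rx.search(text):
            findings.append(f"T: {label} language")
    return findings
```

Running `halt_checks(SAMPLE)` flags all four HALT categories for the constructed message, while a plain internal note from a trusted domain produces no findings.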