Android Data Recovery
Training an organisation’s staff on IT security protocols has been the business norm for years now. It remains true, however, that a large percentage of successful hacks perpetrated against businesses use just those people to come through the front door. Awareness is essential, but being aware that life online is as risky as real life is but the first step in a process that should end with knowledge and developed skills being applied.
Indeed, it seems a peculiar tragedy that in an era that has given rise to some of the cheekiest and most profitable hacks - and just when cybersecurity is having something of a triumphant moment of comeback - people far too often still manifest huge vulnerabilities simply because they didn’t get the training they needed to keep business safe online.
The old days of awareness being sufficient - where staff might flag something with IT and leave it at that - are gone. In fact, it’s precisely because business has traded on staff ‘awareness’ being sufficient that cyber criminality has turned to mingling with the rank and file. Cybersecurity in 2020 demands more than mere awareness. Staff need to be able to connect the dots, identify possibly fraudulent activity, and have mandated reactions to it, along the lines of a fire drill. Ask a group of IT consultants how often the ‘human factor’ features in their post attack salvage and analysis, and the answer is the same the world over: very often.
There are two races being run: one is between the cyber crooks and the cybersecurity fraternity, and the other is between the crooks and the millions of employees supporting business. The first is tight, often extremely hi-tech and fought in tiny increments. The second is like the high school rugby team playing the juniors - it’s often a whitewash.
- Cybersecurity training must be a regular upskill
Since cyber crooks constantly refine their strategies and tools, truly effective security training has to do the same. If you’re racing Formula One, keeping the same model car for a decade or two isn’t going to stand you in good stead to win anything. So it is with security training for a business’ staff. One might consider it safe to wager that most companies across the globe make effective security training a high priority and spend copiously on it; unfortunately, one would then be parted from their money, as only around 61 percent of polled employees understood the term ‘phishing’ in a recent report.
Understandably, there is a large contingent of global working adults who are variably aware of the dangers to be found online, but not particularly current on the issues that count. In a bigger company of say 15,000 employees, that leaves several thousand vulnerable people (who typically have extensive access) floating in the ether. Rather, it keeps several thousand potential vulnerabilities in play, no matter how technically impressive cybersecurity might be at that workplace. The same report records that only just over 30 percent of people sampled truly understand the routes and implications of ransomware, a dream statistic for data jackers.
Remarkably, as mobile copiously enters the workplace and the separation between personal and work devices (and behaviour) blurs, vishing and smishing are terms even less familiar amongst the sample group. Perhaps most uncanny, the report showed that rather than assuming that millennials are a tech-fluid generation, savvy on all issues as a matter of course, the younger demographic is often less “clued in” than older workers.
It’s akin to having staff use hand grenades as paper weights - the potential for an unpleasant experience is always there. It points to the gap between what IT security really needs and the reality on the ground, and simply says that training clearly must be more regular, extensive, and ingrained. Online security needs to be quickly elevated (and redefined) on the business agenda. When one considers that these statistics were drawn from companies where 95 percent say that they have, in fact, trained staff to recognise a phishing attempt, for example, it’s clear that ‘security training’ is often lip service that leaves no real impact.
- Both broad and niche cybersecurity training is essential
Many companies provide blanket ‘training’ for all employees, although this often amounts to no more than an orientation course, at least in terms of lasting results. Other businesses identify and train only at-risk employees, but in the email age, the shortcomings of this approach are soon manifest. Indeed, both broad but comprehensive cybersecurity training - as well as more detailed niche education - are needed. The curriculum, the nature and the frequency of training has to be critically evaluated in how it measures up to the intensity and sophistication of online fraud attempts in 2020.
With over half of the world’s businesses succumbing to phishing attacks in 2019, clearly a large amount of cybersecurity training doesn’t measure up. Frequency of training is a great place for most companies to start - if cybersecurity training is regular and compulsory, awareness tends to rise along with abilities to identify bad actors. Monthly training sessions can become an opportunity to chat over a cup of coffee, however, without any real gravity attached to the notion of being on the front line of defence.
That must change, along with the fact that even where monthly training happens, it amounts to only a handful of hours in a year for the majority of companies. Thus, frequency must be accompanied by intensity, the depiction of current examples of hacking attempts, as well as subsequent testing of knowledge. The self-help dissemination of ‘training’ materials with an accompanying assumption that staff have ‘got it’ once a few boxes are ticked is dangerously naive.
Every staff member needs to understand why they might be targeted and what it might look like. Even more crucially, workers need to be educated on the potential ramifications of lax cybersecurity, in order for the concept to become personal responsibility. Only when staff understand where they fit in and how it all ties together - and this requires far more detailed training - can business hope to see the tide turning in their favour.