When it comes to cybersecurity, technology is not enough. Yes, it is the foundation. But it is not enough to mitigate the growing threat of cybercrime. The reality is that, even with best-in-class security systems, firewalls, endpoint protections and zero-trust frameworks, the business is at risk without a robust and agile culture of security. The Dark Reading 2021 Strategic Security Survey found that around 48% of security professionals believe that users breaking policy are likely to be the single biggest cause of a major breach in the future. This sentiment is echoed in an ITWeb and KnowBe4 study that examined cybersecurity culture and its impact on the South African organisation.
“Having a robust cybersecurity culture – one that consistently sensitises people, recognises the threats that they are exposed to, and that keeps security top of mind – is imperative,” says Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa. “The survey found that social engineering is on the rise, and that 41% of companies felt they should be doing more to drive security awareness within the company, and its culture. The vulnerabilities are increasing alongside remote and hybrid working, and companies are under immense pressure to stay compliant and secure.”
When people work from home, or from multiple locations, they are more vulnerable to social engineering attempts. These are increasing in sophistication and frequency, and the impact they can have on the business is significant, such as being held to ransom by cyber extortionists. The problem is that people are, well…people. The distracted executive climbing into their Uber, running late for the airport, clicks on an email that is a clever phishing attempt and hard to detect on a mobile device. The stressed worker juggling multiple tasks clicks on an SMS that tells them they are about to lose their bank details if they do not log in right now. These are all emotion-based attacks that catch people unawares, even people who have been rigorously trained.
“People fall for these scams because they’re distracted, busy, stressed or tired, and they make a mistake that can cost them, and their company,” says Collard. “These are the same reasons why people fall for simulations as well – they’re multitasking, they’re busy. They are overwhelmed by information and noise which impacts on their ability to think clearly and recognise the threats.”
Herbert Simon, a psychologist and economist, coined the term ‘attention economy’ and described this as the ‘bottleneck of human thought’. While he came up with this term in the 1970s, it has never been more relevant than today, with human beings taking in around five times more information per day than they did in the 1980s. It is not just being busy and tired; it is cognitive overload. Which brings the conversation full circle back to the importance of building an immersive security culture within the business.
“Yes, hacking humans is easier than hacking machines, but we can reshape this narrative by focusing on training and messaging that reinforce security protocols and approaches,” says Collard. “If people are trained properly, they’re harder to hack. Before they click on the link or start entering their log-in information they’ll pause. They’ll check the website credentials. They’ll ask the right questions. This moment of reflection is what makes all the training worthwhile, and is one of the reasons why 89% of respondents said that security culture was important to their operations.”
Building a culture of security taps into the invaluable potential of human intelligence and awareness. It empowers people by giving them the tools they need to assess situations more effectively and to make informed decisions around emails, clicks and actions. It is the flip side of the psychological coin that cybercriminals use so well: people now know when they are being manipulated, and they have the skills needed to recognise that manipulation.
“The phishing email will come in, the person will be ready to click on the link, and then something about the tone or the style of the message will give them reason to pause and to check out the link or recognise it for what it is,” says Collard. “This is precisely what happened in a manufacturing company recently when someone tried to change bank details; the training paid off.”
Ultimately, building a culture that reminds people about potential threats and suspicious interactions is a proven way of defending against cyberattacks and creating an aware and empowered workforce. It is not only a firewall made up of intelligent people making the right decisions; it also gives people the confidence they need to be productive and secure no matter where they work.