Page 28 - Cyber Warnings August 2017

The ‘technology-only’ approach
In spite of the clear role that human psychology plays in the cyber security landscape, the industry has strangely yet to properly confront the human element – the psychology, the emotions, the motivators, and the lack of knowledge – which drives cyber-crime. According to a recent Mozilla survey, 91% of people still “don't know much about protecting themselves online”.

This neglect has meant that emotion and human error are now the significant inlets for attackers. Verizon’s “2017 Data Breach Investigations Report” revealed that 66% of malware is installed via malicious email attachments and that 43% of all cyber-attacks are ‘social’ attacks such as phishing. Over the course of a year in a company of 100 people, Verizon estimates that approximately seven employees will be victims of a successful phishing attack.

Attacks are growing and becoming more consequential, with nearly every industry now impacted, affecting even the highest rungs of business and government. In March of this year, Facebook and Google were conned out of $100m in a phishing scam after being tricked by a Lithuanian man impersonating an electronics manufacturer. In July, numerous phishing attempts were made against US nuclear power stations. In August, White House officials were fooled by an email prankster.

If high-profile attacks like these have taught us anything, it is that cyber security needs to be a more holistic mission. Relying solely on security software isn’t enough.

Learning self-defence
Education of staff and a focus on permanently changing online behaviour is evidently part of the solution, but when traditional training programs aimed at cognitively arming staff have been proven to have minimal effect, companies need to be wary of where their money goes.

Cyber security training needs to be about more than education. It needs to transform human psychology itself and fight against our instinctual human emotions that drive us to mindlessly click on links, even when we know full well that we shouldn’t.

A tick-box approach to training is clearly not sufficient. Neither is overwhelming staff with technical information or giving staff useless ‘training manuals’; simply reading facts doesn’t in any way suggest that those facts will be acted on.

Having a two-hour training session once every few years is a pointless venture. It’s well documented within educational psychology that people retain much more information in regular, smaller chunks, and the way that businesses train their staff needs to reflect this.

Once organisations begin to take a modern, psychologically minded approach to their cyber security, they’ll be sure to find an actual, tangible change in online conduct.

Balancing people with technology
Today’s businesses have largely chosen to invest in technology to enhance their cyber defences, perhaps assuming that a technological attack is best neutralised by a technological defence.

Cyber Warnings E-Magazine – August 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.