4 steps to build cyber herd immunity and guard against social engineering threats

Scott Wright

This blog post was written by guest author, Scott Wright, CEO of Click Armor. 

Organizations have been facing cybersecurity threats for a very long time. And since the COVID pandemic forced millions of people to start working from home, the risks of phishing, spear phishing and social-engineering attacks have become even more obvious. How do you ensure the security of data that’s being accessed from millions of kitchen tables and guest bedrooms? This was the topic I discussed in July at Tehama’s first Digital by Default Summit. I believe part of the answer lies in what I call “cyber herd immunity”, an approach that “virtually” inoculates all your personnel against the tactics of the world’s cybercriminals.

My company, Click Armor, specializes in training workforces to recognize and thwart these attacks before they can compromise data and reputations. We do this in a unique way, using “gamified learning” that motivates employees to engage and learn to actively defend against cyber attacks. It’s our philosophy that true cybersecurity doesn’t come from one-off training sessions – or what we call “Death by PowerPoint”. Cyber herd immunity is achieved when an attitude of vigilance is embedded throughout the corporate culture, and teams are able to adapt to changing threats through constant readiness. Our approach to cybersecurity focuses on organizations following — and consistently repeating — four crucial steps:

1. Recognize the risks

In the early years of the internet, scammers worked for the fun of it, and they didn’t get much more than bragging rights for their trouble. Times have changed, and the motivations today are more complex and sinister. Today’s hackers are part of a massive global organized crime industry that scoops an estimated $6 trillion a year from the world’s economy. (That, by the way, is $2 trillion more than the total of the world’s spending on enterprise IT.) Typically, attackers hope to get money directly through fraud or ransomware. But almost as often, they play the long game, hoping to hijack your intellectual property, your systems or your critical business processes. The risks are now a daily reality, as attackers realize that untrained employees are really the weakest link – the easiest way into an organization’s data and systems. To protect yourself, you and your people must move quickly to the second step.

2. Know how to respond

At a high level, the advice here is standard: If you suspect you’re on the receiving end of a phishing attempt, do not open the email, as that act alone can surrender personally identifiable information. If you’ve opened the email, do not click any links or attachments within, and definitely do not reply to the sender under any circumstances. Employees are then usually encouraged to report the attempt to whoever is responsible for the organization’s IT security.

The appropriate responses to phishing are well established. So why do so many people keep clicking suspicious links and downloading mysterious attachments? I believe it’s because most employees don’t understand how exposed and vulnerable they already are to these attacks, and how to defend against them. Most personnel need a much deeper understanding of how the scammers select and approach their prey, and the tell-tale clues that can often be spotted during an attack. 

First, people should be aware of how much information they’ve already made publicly available. Through all their likes and shares on Facebook, LinkedIn and Twitter, many people have unwittingly overshared and provided a profile that is ripe for analysis and exploitation. Scammers recognize the very human emotions that are laid bare on social media: greed, generosity, frustration, fear and so on. 

They then tailor their messages to capitalize on those emotions and disarm the recipient’s defenses. In the case of social-engineering attacks, the initial communication often seems innocent. The attacker establishes a friendly online relationship that quickly escalates to take advantage of the victim’s trust. Your workforce should be encouraged to adopt a healthy sense of skepticism about any new online friendship that seems especially flattering or helpful. If it seems too good to be true, it probably is.

3. Practice the response

When it comes to preventing these attacks, the standard corporate belief is that the problem can be addressed with one or two training sessions telling people to “be suspicious of unexpected messages”, and the occasional follow-up scolding. Unfortunately, information that gets shared this way is quickly forgotten, as employees are not motivated to engage and improve their skills. An attitude of vigilance has to be ingrained in your organization’s culture. And that means keeping your people vigilant through an ongoing practice of recognizing and thwarting cyberattacks. This sounds almost impossible, but with the right methods, like gamification, it can be very effective.

4. Stay current as threats evolve

In the early days of the internet, millions of dollars were lost to the classic “Nigerian prince” scam — the promise of a huge financial payout once the victim replied with a security deposit or banking information. While the “prince” is still communicating from time to time (with an unlimited number of variations), today’s tactics are far more sophisticated and less laughably obvious, especially when social engineering techniques are used. Your people need training to recognize and counter the fine-tuning that is constantly happening in these targeted attack campaigns.

Other threats have evolved as quickly as phishing and social engineering during the pandemic, with the world’s sudden need to work from home. Now, on top of all the pre-existing dangers, your organization has to consider the additional risks of shared computers, unprotected data, device theft and insecure Wi-Fi networks. Vague or out-of-date security procedures quickly need updating, and people need to understand how these changes affect their daily routines.

Phishing, spear phishing and social-engineering attacks are a constant and completely predictable reality of the digital age. They are here to stay. To stop this crisis from becoming a full-blown catastrophe, your organization needs to do more than train its people; it needs to inoculate them with a cultural understanding of the importance of self-defence. Whether you call it “cyber herd immunity” or simply a “self-defending team”, it’s critical that your staff be able to spot and avoid evolving threats… or it may be “game over”.

To promote Cyber Security Awareness Month, Click Armor is now offering its new “Home Alone” gamified module for “working from home securely” for FREE through the end of October, 2020. You can learn more at www.clickarmor.ca 

Tehama helps you increase the security of your at-home workforce through cloud-based virtual rooms and desktops. Our fast, scalable solution protects your organization against any individual lapse in vigilance. Through its zero-trust workspaces and built-in SOC 2 controls, Tehama takes care of data security and allows your people to focus on the work that matters. Request a free 30-day trial of Tehama.
