The rate of cyberattacks has soared. 45% of organisations globally have been impacted by recurring cyberattacks, malware attacks have increased by an astonishing 358%, and ransomware attacks are as equally as concerning with a 435% increase.
These are the findings of Atlas VPN, who have released the data in tandem with the arrival of Cybersecurity Awareness Month.
It has become critical to manage human risks effectively as it’s still the top attack vector used by cybercriminals.
Anna Collard, SVP of content and evangelist at KnowBe4 Africa, warns that social engineering is consistently the number one root cause used by ransomware and other malware attacks to gain initial access. “There are ways of mitigating the human risk factor and engaging with your employees on a deeper level,” she comments. “Approach the training with sensitivity, ensure that your people are engaged, and that their concerns are recognised.”
While simulated phishing campaigns are very effective in educating staff about phishing, a common mistake made by companies as they embark on these campaigns is to use topics that are sensitive or can cause upset. While scammers will use topics such as a fake bonus or lay-offs very successfully in their campaigns, it’s not a good idea to use them as part of the training.
“People don’t react well to this kind of campaign and often this can backfire on the company,” says Anna. “The best way to tackle sensitive phishing topics is to provide people with the tools they need to recognise potential attacks, and, perhaps most importantly, ensure that your employees are happy. Happy and responsible people are the best protection, so work towards creating this kind of culture to achieve long-term security success.”
Another key approach is to ask people for feedback after training sessions, and to utilise that feedback effectively. Use the stick and the carrot approach rather than the terrify and torment one. If you combine negative incentives with positive ones, then people are more inclined to work towards a culture of security. This is further reflected by leadership. It’s important to get executive involvement that goes beyond sponsorship. You want your leaders to become the faces of your cybersecurity campaigns, and to walk the proverbial talk.
“People look to what their leaders are doing, so get a video clip of your senior team leaders sharing why security is important, or undertaking a phishing training course, to show that they are as committed to this as anyone else,” says Anna. “Add to this personal involvement by ensuring that you pull in all teams and silos. Work with marketing, internal comms teams, HR, and every other business department to create a comprehensive and holistic security culture.”
Another critical point is to ensure that you start off your campaign with a clear baseline. You can’t manage what you can’t measure so create a baseline view of your current security status quo by running a proficiency or security culture assessment and track this annually. This will help you to showcase improvements, and manage training more effectively. Finally, make everything fun, especially now.
“People are tired, burned out, and living online, so don’t make your cybersecurity awareness campaign boring, tedious, and time-consuming,” Anna concludes. “Make it beautiful. Ensure that communications are seamless, that content is meaningful, and that every part of the campaign is worthy of engagement. And be human. Emotions are a powerful engagement technique, so use them in your content. Tell stories, use humour, and remember that, above all else, your employees are people first.”