It’s Cybersecurity Awareness Month at a time when cybersecurity awareness should be on everyone’s mind. The risk of attack has soared, according to Atlas VPN (https://bit.ly/3ojkQgI) – 45% of organisations globally were impacted by recurring cyberattacks, malware up by 358%, and ransomware by 435%. Anna Collard, SVP of content and evangelist at KnowBe4 Africa (https://KnowBe4.com), warns that social engineering is consistently the number one root cause used by ransomware and other malware attacks to gain initial access.
It has become absolutely critical to manage human risks effectively as it’s still the top attack vector used by cyber criminals.
“There are ways of mitigating the human risk factor and engaging with your employees on a deeper level,” she adds. “Approach the training with sensitivity, ensure that your people are engaged, and that their concerns are recognised.”
While simulated phishing campaigns are very effective in educating staff about phishing, a common mistake made by companies as they embark on these campaigns is to use topics that are sensitive or can cause upset. While scammers will use topics such as a fake bonus or lay-offs very successfully in their campaigns, it’s not a good idea to use them as part of the training.
“People don’t react well to this kind of campaign and often this can backfire on the company,” says Collard. “The best way to tackle sensitive phishing topics is to provide people with the tools they need to recognise potential attacks, and, perhaps most importantly, ensure that your employees are happy. Happy and responsible people are the best protection, so work towards creating this kind of culture to achieve long-term security success.”
Another key approach is to ask people for feedback after training sessions, and to use that feedback. Use the stick and the carrot approach rather than the terrify and torment one. If you combine negative incentives with positive ones, then people are more inclined to work towards a culture of security. This is further reflected by leadership. It’s important to get executive involvement that goes beyond sponsorship. You want your leaders to become the faces of your cybersecurity campaigns, and to walk the proverbial talk.
“People look to what their leaders are doing, so get a video clip of your senior team leaders sharing why security is important, or undertaking a phishing training course, to show that they are as committed to this as anyone else,” says Collard. “Add to this personal involvement by ensuring that you pull in all teams and silos. Work with marketing, internal comms teams, HR, and every other business department to create a comprehensive and holistic security culture.”
Another critical point is to ensure that you start off your campaign with a clear baseline. You can’t manage what you can’t measure so create a baseline view of your current security status quo by running a proficiency or security culture assessment and track this annually. This will help you to showcase improvements, and manage training more effectively. Finally, make everything fun, especially now.
“People are tired, burned out and living online, so don’t make your cybersecurity awareness campaign boring, tedious and time consuming,” concludes Collard. “Make it beautiful. Ensure that communications are seamless, that content is meaningful, and that every part of the campaign is worthy of engagement. And be human. Emotions are a powerful engagement technique, so use them in your content. Tell stories, use humour, and remember that, above all else, your employees are people first.”
Distributed by APO Group on behalf of KnowBe4.
© Press Release 2021
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.