Cyberattacks have spiked since the COVID pandemic. According to the FBI Internet Crime Complaint Center, total security complaints in the United States grew from 467,361 in 2019 to 847,376 in 2021, with losses topping $6.9 billion last year. The report indicates that phishing and its variants are the majority of the cases.
While companies and researchers try to keep up with the pace of hack attacks – one every 39 seconds as of May 2020, according to the UN disarmament chief Izumi Nakamitsu – and find solutions to protect users, some experts say that people are, at the end of the day, what matters the most in the equation.
“The user is the person who chooses where to click, where not to click, is the one who creates [security] controls [on their daily lives]. They are the most important link in the cybersecurity chain,” stated Rodrigo Jorge, Chief Information Security Officer at Neoway, during Brazilian event Forum E-Commerce Brasil.
However, companies are doing little to empower their employees and engage them in spotting which situations are dangerous and how to avoid an attack. “What we see in the market is that the security team is small or non-existent, there is a lack of top-down support, and no cybersecurity culture,” he said.
“Culture” is perhaps the fundamental word in Jorge’s opinion. Without a perennial effort to make employees understand the risks and the importance of protecting themselves and the machines they use, we will keep seeing people repeating the same mistakes.
One good example of how humans tend to stick with past behaviours is an experiment on “The Chaser’s War on Everything,” a satirical show on ABC in Australia. The hosts checked whether security workers would allow them to enter a building while towing a Trojan Horse behind their car, as you can see in the picture.
Apparently, the only place to deny them entry was the Turkish embassy – the territory where the city of Troy was located.
Cybersecurity does not come naturally to people. So, businesses need to establish a culture for that – which already has a name: Security ABC (Awareness, Behaviour, Culture).
The main point is to create a positive environment where someone’s behaviour, knowledge, and values influence others around them – in this case, caring about security at the workplace.
In the first stage, training on cyber threats, lectures, and games are valid actions. One example is sending employees regular alerts – three or four times a week – and asking them to report whether each one looks like a threat. Important note: the training applies to C-level executives and board members too.
The company then defines goals and promotes them, constantly measuring how well they are being applied – for example, how many users report the alert as a threat. Finally, people start to think about security naturally.
“When people start to take it naturally, then we have a security culture. You don’t have to reprimand, threaten to deny access to the server, these types of attitudes,” Jorge exemplified. That is when users are empowered, and attacks are less likely to succeed.
“If employees take care, all the related stakeholders take care of security as well. People must be the strongest link of the chain,” Jorge concluded.
Journalist since eight years old, when I would read the newspaper out loud and pretend it was a radio show. Based in São Paulo, I have worked for Brazilian websites as a reporter and editor before joining 6GWorld.