This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public. Advice and information are changing daily as we navigate our way through the COVID-19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance, please contact the EMSOU Protect Team or your local Force protect team. Today’s topic is: The Human Firewall
It is quite common to read news about cyber-attacks causing huge data breaches, businesses suffering irreparable harm, and countries targeting each other in cyberspace. Such articles encourage us to imagine sophisticated hackers employing state-of-the-art technologies. We also start to feel apathy set in - there’s nothing much we can do, right?

Not so fast. If you study credible public reports and expert analysis on cybersecurity incidents, you’ll discover this startling fact: approximately seven out of ten security incidents occur due to human error and behaviour, not complicated technical attacks. Again, let that number sink in: seven out of ten! Even those attacks that are described as “sophisticated” end up having human mistakes, such as falling for phishing attacks, at their core. Cyber security, then, is fundamentally a human issue, not a technology issue. It requires a process of communication that is focused on connecting and resonating with humans.

Why is this the case? As technology has evolved rapidly, cyber security tools such as firewalls, anti-malware software, email protection solutions, and a host of other things have also improved significantly. This means that it has become much harder for hackers to bypass protective security technologies. To counter this, hackers figured out that it was a lot easier, cheaper, and more worthwhile to target humans instead. They understood that instead of spending time and money trying to crack people’s passwords, it was much easier to trick users into revealing them. Simple.

So, how can we address this issue?

Stay Positive
In the past, HMRC sent reminder letters to delinquent taxpayers stressing the importance of paying taxes on time. This clearly wasn’t helping much. To address this, they applied the approach of using positive peer pressure and social acceptance by adding a single line: “Nine out of ten people in the UK pay their tax on time.” That’s it. Just this simple addition contributed to increased tax compliance by 15%! (UK Government Cabinet Office 2012)
Keep Messaging Lively and Interactive
Unfortunately, awareness content can be bland, lacking humour and delivered by a speaker whose sole purpose appears to be curing insomnia. I equate it to messages such as “Eat salad and exercise,” and we know how well that message is working out.
Consider the competition poster instead. The use of a funny but relevant picture about the need to patch systems gets people’s attention, and in this age of information overload, attention is gold. The content will stand out amongst a barrage of other corporate content for its uniqueness. People can engage with the article by liking, sharing, and commenting, which then results in more people reading it. Do you think people would have paid attention if I had said something like, “Patch your devices since hackers exploit vulnerabilities in unpatched systems”?
Another idea for a competition is to design a cyber mascot. The winning mascot can be proudly displayed on all future security awareness messages and materials. While this will drive excitement and engagement around cyber security, there is also the added benefit of getting recognisable branding for the awareness materials. Mascots are powerful, and if done correctly, they can make a message truly stand out. The use of Smokey Bear by the US Forest Service to raise awareness about wildfires is a classic example of this. Smokey now even has his own Twitter account! When the mascot is developed through a friendly competition and by one of your own, there will be a sense of ownership of it in the organisation and, of course, awesome brand recognition.
Given the marked rise in phishing attacks over the past few years, a phishing email writing competition is another great way to create awareness. Essentially, competitors should write a good phishing email designed to trick the victim into disclosing some sensitive information. To safeguard against unintended consequences, I would make sure that users understand what they can or can’t do - an obvious no-no being to phish anyone for real.
To ensure a controlled outcome, I would also ask competitors to submit their entry as a Word document with no embedded links or macros. The intent is to get them thinking creatively as hackers and social engineers, and not to allow the technically skilled an unfair advantage. This will help level the playing field and encourage creativity from all different groups. As an incentive, a modest but meaningful prize could be offered to the winner - feel free to email the best (and most humorous) entries for us to share!
Like this article? Why not let us know?
Please report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online.
Forward suspicious emails to email@example.com.
Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).