Teaching a man to Phish

There’s an old proverb that says: “Give a man a fish and you feed him for a day. Teach a man to fish, and you feed him for a lifetime.” The origins of this quote are lost in time, but it’s as relevant today as it ever was. But perhaps it requires a slight upgrade for our digital universe, to; “Show a man a Phishing email, and you’ll protect him for a day. Teach a man how to spot a phishing email and you’ll protect him for life.”

Puns aside, the relevance of this should not be lost on any of us. According to “Hiscox Cyber Readiness Report” (2019) of the 5,392 organisations surveyed, more than 3 out of 5 firms (61%) reported an attack in the last year – up from 45% the previous year.

Clearly the threat from cybercriminals isn’t going away any time soon, and in fact it’s rising all the time as it seems that hardly a week goes by without us hearing on the news of some major cyber related incident or data breach. So if this is not slowing down or going away, what can we do to be better prepared for the road ahead?

Do what you always did… and you will get what you always got.

Before we discuss what we should be doing it is worth thinking about why I believe cybercriminals are currently winning in this digital ‘arms-race’, and it is not down to the technology they use. In fact, I believe it is largely down to an area of cybersecurity we have yet to improve on.

Hardware. Software. Pinkware.

Cybercriminals know that organisations invest heavily in hardware to protect networks and the data they hold and of course invest in software that will spot trespassers into networks and systems.  If some devious hacker manages to infiltrate a network then they will most likely trip on a virtual trip-wire, contained within the hardware or software and be locked out or prevented from doing any harm.

These devices receive regular updates (aka patches) to ensure they are ready and primed for any virtual wrongdoer that may trespass on to the network.

But what about the Pinkware? The human element isn’t subject to the same level of rigour that the hardware and software is. That is why reports state that more than 90% of cyber breaches are a result of human error.  To put it simply, we are not spending enough time patching our Pinkware, and upgrading knowledge and skills surrounding cyber threats. But the scary thing is that the ‘bad guys’ know this, and they know that as users of technology we are over-reliant on the technology to protect us, and that we’re swimming in a sea of data that we don’t truly understand. It is the perfect storm.

What we need to do

Fundamentally, organisations need to remember that good cybersecurity is a combination of technical and non-technical solutions and invest in both.  There are a number of best practices organisations can follow that effectively act like a security ‘recipe’ that can be followed to put in place strong security controls.  The best one’s have a combination of focusing on people, processes, systems, and suppliers, such as ISO27001 (other frameworks are available, such as Cyber Essentials, NIST, PCI DSS etc.).

Organisations need to take into account the human aspects of cybersecurity, and build security-training programmes that focus on different areas of the business.  It is no good simply rolling out an awareness programme that is too technical for the finance team, but not technical enough for the IT team.  Within Cyberfort, we believe developing specific training for specific areas will reap the greatest rewards, because each function/department will face different risks and different threats.

Human firewalls need patching too

When we speak to organisations about their training and awareness programmes it feels like the programmes are done ‘to’ the organisation rather than ‘with’ the organisation.  ‘Death-by-PowerPoint’ or vanilla training packages tend to take a ‘one-size-fits-all’ approach to cybersecurity training which rarely meets anyone’s needs. So whilst there are some great tools around that give an overall view of cybersecurity and provide a good basis of understanding, few are tailored to fit the needs of the organisation, and the skills needed to better protect them. We are so sure that this is a key reason why so many organisations are failing at cybersecurity that we take the time to work closely with each area of the business to advise them on what the threats and vulnerabilities are to them, within their own department/function so that they ‘get it’, and can begin to internalise it.

Teach a man to phish

I believe we are currently looking at a tsunami of cybercrime, where we know the threat is on the rise but we cannot be sure of how big this is going to get. All we know for sure is that if we continue to do things the way we have always done them, we are going to repeat the mistakes we have always made.  This mistake is largely down to our focusing too heavily on technology and not on the people using the technology, therefore we need to rethink how we approach not just technology, but people too.

If this all sounds too difficult, here are some quick tips for improving your chances of making a real difference in cybersecurity;

• Identify the departments most likely to be targeted by cybercriminals (e.g. Finance)
• Identify what technology you have in place to protect the information in each function
• Consider are the technical solutions adequate? (Have you tested them?)
• What training needs do you have in each separate department? (What do THEY need to know?)
• How best can you convey the importance of cybersecurity to that team/function?
• Who can help you develop the skills you need inhouse to better protect yourself?

Remember that showing someone something and expecting them to be able to use it when they need it most, is not the best strategy.  Explain clearly why something is important, how it impacts on them and what they can do to protect themselves, their families and the organisation and you’ll have done a great job of building a more robust human firewall, and you’ll have taught them how to phish.

Afterall, isn’t it better to teach someone the skills that can benefit them not just for today, but into the future too?