You may remember the “I Love You” virus which struck back in May 2010. It is estimated that the virus cost us US$5.5 to US$8.7 billion in damages worldwide and US$15 billion to remove. You would think that five years later we would have learned to be more cautious, but just last year it was revealed that a cyber gang had successfully infiltrated banks and was stealing money directly from them. One of the key tactics they used was social engineering, which is defined as the psychological manipulation of people into performing actions or divulging confidential information [1]. A successful spear-phishing campaign enabled them to install malware on unsuspecting employees’ computers so that they could “lie in wait,” observing and capturing day-to-day bank information.
A recent report by Hamilton Place Strategies, an analytical public affairs consulting firm, reveals that over the last five years the average cost of cybercrime has risen by 200%. A common theme in most of these cyber breaches is the human element. Why do we continue to fall for these tactics? Two words: human nature. Let’s look at some of the reasons these tactics continue to work.
Fear is a motivator. Cybercriminals use fear to their advantage with pop-ups announcing, “Your computer has been infected! Click here to fix the problem!” or a phone call from a faux call center offering to help secure your machine through remote access. Cyber criminals are now taking advantage of the fear of the Zika virus, sending emails about the virus that contain malicious attachments. Fear causes us to react, sometimes too quickly and without thinking things through.
The “Pollyanna Principle” [2] indicates that at a subconscious level humans tend to focus on the positive and be optimistic. If you don’t believe that people are “optimistic,” try to buy a lottery ticket when there is a large jackpot. Humans want to believe that something good is true; that luck is with them. We’ve all heard about emails stating that a “South African prince” or some entity has a million dollars for you. Similar examples include Facebook posts where an airline or some other commercial business is giving away tickets, or even “free” USB drives lying on a table. The fact is, if it seems too good to be true, then it probably is.
It is human nature to want to help people. At a company I worked for many years ago, an employee let someone claiming to have left their badge at home into the building. That person set up a keyboard capture device and was able to collect administrative passwords and hack into the systems in order to steal corporate secrets. Compassion also leads us to try to help people calling in to find information. It is good to be helpful, but only to the “right” people.
SHARING IS CARING
Most of us have photos and information that we share through social media. If not properly protected, it is very easy for cybercriminals to get into your accounts. This form of social engineering doesn’t require the cybercriminal to speak with you. They know how to use all of the information that you have shared on various social media sites to deduce where you have accounts, where you work, what your security question answers might be, and ultimately to gain access to your accounts.
I know that this isn’t really a human trait, but it is now a fact of life for most of us. We are all trying to juggle too much at any given point in time, and this leads to a lack of attention to detail. It has been found that the Sony network breach was initiated by a massive phishing campaign asking people to reset their Apple ID passwords. These emails pointed to the link ioscareteam.net rather than apple.com and captured Apple ID information through a fake form. If you want to be secure you have to slow down and pay attention to the details. Phishing emails have become very difficult to detect. You have to look at everything: Are the URLs correct? Are they secure? Are there typos? Do you recognize the email address of the sender? Attention to detail is the only way to be sure!
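The “Are the URLs correct? Are they secure?” questions above can be partly automated on the defender’s side. The following is an added example, not code from the original article: it parses the links in an HTML email body, compares the domain a link displays with the domain it actually points to (the ioscareteam.net versus apple.com pattern from the Sony story), and flags plain-HTTP links and lookalike hosts that embed a brand name inside some other registered domain. The sample message is constructed, and the “last two labels” domain extraction is a simplification of what a production mail filter would do with the Public Suffix List.

```python
"""Added example: flag links in an HTML email whose visible text, scheme or
host disagree with the domain the reader expects. Not from the original
article; the sample email below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered domain: the last two labels (id.apple.com -> apple.com).
    Assumption/simplification: a real filter would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Matches something that looks like a domain in the link's visible text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def check_links(html_body, expected_domain):
    """Return (href, reason) findings for links that fail the article's checks."""
    collector = _LinkCollector()
    collector.feed(html_body)
    brand = expected_domain.split(".")[0]
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        target = registered_domain(host)
        # "Are they secure?" -- anything other than https is worth a look.
        if parsed.scheme != "https":
            findings.append((href, "not https"))
        # "Are the URLs correct?" -- displayed domain vs. real destination.
        shown = _DOMAIN_RE.search(text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append((href, f"shows {shown.group(1)} but points to {host}"))
        # Brand name buried inside someone else's registered domain.
        if brand in host and target != expected_domain:
            findings.append((href, f"lookalike host {host} (expected {expected_domain})"))
        elif target != expected_domain:
            findings.append((href, f"off-domain link to {host}"))
    return findings


# Constructed sample: one mismatched link, one legitimate link, one lookalike.
SAMPLE_EMAIL = """
<p>Your Apple ID needs a password reset.</p>
<a href="http://ioscareteam.net/reset">https://apple.com/reset</a>
<a href="https://id.apple.com/account">Manage your account</a>
<a href="https://apple.com.verify-login.net/x">Verify now</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "apple.com"):
        print(f"{href}: {reason}")
```

Run against the constructed message, the first link is flagged three times (plain HTTP, display text disagreeing with the destination, and an off-domain host), the genuine id.apple.com link is not flagged at all, and the third link is caught as a lookalike even though its visible text gives nothing away.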
As outlined above, you cannot ignore that human nature inherently puts us at risk from cybercriminal tactics. When you put a cybersecurity plan in place, the plan must consider people in conjunction with process and technology. Without equal consideration of all three components you won’t succeed. Once you have developed your plan you can follow proven behavioral change techniques to drive the right behavior.
Behavior Change in Four Steps
Education is one of the very first steps in changing people’s behavior. Education not only provides a valuable signal to employees that they need to change their behavior but it also provides them practical ways to go about making the changes. Education must include everyone from senior leadership to each and every employee and contractor. You cannot provide training once per year and expect behavior change. I have found that companies that use a combination of methods to deliver training and deliver it in smaller chunks are most successful. Examples of training can include videos, newsletters, posters and incorporating security moments into your meetings. The topic needs to remain fresh in people’s minds and studies have shown that end users are better able to digest the information in smaller chunks.
You really can’t provide a training class and expect people’s behavior to change. You have to reinforce the good behavior. I recently read an article about “gamification” of cybersecurity. Gamification is a process that makes a game out of a business process. Examples of this in the cybersecurity world could include giving employees points for reporting security issues such as a phishing email or an attempted tailgate into the building. This is a great way to reinforce the right behavior in a positive way.
Another example comes from a Fortune 500 company that I worked with. They randomly sent company-generated phishing emails and left USB drives on tables and desks. This not only tests training and process effectiveness, but also feeds into the measurement step.
Another important component to behavior change is having a management team that leads by example. When I see a company that is not fully succeeding in implementing a change, many times, it is because they did not have the full support of leadership. Did you know that senior management was key in the successful phishing campaign against Sony? Many of those leaders clicked on the link and provided an “in” for the cybercriminals. Senior leadership needs to be engaged and supportive in order for you to be successful.
Many companies think that the extent of measurement is whether the person passed the test that is given after the training. That is a way to measure knowledge of the material but it doesn’t measure behavioral change. An effective way to measure behavioral change is to look at real-world data.
If one of the processes is for end users to report a phishing email to IT support, you can send out a company-generated phishing email to a set of employees and look at how many click on it, how many report it and how many ignore it. Other questions that you can ask yourself are: Has the number of security vulnerabilities detected early increased? Has the number of successful intrusions decreased? The answers to these types of questions will help you to measure program effectiveness and improve your processes and training. Technology can help with the metrics needed to manage measurement.
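The measurement the paragraph describes (how many clicked, how many reported, how many ignored) needs one decision that is easy to get wrong: what to do with an employee who clicks and then reports. The following is an added example, not code from the original article, that turns a simulated-phishing campaign’s raw events into per-campaign rates and a trend between campaigns. The event log format and the campaign identifiers are assumptions, and the lines themselves are constructed.

```python
"""Added example: per-campaign click / report / ignore rates from simulated
phishing events. Not from the original article; the log format
(campaign_id,user,event) and all event lines are constructed."""
from collections import defaultdict

# Constructed event log. Event is one of: sent, clicked, reported.
SAMPLE_EVENTS = """\
2016-Q1,alice,sent
2016-Q1,bob,sent
2016-Q1,carol,sent
2016-Q1,dave,sent
2016-Q1,bob,clicked
2016-Q1,carol,clicked
2016-Q1,carol,reported
2016-Q1,alice,reported
2016-Q2,alice,sent
2016-Q2,bob,sent
2016-Q2,carol,sent
2016-Q2,dave,sent
2016-Q2,bob,reported
2016-Q2,dave,clicked
2016-Q2,dave,reported
2016-Q2,alice,reported
"""


def parse_events(text):
    """Group events by campaign, then by user, preserving order of occurrence."""
    campaigns = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, user, event = [field.strip() for field in line.split(",")]
        campaigns[cid][user].append(event)
    return campaigns


def classify(events):
    """One outcome per recipient. A report still counts after a click, because
    the process being measured is 'report it to IT support'; the outcome a
    defender most wants to drive down is a click that is never reported."""
    clicked = "clicked" in events
    reported = "reported" in events
    if clicked and reported:
        return "clicked_then_reported"
    if reported:
        return "reported"
    if clicked:
        return "clicked"
    return "ignored"


def campaign_metrics(text):
    """Counts and rates per campaign id. Only users with a 'sent' event are
    recipients, so stray events for people outside the test set are ignored."""
    metrics = {}
    for cid, users in parse_events(text).items():
        recipients = [u for u, ev in users.items() if "sent" in ev]
        counts = defaultdict(int)
        for user in recipients:
            counts[classify(users[user])] += 1
        n = len(recipients)
        metrics[cid] = {
            "recipients": n,
            "click_rate": (counts["clicked"] + counts["clicked_then_reported"]) / n,
            "report_rate": (counts["reported"] + counts["clicked_then_reported"]) / n,
            "ignore_rate": counts["ignored"] / n,
            "unreported_click_rate": counts["clicked"] / n,
        }
    return metrics


def trend(metrics, key="unreported_click_rate"):
    """Change in a rate from the earliest to the latest campaign (negative means improving)."""
    ids = sorted(metrics)
    return metrics[ids[-1]][key] - metrics[ids[0]][key]


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for cid in sorted(m):
        print(cid, m[cid])
    print("unreported click trend:", trend(m))
```

With the constructed data the unreported-click rate falls from 25% in the first campaign to 0% in the second while the report rate rises from 50% to 75%; those two numbers together, rather than the raw click count, are what tell you whether the “report it” process is taking hold.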
I am a big believer in Kaizen, the Japanese word for improvement, which is typically used in relation to Six Sigma. Cybercriminals continuously improve their tactics, so we had better be improving our cybersecurity programs. You could take a shotgun approach to improving cybersecurity, but basing changes on measurement output ensures that you improve effectively and efficiently.
It is important to stay up to date on the latest trends and educate your end users. If your processes and technology are showing you a trend in social engineering phone calls, emails or even tailgating you need to use the data to update your training and find ways to effectively get the message out.
To implement a successful cybersecurity program, you must consider the people, processes and technology and use metrics to continuously improve and update. If you do, then you can sleep at night knowing that you’ve provided the proper tools and training for your end users to answer the question of whether or not they should click on that email.
[2] Matlin and Stang, 1978