There is no doubt that cyber threats are on the rise, and scammers will stop at nothing to gain access to sensitive data, with many still relying on phishing as a key way to bypass security barriers. About 60% of data breaches in 2022 led to an increase in prices that was passed onto customers, according to Tekspace. The impact of cybercrime is hitting us all in the pocket.
The average total cost of a data breach in 2022 was $4.35 million, according to a joint IBM/Ponemon Institute report. Worryingly, 83% of organizations questioned had more than one breach. The average time to identify and contain a data breach was a whopping 277 days.
One reason phishing is so successful is human error. An employee may be momentarily distracted, or in a rush to finish a task, and the mistake is made. A link is clicked. The criminals are in.
Why Do People Click?
The problem of data breaches needs to be tackled with a more human approach, according to cyber leaders on a panel titled “Why Staff Still Click: Employee Training and Cybersecurity Best Practices to Prevent Breaches” at the PrivSec event in London, chaired by Fay Godfree, data privacy officer at Siemens Healthineers.
One root cause is that people are suffering from information fatigue, according to Susanne Bitter, digital security GRC analyst, business partner security at BP. “We are under constant overload of information,” she said. “It doesn’t matter if you are going through a training program or just doing your job, you are tired. Most of the time when people click, they may not even be conscious of doing it. They block out what they have done because their brain is tired.”
One new approach to communication could be to minimize the number of emails that deluge us every day, according to Robin Lennon Bylenga, information security awareness, education and communication lead at DWS Group.
“Information overload is one of the top concerns in the world—if you are dealing with 300+ emails in a day, the risk of making an error is a lot higher,” she explained. “But does every communication have to be on email? Why are we doing all our communications on email? That is a problem—that is where we as professionals have to stop blowing smoke about it and just say that if you want to stop this happening then we have to take communications in a different direction.”
Technology also has a key role in data loss prevention, said Adam Low, CTO of Zivver. “We have more tools to communicate with than ever before,” he said. “We have Teams, Slack, email and more. But the reality is if you look at email—that is the most consistently growing medium every day and it keeps increasing.”
He warned that the technology that underpins email has not evolved in decades and technology vendors need to step up their game.
“It is exactly the same technology as it was 30 years ago,” Low said. “I think technology owes us a modernization to address the shortcomings that it has. We need something that augments what we have and provides the promise of AI to help support humans in making better decisions when sending emails.”
Empowering People to Tackle the Cybercriminals
Too many organizations think that the best way to raise awareness of phishing within the company is to trick staff into making mistakes and then hunt for culprits. But this culture of naming and shaming is not the right way to tackle the problem, the panel agreed.
Instead, the approach needs to be tailored towards creating a culture of reporting a problem or error the moment it is made, without any blame or shame culture to worry about.
“As professionals we really shouldn’t appear to be tricking people,” Bylenga said. “Ultimately, we are trying to build reporting. We need to build a safe environment where people can come and admit they have clicked on something. We can then make them aware of why it is an issue and make any campaign educational and not just about trickery. You also have to train everybody and not just the lower level. Over 50% of clicks come from management.”
Low said countries with a higher level of data loss are not necessarily worse at data protection.
“Statistically the UK stands out when compared to the rest of Europe because it has lower levels of data loss, whereas a country like the Netherlands has volumes 50 times higher,” he explained. “But this does not mean more breaches are happening. It is down to a culture difference—the Netherlands has a culture of reporting, whereas the UK doesn’t. It is vital to create a culture that is supportive of its people.”
Bitter added that if staff have a greater understanding of the role they can play in security, they will step up. “Look at what you want to achieve with your workforce,” she said. “Don’t stress them out with goals or targets, let them understand why their work matters and perhaps why sending or responding to emails really fast may not be the best approach. Take more time. Help them understand that they play a valuable part and make security relatable to them perhaps through gamification, or training that they can relate to at home.”
Bylenga agreed that relatability is absolutely key. “Go to each department in your company and ask them what their day looks like, use modern stories and issues to help them understand security messaging and make sure they can relate to it.”
Avoid Using Fear, Blame
Employees who have clicked on something they shouldn’t have already know they have done wrong, the panel concluded. They don’t need to be part of a blame game. The key is giving them the confidence to report any problems straight away without any fear, and making everyone from the top down aware of how their actions can prevent data loss.
By having a more informed, aware and educated workforce that fully understands how vital it is to report any security breaches immediately, you can react faster should the unthinkable happen, and keep cybercriminals at bay.