As you may have heard – it is cybersecurity awareness month. While ‘kitchy’ – cybersecurity awareness should be a continuous, ongoing event – not just the month of October. And of course – we all know what the ‘weakest link’ is right? It’s Phil in accounting – isn’t it? No matter what amazing tools you have in place – someone’s distracted inattention may poke holes in your best-laid cybersecurity arsenal of tools. As pointed out in a Hacker News piece:
We’ve all heard this before. The fact that humans are a key flaw in cybersecurity strategy is hardly news – or, at least, it shouldn’t be news. But just ask Uber or Rockstar Games whether they thought that their systems were safe from social engineering.
The tech industry says this ad nauseam – and yet it is still happening. Why do employees keep getting tricked into bypassing even the most stalwart of security protocols? Is it that they have not heard of security in regard to IT? Nope. Is it that they don’t care? No – that’s not the answer either. Nor is it that they did it intentionally or were ‘dumb’. In most cases, it is because they fell for some simple social engineering trick like the one below.
‘Hey – this is Mike from the IT team. We need to access your computer to fix an issue we saw pop up. Here is the remote connection tool to run. All you have to do is click the link below’.
So why are they falling for it? Is it because they were too busy to watch the training? Do they simply forget what you said about security? Do they not catch the news? Does it matter why? At what point does ‘willful ignorance’ stop holding water when it comes to excuses as to why they ‘clicked that link’.
As stated in the article linked above – there is no magic solution for the cybersecurity implications of human behavior. The only way to get people to learn is to repeatedly and forcefully reinforce cybersecurity education. If the big companies are getting hit with this – then so is yours. From the top down – including your security team – the education needs to be continual and consistent.
Does your IT company provide cybersecurity tests and education? If not – give us a call.