When it comes to cybersecurity, our minds usually jump to complicated technical protections that only your IT department understands. And while these safeguards are certainly important, the truth is hackers are increasingly focusing on social engineering attacks to get into our networks. In fact, phishing attacks are now the number one cause of successful data breaches. Employees are therefore often the first line of defense against cyber attacks. That’s why more and more cybersecurity experts are emphasizing the importance of security training for employees. Business owners need to feel confident that their employees are developing online behaviors that keep the organization secure. The problem, however, is that traditional training programs aren’t always successful in achieving these behavior changes. This is, in part, because training programs too often use “gotcha!” methods when employees make a mistake, which only discourages employees instead of motivating them. Organizations should therefore focus on programs that use positive reinforcement in security training.
One popular form of cybersecurity training is phish simulation programs, where employees are spent emails designed to look like popular phishing scams. The problem, however, is that these programs always always rely on the gotcha method. When an employee clicks on a link in a fake phishing email, typically they will see a screen telling them they got caught and are then instructed to watch an informative video. The problem is that this approach causes the employee to associate negative emotions with the training and therefore reduces the likelihood of sustained behavior change. Simply put, this type of training creates a punitive environment that discourages the individual but doesn’t create meaningful change.
Instead, one study has shown that using positive reinforcement in security training actually produces safer, longer lasting online habits. Instead of punishing bad behavior, it’s actually more effective to focus on rewarding behavior you want to see, such as reporting phish: “By focusing on helping people feel successful, the campaign produced a positive result: a 30% reduction in overall phish susceptibility, and for individuals who had already been identified as habitual “phish clickers”, a reduction from 35% susceptivity to 0%.”
The key is the associate positive behaviors with positive feelings. It’s a small thing, but the impact could help businesses save a lot of time and money down the road.
The EU’s General Data Protection Regulation (GDPR), one of the most comprehensive privacy laws in the world, celebrated its two-year anniversary last month. The regulation establishes a range of privacy and data protection rights to EU citizens, such as widened conditions for consent and the right to request companies delete user data, and requires organizations to implement technical safeguards. Along with the regulation comes some pretty hefty fines. Google, for example, received a 50 million euro fine for failing to properly state how they use consumer data. The law also requires that the GDPR commission release a report evaluating the regulation after the first two years, then every four years going forward. In compliance with the law, the commission released their report this month, broadly finding the regulation a success, but also highlighting certain areas for improvement.
According to the GDPR report, one of the regulation’s main successes is the increased awareness of the privacy rights among EU citizens, and that they are empowered to exercise those rights. The report found that 69% of the EU population above 16 has heard of the GPDR and 71% know about their country’s nation data protection agency. One issue however, is that this awareness has not fully translated into the use of these rights. The right to data portability, for example, which allows users to obtain and transfer their data, shows potential to “put individuals at the centre of the data economy,” but, according to the report, is still underutilized.
One other area of success is the flexibility of the regulation in its ability to apply to principles of the law to emerging technologies. This has been especially important recently, with the rise of the COVID-19 pandemic and the numerous tracing apps created. The report found that the GDPR has been successful in providing a framework that allows for innovation while ensuring that these new technologies are created with privacy in mind.
Areas of Improvement
Perhaps the biggest area of concern that the report highlights, is the uneven enforcement of the GDPR among EU states. All EU members states except Slovenia have adopted the law. However, the report notes that the law has not been applied consistently across the board. For example, the GDPR allows individual member states to set the age of consent for data processing, but this has created uncertainty for children and parents and made it more difficult for companies that conduct business across borders. The commission has recommended a creating codes of conduct to apply across all member states in order to allow for more consistency between states.
The GDPR report also found that there is some inconsistency when it comes to enforcing the regulations. Overall, the report found that the various data protection agencies were properly using their strengthened enforcement capabilities, but worried that resources have not been evenly divided among the agencies. While some countries that are seen as tech hubs require additional resources, the commission found that the overall budget allocation was too inconsistent.
Taking a step back, the GDPR report largely shows that the new regulation has had a positive impact on the views towards privacy, and has empowered individuals to take control of their information. The law, however, is still relatively new, and will continue to require tweaks to better serve consumers. Privacy regulations continue to be a work in progress, but are at least headed in the right direction.
When you think about different types of cyber attacks, ransomware might not be the first thing to come to your mind. It’s the sort of thing you might expect to see in a movie, but not in real life. The truth is, however, that ransomware is an increasingly common form of cyber attack. Government agencies, for example, are now a prime target for ransomware. However, it’s not just governments that should be worrying. According to one report, ransomware attacks against businesses rose by a whooping 263% in 2019. Business everywhere should therefore ensure they take precautions to prevent a ransomware attack and also have a plan in place if one does happen. To help, here is a list of 5 ransomware tips that all businesses should consider.
Ransomware Tip #1: Back It Up
Perhaps the most crucial way to protect yourself against ransomware is to have a robust and regular backup system in place. Any data that is sensitive or essential to business operations should be backed up on a regular basis. However, you have to be smart about it. Make sure your backups are stored offline or somewhere separate from your other networks. If a hacker gains access to your systems, you want to ensure they won’t be able to reach your backups. You should also regularly test your backups to ensure there is no corruption in the data. That way, if an attack occurs and they encrypt your data, you can be sure you have a backup to avoid paying the ransom.
Ransomware Tip #2: Use Security Awareness Training
Ransomware attackers often gain access to systems by first conducting phishing attacks or other forms of social engineering exploits. The key to the attackers success are employees who are not sufficiently trained in detecting emails that contain malicious links. This is just one of the many reasons more businesses should invest in security awareness training programs. For many forms of cyber attacks, your employees are your first line of defense, so making sure they have the tools needed to spot phishing attacks is a must.
Ransomware Tip #3: Stay Up to Date
Operating systems and software are constantly being updated to patch any known security vulnerabilities, but it can be easy to miss an update or put it off for another day. The problem is that attackers are constantly looking for these vulnerabilities and will prey on anyone who hasn’t updated their systems. Updating software, operating systems, and applications should therefore be a priority. In many cases, you are able to set up your systems to update automatically when a new patch is released.
Ransomware Tip #4: Segment and Limit Access
If an attacker gets into your system, you want to ensure they can’t access everything. It’s therefore important to segment your networks. This essentially just means keeping different elements of your network separate from each other so you can control how information flows from one to the others. This also involves implementing access controls so that users on your network are only able to access what they need for their job. These controls should be regularly evaluated. That way, if an attacker steals one of your user’s credentials, they won’t be able to access your entire network.
Ransomware Tip #5: Plan Your Response
Lastly, when it comes to ransomware, it’s important to not just try and prevent an attack, but also have have a plan in place in case one actually happens. Ransomware response should be included in every organization’s overall incident response plan, and you should have a team dedicated to carrying out the plan if an attack happens. Every organization’s response to a ransomware attack will be different, so response teams should sit down with members of the organization at various levels to ensure everyone is on the same page.
Maybe the biggest misconception about forming new habits is that the biggest factor for success is the motivation to change. We often imagine that as long as we want to make a change in our lives, we have the power to do it. In fact, motivation is actually the least reliable element making behavior changes. The hard truth is that simply wanting to make a change is far from enough.
The reason? Motivation isn’t a static thing, it comes and goes in waves. It’s therefore tough to keep our motivation high enough to lead to lasting behavior change. Take the response to the COVID-19 pandemic, for example. When it appeared in the U.S, we were highly motivated to socially distance. As time went on, however, more and more people started to take risks and go out more. The reason isn’t because the dangers were any less present, but because our motivation to stay inside started to wane. The point is, if the sole component to any behavior change is motivation, once that motivation starts to diminish, so will the new habit.
Of course, we have to at some level want to make a change, but we also have to realize that it’s simply not enough. Instead, we need to rely more on starting with changes that requires the least amount of motivate necessary for it to occur. This is the idea behind BJ Fogg’s Tiny Habits that we wrote about last week. If you want to start reading more, it might be tempting to try reading a chapter or two every day. But more often than not, you’re not going to be motivated to keep that up for long. Instead, if your goal is just to read one paragraph of a day a couple times a day, you’re far more likely to keep up the new habit. Then, over time, you’ll find you need less motivation to read more and more, until you don’t even think about it any more.
This can be a hard pill to swallow. We like to believe that we can do anything we set our minds to, and it’s a little disheartening to think we don’t have as much control over our motivation as we might prefer. When looked at from a different angle, however, understanding this fact allows us to focus on what we can control: setting achievable goals and rewarding ourselves when we met them. Focusing on that rather than our inability to keep our motivation high will lead to more successful behavior change.
Given that phishing attacks are now the #1 cause of successful data breaches, it’s no surprise that many individuals and organizations are looking for tools to help them get better at spotting phish. The problem, however, is that most of the available education tools reply on “passive” training material: infographics, videos, and sample phish. While this educational tools might teach you a few facts and figures, they don’t always lead to a long term change in how users respond to phish. Instead, educators should be looking for new tools and methods that change the very way we look at our emails. You know the phrase “Give someone a fish, feed him for a day. Teach someone to fish, feed him for a lifetime”? Well, the same is true for phish too.
The idea is simple: Instead of just looking at examples of phish, by engaging in the process of creating a phish you will internalize the tactics and tricks scammers in real life and will be better able to spot them.
There is actually a method that has been proven to work in similar settings, such as recognizing propaganda and misinformation. It’s called inoculation theory. The idea is similar to how vaccines work: by exposing people to small doses of something more dangerous, and by actively engaging them in the process, they can better defend themselves against the real thing in the future. Cambridge University used this theory to create an online game that asks users to create their own fake news.
In a similar way, teaching someone how to make phish creates an engaging way for users to understand how actual phishers think and what tactics they use to trick people. We believe this form of training has the potential to be far more successful in help users create long lasting change and help them stay safer online.