We’re number one! (Oh, that’s not a good thing?)
Yes, sometimes it’s better not to be recognized. Especially if it’s in the Verizon 2020 Data Breach Investigations Report which shows new and emerging trends of the cyber threat landscape. Anyone who is anyone in cyber wants to get their hands on it as soon as it’s published (and we are no exception). As has been for many years, one of the key reasons behind data breaches involves what we do (or don’t do). In fact, this year’s report shows that 3 out of the top 5 threat actions that lead to a breach involve human’s either making mistakes or being tricked. Below is a closer look at those 3 threat actions, and the human factors they rely on.
In this year’s report, phishing attacks lead the cyber threat pack for successful breaches. It it also the most common form of social engineering used today, making up 80% of all cases. A phish attacker doesn’t need to rely on a lot of complicated technical know-how to steal information from their victims. Instead, phishing is a cyber threat that relies exclusively on manipulating people’s emotions and critical thinking skills to trick them into believing the email they are looking at is legitimate.
One surprising aspect of the report is the rise of misdelivery as a cause of data breaches. This is a different kind of human factored cyber threat: the pure and simple error. And there is nothing very complicated about it: someone within the organization will accidentally send sensitive documents or emails to the wrong person. While this may seem like a small mistake, the impact can be great, especially for industries handling highly sensitive information, such as healthcare and financial services.
Misconfigurations as a cause of data breaches is also on the rise, up nearly 5% from the previous year. Misconfigurations cover everything security personnel not setting up cloud storage properly, undefined access restrictions, or even something as simple as a disabled firewall. While this form of cyber threat involves technological tools, the issues is first and foremost with the errors made by those within an organization. Simply put, if a device, network, or database is not properly configured, the chances of a data breach sky rocket.
So What’s to Stop Us?
By and large we all understand the dangers cyber threats pose to our organizations, and the amount of tools available to defend against these threats are ever-increasing And yet, while there is now more technology to stop the intruders, at the end of the day it still comes down to the decisions we make and the behaviors we have (and which are often used against us).
We know a few things: compliance “check the box” training doesn’t work (but you knew that already); “gotcha” training once you accidentally click on a simulated phish doesn’t work because punitive reinforcement rarely creates sustained behavior change; the IT department being the only group talking about security doesn’t work because that’s what they always talk about (if not blockchain).
Ugh. So what might work? If you want to have sustained cybersecurity behavior change, three things + one need to occur: 1) you need to be clear regarding the behaviors you want to see; 2) you need to make it easy for people to do; 3) you need people to feel successful doing it. And the “+ one” is that leadership needs to be doing and talking the same thing. In other words, the behaviors need to become part of the organizational culture and value structure.
If we design the behaviors we want and put them into practice, we can stop being number one. At least as far as Verizon is concerned.
“How prone to doubt, how cautious are the wise!”
We’ve written before about how hackers and online scammers rely on human factors just as much as technological factors. They attempt to manipulate our emotions in order to trick us into handing over information or even money. However, the problem of social engineering goes beyond these tactics used by scammers. We’ve all experienced the anxious rush to check our notifications as soon as they come in. But these aren’t just simple habits we’ve developed — our phones, and especially notifications, are literally re-wiring how our brains work and even dulling our critical thinking skills.
Ever heard of Pavlov’s dog? It was an experiment conducted by the physiologist Ivan Pavlov in which he rang a bell when presenting food to a dog. Upon seeing the food, the dog naturally began to salivate. After awhile, however, Pavlov rang the bell without giving the dog any food and found that the dog began to salivate based on the sound of the bell alone, effectively re-wiring how the dog’s brain responds to certain sounds. Well, this type of conditioned response is also exactly what our phone notifications are doing to us. The ping we hear when a text or email pops up on our phone acts as a trigger for our brain to release pleasure-seeking chemicals such as dopamine. According to behavioral psychologist Susan Weinschenk, this sets us on an endless dopamine loop: “Dopamine starts you seeking, then you get rewarded for the seeking, which makes you seek more. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.”
However, the way that notifications re-wire our brains goes beyond the endless search for more and more messages. The pleasure-seeking response that dopamine triggers can actually lower our ability to think critically, making us more susceptible to online scams. According to research conducted by The University of Florida and Google, the cognitive effects notifications have on us can lower our decision-making ability. The research found that we are more likely to detect a scam when we are stressed and on high alert. However, hormones like dopamine that are pleasure-based lower our level of alertness and make us less likely to detect potential scams. This is especially troublesome when it comes to phishing emails. Emails notifications release these “feeling good” chemicals which in turn makes it harder for us to discern if what we’re looking at is a fake.
There are, however, some steps we can take to combat this. If notifications are re-wiring our brains to be less alert, one step we can take is to simply turn off all notifications. This can limit the dopamine release that notifications trigger. Taking a few breaths before opening an email also helps. Pausing before responding to a notification can help break the “dopamine loop” by delaying the gratification cycle. Whatever method works best is up to you. The important thing is to be aware of how you respond to things like notifications. Taking the extra few seconds to think about what you’re doing and why might just save you from falling for a phish or other online scams.
Your organization’s cybersecurity team is on edge in the best of times. The bad guys are always out there and, like offensive lineman in American Football who are only noticed when they commit a penalty, cybersecurity personal are usually noticed only when something goes wrong. Now, as the game has changed, the quick transition to work from home, combined with the plethora of COVID-19 scams, phishing, and malware drowning the cybersecurity threat intel sources—not to mention the isolation—may leave your team at a chronically high stress level. And cybersecurity is far more than just your technical safeguards. At the end of the day, the stress your team feels could lead them to put their focus in the wrong place and let their guard down.
Here’s what you can do about it
- Incorporate cybersecurity as a part of your overall business strategy process – now is the time to recognize cybersecurity as a key part of the organization’s strategy and that enables you to drive your mission forward.
- Be a part of the cybersecurity planning process – be active, listen, and understand how your team is handling this.
- Leverage your bully pulpit – communicate to the staff about the key areas your cybersecurity team is focused on and the role they are playing to keep the organization secure while everyone is working from home.
- Check in – take the time to just check in and see how they are doing. A little goes a long way.
The truth is, when it comes to cybersecurity, your first and most effective line of defense is not your firewall or encryption protocol. It’s the people that form a team dedicated to protecting your organization. Working from home poses unique cybersecurity challenges, and it’s up to you to make sure your team is given the attention they need to do their job well.
Regardless of your business or your personal situation, it is hard to imagine that you have not been impacted by COVID. Among other things, it has exposed how vulnerable we are personally. How vulnerable our company is. How vulnerable our communities are.
And these vulnerabilities can create a sense of anxiety, which can build on itself, leaving feeling us helpless.
Perhaps the single most important thing we can do when we are vulnerable is to connect. To communicate. To reach out to others. If we do nothing but isolate, the vulnerabilities expose and consume us.
Cybersecurity professionals deal with vulnerabilities all the time. Often these individuals work as a group separately or perhaps communicating with other IT members. Unfortunately, apart from compliance audit reports or token security awareness programming, cybersecurity is rarely communicated and integrated into the overall culture of the business. How many times do security professionals say of corporate users and leadership, “They just don’t understand” and c-suite, marketing or other department users say with regards to cybersecurity, “They just don’t understand.” Imagine the understanding that could occur if everyone began to lean in and communicate about these issues as one team.
Just as during these times, a key way to address vulnerabilities in your systems is by connecting and communicating across channels. The more the IT and cybersecurity team is engaging with business leaders and staff and other stakeholders, the stronger the organizational culture will be to mitigate vulnerabilities and build resilience.
At this point, many companies have instituted work at home policies. And, assuming that the organizations have taken the right steps to secure their remote workers and increase their bandwidth to handle the increased loads and redundancies, business can get back to the new normal, correct?
Not quite. The key to managing remotely is communication. And I’m not talking about emails from the company referencing COVID-19. I’m talking about ongoing communication that keeps the staff engaged, strengthens the culture and overcomes isolation.
There are many ways to do this. Here are a few you can do right away.
- Daily virtual standup meetings. Have your teams jump on a video call same time each day to have a quick chat about what went well and what blockers have come up since the prior days call. Make it video so people can see each other which improves the socialization aspect of the meeting.
- Catch them doing something good. Each day call out someone for doing something well, especially if it involves helping clients or each other. Support is now a key differentiator and it should be rewarded.
- Conduct white-hat phishing exercises. Phishing hasn’t gone away. In fact, COVID-19 has given the bad guys something else to use a lure. Keep your team digitally aware by running phishing simulations, but let them know you are doing it and reward them for any phish they report. That way you both sensitive the team to be on the lookout for suspicious emails and keep them positively engaged at the same time.
- Step up security training for privileged users. With the changes to network access and perhaps the installation of additional technologies to support remote access, it is critical you spend the time with your systems, application and network teams on security role-based training to ensure that the assets are appropriately configured. Misconfiguration poses a large cyber threat in the best of times; even more so now. Of course, make sure you are catching them doing something good, as well. (See #2 above.)
- Create standing “tea-times”. Let’s face it, part of working together is socialization. For teams not used to working remotely (and therefore not used to connecting with each other on a social basis remotely), carve out some time each day which permits them to reach out and talk to each other about whatever they want. You don’t have to over engineer this, giving permission might be all you need to do.
The resilience of an organization’s ability to respond to any challenge is in no small part due to the strength and resilience of its culture. Focusing on, communicating with, and recognizing your staff will go a long way to keep people working together. Even when they’re apart.
Subscribe to our blog here: https://mailchi.mp/90772cbff4db/dpblog