Despite technological advances in cybersecurity, humans remain the weakest link in companies’ security strategies – and social media isn’t helping.
Tony Walt, co-founder and director at Port443, comments: “Staff training is essential for cultivating cybersecurity awareness. Employees must understand that posting even ‘non-sensitive’ personal information can lead to identity theft. It also potentially exposes their work passwords and puts their employers at risk.”
For instance, birthday wishes on your social media profiles can help threat actors work out the first six digits of your South African ID number. Your social media profile also gives criminals clues about the seventh to tenth digits of your ID number (females 0000-4999 and males 5000-9999). The 11th digit of your ID number (0 or 1) can be deduced based on whether you’re a South African citizen or a permanent resident.
“If you work for a bank, you likely have an account with that bank too, which provides another way for a threat actor to gather information about you. All this information that is in the public sphere lets malicious actors establish trust when they communicate with you – and your staff. It leads victims to lower their guard and inadvertently reveal more sensitive data,” Walt states.
He shares the following guidelines on what works and doesn’t in cybersecurity training:
* Ongoing, targeted training is essential. This approach addresses a specific individual’s risky behaviours, such as clicking on suspicious links. “Companies should make ongoing, specific, targeted training part of their organisational processes,” Walt advises.
* Regularly simulate phishing to help employees recognise and avoid deceptive emails or phone calls. Like fire drills, simulations let employees and employers identify areas that need further training. The organisation develops a stronger defence against cyberattacks as a result, according to Walt.
* Gamify and role-play your training. These two tactics enhance employee engagement, and make learning fun and memorable. Says Walt, “More importantly, role-playing helps staff to practise appropriate responses in a controlled environment.”
* Explain why password hygiene may be a pain but is important. Help staff to understand why it’s so important to have strong, unique passwords and frequent updates. He advises, “Make it clear that although changing passwords can be annoying, it prevents unauthorised access and strengthens overall security.”
* Encourage and celebrate incident reporting. Staff may be too scared of losing their jobs to report incidents, which leaves the company clueless about vulnerabilities. “Your staff need to know they will be supported when they report an incident. This helps to ensure prompt action, and minimises damage,” Walt says.
What doesn’t work
* Lecture-style training, passive learning methods and lengthy presentations don’t engage employees. “Do everything in your power to make training fun. Otherwise you’re diminishing your people’s ability to retain information and apply it in practical situations,” he advises.
* One-and-done approaches don’t work either. Cybersecurity threats evolve rapidly, so a single training session is insufficient. Ongoing education is crucial to staying ahead of emerging risks, Walt concludes.