Highlights from today’s Cyber Awareness webinar
Your people are the most effective line of defence when it comes to Cyber Security. It’s a message that has been passionately expounded by cyber security experts for many years, but it has taken the recent hike in the profile of cybercrime for people to really start listening.
Today’s webinar was a chance to gain a little insight into the topics of cybercrime and cyber awareness from two seasoned professionals with a wealth of first-hand experience. Nick Wilding leads the Cyber Resilience Best Practice division of AXELOS GBP – a joint venture between the UK Cabinet Office and Capita; and Vicki Gavin is Compliance Director and Head of Business Continuity, Information Security and Data Privacy at The Economist Group.
At Unicorn we are fortunate to count AXELOS among our strategic partners, and have worked closely with them to develop and continually improve RESILIA – an integrated best practice portfolio designed to put people at the centre of an organisation’s cyber resilience strategy. Ahead of the imminent relaunch of this suite, Nick and Vicki took some time to lend context to the need for cyber awareness training.
This morning’s webinar kicked off with a roundup of the latest statistics relating to cyber attacks:
“One thing’s for sure”, said Nick Wilding, “looking at the stats, it’s clear that at some point you will be breached.” The frequency and nature of these attacks are such that it’s easy to see where he’s coming from: over the past year alone we’ve seen everything from repeated attacks on the SWIFT network, to the sustained efforts of Russian hacking group Fancy Bear in their attempts to upset the US electoral process.
“To be honest, it’s easy to see why people end up with ‘security fatigue’,” said Vicki Gavin. “We’re incessantly bombarded with frightening statistics to the point that sometimes these headlines end up just having the opposite effect. For me personally, I’ve found a way to leverage this kind of information, and the key is making it specific and relevant to the activities of your own organisation.”
“If we accept that people are our best line of defence”, continued Nick, “it’s shocking to think that in a recent study, we found that as many as 45% of organisations don’t do any kind of cyber security training, and of those that do, 81% are relying on mandatory training that is completed once a year or less.”
It’s about technology and people, not just bits and bytes. - Vicki Gavin, The Economist
One of the anecdotes that AXELOS have come back to time and again is that of Jim Baines – a personal friend of Nick Wilding, and a CEO who has spoken at length about his traumatic experience at the hands of cybercriminals. Nick relayed this story today, and followed it with an extract from one of Baines’ letters that poignantly reminded others that none of us are invulnerable when it comes to falling foul of cybercrime.
“Interestingly,” said Vicki, “what we seem to see time and again is the prevalence of this culture of blame. Whenever something happens, businesses are quick to want to assign blame – whose fault was it? Who clicked on a malicious link? Who opened a phishing email? But when we’ve talked about organisations only offering cyber awareness training once a year, how are people supposed to learn?”
“They say it takes a minimum of three weeks to start developing a new habit,” she continued, “so what we really need is to start embracing this idea of continuous learning.”
When you consider AXELOS’ stats showing that, of the firms supposedly running ‘effective cyber awareness training programmes’, no more than 50% had full completion rates, it’s little wonder that learning continues to be a barrier to resilience.
“In the simplest of terms, where it comes to awareness there’s too much stick and not enough carrot,” says Nick. “At the heart of it, people sometimes forget that cyber is an interesting topic – so engagement ought not to be something that’s seen as tedious.”
“The problem is often that people think just because someone is a cyber expert, that that automatically means they will be a good trainer”, asserted Vicki – followed by another acknowledgement that in order to achieve real engagement, it’s critical to make learning relevant to your target audience. Sharing her experiences of responding to attempted cyber-attacks mounted on The Economist in the past twelve months, Vicki pointed out that this is now becoming the norm for businesses operating in the digital age.
At the source of every error which is blamed on the computer, you will find at least two human errors, one of which is the error of blaming it on the computer. – Tom Gilb, US Systems Engineer
“I can tell you we’ve had 360 cyber events in the last year, of which 60 we might categorise as ‘incidents’, and 3 that were escalated to crises,” she said. “In the latter part of last year, we had a breach when an individual unwittingly gave away their user credentials by clicking on a link in a phishing email. Although the hackers then used this breach to send a further email to everyone in the business, of the 1400 people we have working for The Economist Group globally, only 50 people actually opened this email, and no one else clicked on anything. In summary, we had the whole thing contained in under 3 minutes. This is exactly the kind of compelling event that shows the true value of cyber awareness training to our board.”
Speaking about the need to promote awareness learning that really works to change behaviours across businesses, Nick said: “What we come back to time and again is this theme of storytelling – making training relevant and relatable. Don’t just tell people what the policy is, help them to make that relevant, and to interpret and understand what you want them to do in order to support it. What we see instead is lots of ‘don’t do this, don’t do that’ – but what about the why?”
“Through our partnership with Unicorn, we have moved beyond the model of once a year training,” he continued. “We have built creative, innovative, engaging learning to help businesses design and implement effective training programmes for their organisations. The RESILIA suite gives you the power to build an adaptive, efficient programme of learning, utilising diagnostic tools to test current knowledge and then deliver only relevant content to address areas of weakness. The content is a mixture of online videos; refresher snippets and tests; games and animations – and in its variety is sympathetic to the notion that people learn in different ways.”
RESILIA is designed for businesses of all sizes to help them on the journey of developing a culture that recognises the need to keep abreast of the threats posed by cybercrime. As both Nick and Vicki explained today, a business is only as resilient as its people – something that unavoidably echoes the old adage about a chain being only as strong as its weakest link. “Critically, we want to get people talking about this stuff,” said Nick. “The more that people talk about it, the more resistant they become.”
If you want to find out more about RESILIA Cyber Awareness Learning - or book a demo - you can do so here.