A recent survey conducted by the Department for Business, Innovation and Skills showed that whilst staff-related breaches have dropped significantly compared to a year ago, they still play a key role in security breaches. This year alone, 58% of large organisations suffered staff-related security breaches. It’s easy to consider these breaches as deliberate malicious acts by disgruntled employees taking information out of the organisation and selling it on, but in many cases the breaches resulted from a lack of awareness of ‘sophisticated attacks’. Such attacks use social engineering to manipulate individuals into performing certain acts or divulging confidential information about themselves.
Spear phishing is commonly used to target specific individuals or companies. To get individuals to release information, cyber criminals use social media to gather information about a person, as well as phone calls, to build up the individual’s profile. Using this information, cyber criminals tailor their approach and messaging to make it appear relevant and authentic to their victims. Cyber criminals who use spear phishing attacks to target companies tend to be after commercially sensitive information, intellectual property, technology or sensitive government-related information.
Many organisations roll out e-learning as a means of raising awareness. Whilst this is important, it is by no means a be-all and end-all solution.
So what should organisations do to ensure their training is sufficient to prevent human-related breaches?
- Training is really important, but it’s no good rolling out the same training to every member of staff;
- Training should be relevant, role-specific, tailored to the needs of the organisation from the Board to the office floor, and updated regularly;
- Training has to be in line with the organisation’s strategy to ensure cultural fit;
- Provide context of why the training is important to ensure a more in-depth understanding of the issues and risks;
- Relate the training to the employee’s personal online activities at home to help them safeguard their own personal information and reduce risks.