In matters of cybersecurity, the sad truth is that people are unreliable and fallible, sometimes easily deceived and generally ignorant of all but the obvious online dangers. We are also inclined to be friendly and trusting, courteous to strangers and not suspicious unless the threat or danger is clear or overt. But the Internet and Web today are full of dangers and effectively dark because the lurking threats are not visible unless and until they appear on your screen. Cyberia is risky.
In that context, the threats to business and government are the same as to individuals online. There are threats to data and systems that are entirely digital. But there are many, particularly the scam or criminal variety, that are dependent on the frailty of humans. They are deceptions, con tricks that get people to open a door.
Those of us in the IT sector are pretty aware of most of the phishing and other tricks that enable criminals to get access to systems. The general public is still not. Fairly obvious phoney messages from banks and other services asking you to log on to masquerading web addresses are on the caution list. But an email from your boss or a director? Corporate email addresses can be impersonated, false ‘change of bank account’ messages from established suppliers are often very convincing, and other even more sophisticated scams are out there.
Technology is an essential part of the answer, from detecting anomalous behaviour in-house to sophisticated AI detection in real time of suspicious activity online. But there is no question that humans are a vulnerable avenue of attack. Phishing and email scams in general notoriously only have a success rate of perhaps one in 100,000 or indeed one in a million. But that is enough to make them profitable. Targeted scams are more elaborate and their yield rate is unknown but likely to be way higher than scatter shots.
Which is why we at Commtech work with our partners and principals to help educate and train customers’ staff and users. We utilise our collective expertise and experience in cybersecurity to enable organisations to develop policies, digital security strategies and tools to defend their data and their systems. We also, importantly, work with expert partners to develop programmes of training for users.
Web awareness and security is not a one-off introduction. The cybersecurity landscape changes and evolves constantly and users need to be kept up to date. There are many ways to do that effectively, from case examples on intranets or in-house newsletters to occasional workshops or seminars to actual corporate security manuals. The user awareness solutions, like the systems and tools, vary widely according to the sector and size of the organisation. Banking and online retailers or social media are obvious targets. But who guessed that healthcare organisations would be high on the target list? On the other hand, even the smallest of businesses is threatened by ransomware, and is more likely to have no viable recourse to backup data that is up to the minute or even the hour.
So user awareness training and solutions to audit user awareness are critical elements of cybersecurity.