With all the technology that is available to us today, business managers have to ask themselves:
Why is it still so difficult to stop hackers from penetrating a company’s network and accessing sensitive or confidential information? The answer is… human psychology.
Despite genuine attempts among employers to offer their computer users security awareness training, whether internally or through external vendors, cyber crime is on the rise. Reliable studies have determined that phishing attacks are so effective that phishing continues to be the preferred method to gain unauthorised access to networks, protected data and financial records. In fact, over 90% of data breaches recorded in the last few years did not employ any sophisticated hacking methods. They achieved their goals through simple – but very clever – emails.
Psychology as the basis of fraud
Like business owners, hackers have noticed that security awareness training has its limitations. But the hackers also know precisely WHY. They have figured out how to mute the benefits of security training just enough to allow them to achieve their goals, by taking advantage of human psychology, and in particular two aspects of human behaviour: the average person’s reaction to FEAR and/or TEMPTATION. Take any random series of phishing emails and you will notice that the message in most cases is based on either scaring the user into taking specific immediate action to avert a danger, or promising a huge and almost instant reward in return for just a simple click.
Common examples are messages that contain false threats of potential loss of critical data or other technical problems, which cause employees to fear the reaction of their employer and the possible loss of their job. At the same time, the phishing email presents a painless solution, which involves offering remote access to the company’s network. Within seconds, fear can overshadow everything else, especially if a company’s security awareness training is not reinforced regularly, or, even worse, if an employee knows that he or she has not conscientiously implemented every rule and procedure delivered during the training.
Equally popular among hackers are phishing emails that promise extraordinary rewards, such as an unexpected inheritance, an irresistible investment opportunity, or a courier delivery of a surprise gift. They know that temptation will often silence the voice inside that says: “If it sounds too good to be true, it probably is.”
Psychology as the basis of security
The good news is that psychology works both ways. Yes, companies must, by all means, offer all computer users security awareness training, and the object of such training must be to eliminate bad habits and replace them with new ones. Unfortunately, that is often much more difficult than it might appear. To achieve such change, employers also have to understand the psychology of their people. In this context, three points are worth emphasising:
- Any reference to ‘changing habits’, or ‘bad habits’, is easily perceived as a personal attack and criticism of a person’s behaviour. Make it clear that the opposite is true: that the security of your network is in their hands; that they are indispensable; that they are not the problem, but part of the solution.
- Understand that any training programmes and subsequent instructions are likely to cause a disruption of your team’s regular workflow and will therefore be seen as an inconvenience. Offer incentives and rewards for positive test scores both in individual training as well as for collective performance within a department.
- Finally, understand that the ultimate goal of security awareness training is to develop a culture of security awareness. This cannot be achieved in one or two training courses where your team is a passive audience. They have to be engaged in the process. Encourage your people to ask questions if they don’t understand the importance of certain security measures or policies. Welcome their feedback on the actual training and allow them to offer alternative suggestions to instructions they find difficult to implement. Make sure they know how much you appreciate their role in protecting the company.