Our humanity is the key to fighting Cyberattacks
Technology on the ascendancy, or pushing humanity higher?

Cyberattacks are going to get more sophisticated and frequent. How do we support our people?

Mandatory training is often not engaging - we can change that!

Organisations have data indicating that where training is mandatory and repetitive, low learner engagement is often the outcome. If your learners say they already know the content, there are two responses:

(i) Update your course with the latest in Cyber Attack techniques; it’s an incredibly fast-moving and morbidly fascinating space, so leverage that. An update does not always have to be a fully updated course; it could be a ‘bite-sized’ refresher. We’ve created five-minute Cyber Christmas quizzes for some partners!

(ii) Consider offering learners an opportunity to prove their existing knowledge with a pre-assessment. The very act of taking the test will refresh them, and if they fail then the need to take the full course is validated.

Make it personally relevant

Cyber Security threats now affect everyone of every age, whether at home, school or work. There is a level of personal danger for individuals, and that makes it personally relevant and not without jeopardy. SiyonaTech will not shy away from this reality, talking honestly about difficult topics that help tell an engaging story, making a course feel vital and urgent. By linking the personal threats that people face with the challenges faced by organisations, we can find a hook: when an employee is learning skills that are useful in their personal life (and professional life regardless of where they work), their engagement increases.


Address human fallibility, not technical literacy

Artificial intelligence (AI) is creating new types of attack that come with a raft of new terminology. (Have you heard of AI Hallucinations, “Harvest Now, Decrypt Later”, Fraud GPT, Worm GPT, RAAS?) If a Cyber Security expert designs the training, it’s possible that they’ll organise it around an A-Z of the types of attacks. This is perfectly understandable and perhaps how they best learn.

However, I would argue that your average employee will struggle to understand the technology in any great detail, and in any case they mostly need to understand the practical implications of the attack. Despite ‘Cyber’ conjuring up a very technical, virtual world, the reality of attacks is that they often start with quite an old-fashioned form of confidence trick: the attacker uses a fake identity to mimic someone who is trusted in the organisation (such as a senior manager) and encourages an employee to click on a link or share privileged information such as account or password details. This human vulnerability is based on the need to trust, respect hierarchy, be helpful and please customers, and these are never going to change. The good news is that SiyonaTech’s Storytelling++ approach is also based on how humans understand the world, how they receive, interpret and apply information. In a high-tech world, it’s our humanity being targeted by criminals, and to a large extent, it’s training our human instincts that can protect us.

Inclusivity

Literally everyone in your organisation is a potential weak spot for an attack, which means creating a learning course that is as inclusive as possible. There are techniques that should be used as standard, such as desktop and mobile compatibility, transcripts, localisation and translation. Brevity is also important, and strong visual treatments are a universal way of communicating, as is good storytelling. A bespoke learning course, rather than off the shelf, can authentically represent your environment with realistic scenarios and powerful simulations.

Criminals looking to breach a large organisation frequently target smaller, more vulnerable companies in the supply chain. A smart response to this can be for the larger organisation to encourage its suppliers to take the same (perhaps adapted) Cyber Security training course.


Summary

Social engineering is getting more sophisticated, with AI tools helping simulate voice and video deepfakes, pretending to be someone the victim trusts. If you were being targeted across multiple channels like SMS, email, WhatsApp, MS Teams, social media and phone calls, by someone who looks and sounds like your manager, it’s possible that even the most resilient and sceptical person can start to doubt themselves, if not properly supported.

Storytelling++ is SiyonaTech’s response because stories ignite emotion, allow us to learn from experiences and strengthen our values. Keeping the learning concept fresh is important; there is no reason it can’t be a mixture of exciting, serious, fun, lighthearted and gamified stories, as long as they reflect the values and culture of your workplace.

The ultimate performance goal is for employees to be routinely spotting and forwarding suspicious communications to their IT department, without drama or fanfare, because it’s just the normal way of working.

Let me know if you agree in the comments below.


David Stranack

Cybersecurity Awareness Specialist | SSAP Certified | Expert in Innovative Security Education & Culture Transformation

5 months

To better understand how we might turn the tables regarding AI in our security programmes I'd highly recommend watching and listening to this short but super informative video from SANS - https://www.sans.org/webcasts/introduction-ai-leveraging-cybersecurity. As ever Lance Spitzner telling it like it is. You need to register but it's well worth it!

Daniel Whiston

Instructional Designer

5 months

I just worked on an update to a Phishing course - and you're absolutely right, Matt: Generative AI takes the threat to a whole new level. In fact, I'm in the middle of switching to Biometrics for my personal banking etc on that basis!
