It is Week 4 of our 4-part series on #BECYBERSMART in conjunction with National Cyber Security Awareness Month. It has been quite a journey for us, laying the framework that builds up to this final post. Let’s recap what we discussed in the previous 3 weeks to set the stage for Week 4: Changing Behavior Patterns.
Week 1 was all about understanding that our security layers of processes and software are not the weak link. It is the employees, and the behavior patterns ingrained in them by human nature, that are the vulnerability gap. Social engineering is designed to exploit this human nature in order to compromise integrity or obtain disclosure of confidential information.
Week 2 gave us an illustrative understanding of what this looks like in real-life, everyday businesses. In 2020, we have established a digital footprint that is far bigger than any physical presence we have. With this digital footprint comes the risk that some type of event is triggered that causes exponential financial loss. So, while the risks that expose a business to loss have changed, the behavior patterns have not.
Week 3 spoke specifically to those events, and to how successful phishing campaigns lead to business email compromise losses and allow ransomware events to permeate the infrastructure or financial accounts of commercial businesses. These events and the losses they cause account for almost all cyber claims in 2019 and 2020, around 90%. What drives them is the vulnerability of human nature, and until these behavior pattern weaknesses change, the risk will keep growing.
All of this leads us to ask the question “Why are we not asking more questions?”, which is our segue into Week 4: Changing Behavior Patterns.
Every business is a house of cards. Each employee is a card in the house. It’s a structure built entirely on the foundation of its employees. The bigger the company, the bigger the structure. However, the problem in the world of cyber risk is that all it takes is one of those cards to be snatched and the entire structure collapses. One employee’s access is stolen, and the entire company is at risk.
We already know that despite all of the layers of security we remain vulnerable. The threat is not whether we have locked all of the doors. The threat is that our employees keep willingly unlocking the doors. Let’s explore what we can do to redirect our employees’ focus toward a shift in fundamental behavior patterns, rather than a top-down approach using big words nobody understands. Since we are dealing with human nature and behavior patterns, our approach has to gain emotional investment to succeed.
What we need to do at every level of the organization is ASK, and this is what it means to ASK:
We are always aware of our physical presence. For example, when you walk down the beach in the sand, you see the footprints you leave behind. We leave our house every day and lock it when we go. We protect our possessions. We wash our cars and keep them clean and shiny. We take care of what we own. It is human nature to notice your surroundings, be aware of your threats, protect yourself from harm, and keep what you have safe and secure. Most employees in 2020 have a physical presence in their job, but with it comes a digital footprint that creates a non-physical presence. As an employee of a company you are not the owner of the physical footprint, but you are the owner of the non-physical footprint you have for that same company. What does this mean to you? It means you need to act like you “own the joint” and make a greater investment in keeping it safe. It means that the processes and training programs given by employers are actually tools provided to you to help you protect what IS yours: your digital footprint and non-physical presence. Remember, we instinctively take care of what we own.
In the greater world we live in, we ask questions. A lot of questions. But when we go into the much smaller world that is our job, we ask far fewer questions. We do this by instinct as well, because it is human nature to want to appear to know more than we do. Everyone wants to seem smarter than they are, and few want to own up to their mistakes or misunderstandings. This is a perfect storm for disaster. When we go to work or use work systems or devices, we need to get rid of assumption and presumption as the means of movement in our digital footprints. Assumption is when we do things because we think they are the right thing, BUT we do not know for sure. Presumption is when we do things because we are confident we are doing the right thing, even though we don’t know for sure. The former comes with hesitancy and uncertainty, the latter with surety and certainty. Both are destructive, because this kind of behavior pattern causes us to let our guard down. Consider an email from the VP of Finance asking us to make a wire payment. Under assumption: we don’t usually get a wire transfer request from the top, BUT it is from the top, so I will make the transfer. Under presumption: the request came from the VP of Finance, so it must be genuine. Bottom line: we need to be suspicious first, and certain only once we have confirmed there is nothing to be suspicious about. In other words, it is better to ASK than it is to EXPLAIN.
Knowledge is information. Wisdom is what you do with it. In the era of ransomware, phishing attacks, BEC events, privacy compromises, malware and so much more, the general citizenry of your company is lost in it all. An informed population makes better choices, and better choices lead to better patterns. For example, once upon a time everyone ate fried chicken once a week. It is what American families did. Then we found out that fried chicken was not healthy for us. Some stopped eating it altogether. Some ate it less often. Some did nothing. But most moved to grilled chicken instead. For many, a behavior pattern changed based on the information they had. The risks to a business that come from non-physical fires in your non-physical property need to be communicated to employees in ways that connect with them emotionally. When we watch a movie and begin to identify with a character’s circumstances, it creates within us an invested emotion based on a fictional circumstance. This is how the ideas of “not clicking on links”, “not downloading attachments” and “password management” need to be changed from their lackluster appearance to something more invested, like “not starting the fire that can burn the entire company down” or “how your credentials can be used to exploit you professionally and potentially personally”. This approach means something, and more people will listen and then heed the warning, just like with fried chicken.
In closing, we can all do a better job of keeping ourselves safe. Our behavior patterns at home are our behavior patterns at work in the digital universe. Some of us are Jiminy Click Its. Some of us are rapid responders. Some of us just throw our information out there and see if it sticks. In your online identity, remember this very important rule: EVERYONE IS YOUR FRIEND, BUT NONE OF THEM CAN BE TRUSTED.
Thank you for taking this journey with us on our road to #BECYBERSMART in 2020.