What Mum taught me about cybersecurity
Recently, I had a chat with my Mum about why she needs to hang up the phone on potential fraud calls. I wasn't the first time. It's easy to wonder why frauds tend to be so effective with the older generations when the best practice to manage them is well-known. Anyone would tell you that you shouldn't have a conversation when the call comes in unsolicited and suspicious. Don't be polite. Just hang up the phone, right?
But that's counterintuitive to how Mum was brought up. So she has the conversation even though her son is in cybersecurity and has advised her on best practices many times over the years.
The younger generations might not have the same hang-ups about hanging up, but cycle through a few generations and we're seeing some very strange things occur around cyber awareness. Millennials – the first generation to start to use technology through education, albeit in a relatively limited manner (think computers on desks and Nokia phones), tend to be some of the savviest when it comes to being conservative online. They're typically better with passwords and understand where the risks online come from.
But then comes the true digital natives, and research has found that Gen Z tends to be so immersed in technology that they're actually the least cyber-secure generation. A total lack of fear with using technology seems to have translated to a blase quality in how they use it.
Meanwhile, now that we're starting to see the Alphas start to form their own habits online, the pendulum seems to have swung back the other way. In a world that is now inundated with generative AI, the Alphas seem to be responding by having an inherent disbelief and distrust of everything that they see online.
Here's the thing: On a generation-to-generation basis, and an individual-to-individual basis within that, people learn differently. Unlike OH&S and first aid, cyber awareness isn't a set of hard rules and regulations that need to be followed to the letter. It's more a series of best practices, influenced by culture and personality, and so cyber security awareness needs to be more tailored than a textbook approach.
One of the interesting things about cyber security is that we all know the statistics about "human error" accounting for almost all data breaches. The Hollywood image of hackers typing a million words per minute into their keyboards and brute forcing their way into a network through sheer coding skills just doesn't happen often. Instead, as research from Stanford University tells us, in around 88 per cent of cases, it's human error.
So, we know where the risk lies, and we know that the best way to limit the risk of humans making errors is to inform them. With all these generational differences, though, why would you ever try a one-size fits all cyber awareness course?
What Does Customised Cyber Awareness Look Like?
Generational differences are just one part of the equation. Another potential stigma that we all need to overcome is the idea that "human error" means "human fault." Too often, when a cyber breach occurs because someone downloaded the wrong attachment or put their password into the wrong form, we roll our eyes at the person for being "stupid" enough to fall for it.
Just like we wonder how our mothers could ever fall for a phone scam when they "know" that they just need to hang up.
Very smart people can make human error mistakes. We recently became aware of an executive whose email account was compromised. The cybercriminal acted as her and emailed the person she's been dealing with at the department to say, "Hey, I've had to change my bank account details, can you please transfer the money into that instead of the normal account." These were significant - six figures. It was only after three billing cycles that the executive realised that these were unusual payments, and that was only because they'd happened over Christmas and New Year's.
The moral to this fable is that cyber awareness training should not assume that a human error is the result of some kind of knowledge or even intelligence lack, but instead understand the circumstances of a person, across their generation, their job role, and more, and tailored to that profile.
A training course must measure the risk profile of all people in the organisation, and then map that against who in the organisation has access to the "crown jewels." For example, who has the capacity to make a payment.
All those people need to have additional checks and balances on what they can do when it comes to making a payment – it's not about getting in the way of what they need to do, but setting up a system that properly accounts for the risk while at the same time providing the tailored training program to help them recognise where the malicious requests specific to their role in the company might come from.
To overcome the challenge of "human error" resulting in data breaches we need to, firstly, understand the various profiles of both employees and customers within the organisation. If they're involved with touching data, then there is a risk that needs to be managed. And then we need to find ways to tailor the communication of that risk and training on how to avoid it to that person, specifically. One size does not fit all, and the more tailored the cyber awareness training program, the more we can have confidence that it's working.