End-User Cyber Security

Did you know that most cyber-crimes succeed because of end-users not understanding the danger in their behaviour, or being distracted?

Sometimes they even mistakenly believe that it is entirely the IT Department’s job.

Cyber Security: a Strategic Imperative

With the internet becoming fertile ground for cyber criminals, private investigators warn that fraudsters are increasingly preying on end-users, due to the lack of attention given to training and overall awareness.

South Africa ranks sixth in the world for cyber-crime density, rising six-fold in the last 6 years. We had 230 million threat detections in total. The exploitation of these vulnerabilities within South Africa identified that we have the third-highest number of cyber-crime victims worldwide.

See what we have to say about the cyber-crime scene in South Africa:

Cyber-crime is deadly

Cyber-crime impacts on almost every aspect of your business from the Executive suite to the operations.
It can be mitigated by adopting a Cyber Security Culture.

Consequences of cybercrime
Cyber security

Cyber security is the application of technologies, end-user training and adoption, processes and controls to protect systems, networks, programmes, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of systems, networks and technologies.

A Cyber Security Culture harnesses the power of people, processes, policy and technology to fight this surge in cyber-crime. It is pervasive throughout the entire organisation.

Cyber Security Culture Programme

The Cyber Security Culture Programme content

Do you know the percentage of information security incidents attributable to human error?

Researchers from Stanford University found that approximately 88 percent of all data breaches are caused by an employee mistake. Human error is still the driving force behind an overwhelming majority of cyber security problems.

There are three primary reasons:

  • End-users don’t know any better;
  • They are distracted; or
  • They just don’t care or realise the impact.

A Cyber Security Culture is a culture in which the customs, ideas and behaviours of a business underpin its cyber security. It takes the form of a Change Management programme specifically aimed at heightening a positive attitude to cyber security amongst end users.

In a Cyber Security Culture programme, we look at it from 7 angles: Communication, Training, Attitude, Standards, Governance, Behaviour and Responsibility.

Communication

Communication is the most pervasive tool that we have in our arsenal. It creates awareness and educates users as to the critical nature of this intervention, explaining to them why cyber security is so important.

We develop a communication plan which goes beyond just broadcasting information to the audience via email, posters and the intranet.

This communication must be engaging, pervasive and consistent. We look for ways that we can bring it into the day-to-day work experiences of our employees using mechanisms such as competitions, gamification and rewards.

Training

End-user training is critical because in many organisations it is non-existent or ineffectual.

The end-user gets an email with arbitrary instructions: “don’t click on suspicious links or share passwords” or “you are required to change your password regularly”. This means less than nothing to the employee and by the end of the email, they have forgotten it, because it wasn’t important, they aren’t an idiot or security is the IT Department’s problem.

Proper training includes a robust discussion around why it is so dangerous, the types of cyber-crime, how and why it works, recognising suspicious activity, securing personal devices and understanding that everyone is responsible for cyber security. See below for Digital Bridges’ Cyber Security Training curriculum.

Attitude

A person’s attitude to cyber security can mean that they don’t think it has anything to do with them, or don’t understand the impact it can have, and so are careless. This can be measured by anonymous surveys and addressed through interventions like retraining, coaching or incorporating it into their key performance metrics.

If the person is malicious or hates his job, it can also have serious consequences.

Behaviour

Behaviour mostly has to do with how the employee responds to an actual threat. There are a number of software programmes that can mimic security threats; these can be used to test employees and how vigilant they are. The results could be turned into a competition or reward mechanism, to get end-users to be more careful.

Standards

If the organisation or institution has certain norms and standards in place, it can help to recognise anomalies. For example, with standardised email addresses and fonts, or even standard ways of structuring information and naming conventions for documents, end users may realise that something is not right.

Careful users can also check out the standards of the organisation that the cyber-criminal is impersonating. For example, what is their standard naming convention on email: is it name.surname@organisation.com or initialsurname@abbreviation.co.za? They should look at the last part of the address: the government is always a .gov, never a .org, where your bank may be a .co.za and your insurance company could be a .com. These are warning signs.
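The check described above can also be automated at a mail gateway or in a reporting tool. The following is an added example, not part of Digital Bridges' material; the organisation names, domains and naming conventions in it are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed conventions for two hypothetical organisations:
# name -> (expected domain, pattern for the part before the @).
CONVENTIONS = {
    "example bank": ("examplebank.co.za", re.compile(r"[a-z]+\.[a-z]+")),  # name.surname
    "example department": ("example.gov.za", re.compile(r"[a-z]+")),       # initialsurname
}

def check_sender(from_header):
    """Return warnings for a From header whose display name claims a known organisation."""
    display, addr = parseaddr(from_header)
    local, at, domain = addr.lower().rpartition("@")
    if not at or not local or not domain:
        return ["no usable email address in From header"]
    org = next((o for o in CONVENTIONS if o in display.lower()), None)
    if org is None:
        return []  # display name claims no organisation we hold a standard for
    expected, local_re = CONVENTIONS[org]
    warnings = []
    if domain != expected:
        name, _, ending = domain.partition(".")
        exp_name, _, exp_ending = expected.partition(".")
        if domain.startswith(expected + "."):
            # The real domain is only the front of a longer, different domain.
            warnings.append(f"{expected} is only a prefix of {domain}")
        elif name == exp_name and ending != exp_ending:
            # Right name, wrong last part (.org instead of .gov, .com instead of .co.za).
            warnings.append(f"ending .{ending} is not the expected .{exp_ending}")
        else:
            warnings.append(f"domain {domain} is not {expected}")
    if not local_re.fullmatch(local):
        warnings.append(f"'{local}' does not follow the usual naming convention")
    return warnings

# Constructed sample headers.
SAMPLES = [
    '"Example Bank" <thandi.nkosi@examplebank.co.za>',
    '"Example Bank Support" <thandi.nkosi@examplebank.com>',
    '"Example Department" <tnkosi@example.org.za>',
    '"Example Bank" <security-team1@examplebank.co.za.verify.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "matches the standard")
```

A message that passes this check is not proven genuine; it only means the visible address follows the organisation's known standard.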

Governance

We will examine and update your security policies as well as sort out their dissemination and any training that is necessary.

Responsibility

Much like attitude, the employee has to understand that cyber security is everyone’s responsibility. This can be measured by anonymous surveys and addressed through interventions like creating an “us versus the cyber-criminal” challenge.

We will use these mechanisms to help our clients create a safer and more secure workplace.

Cyber Security Awareness and Training

In the course we will cover:
  • The impact of cyber-crime on organisations;
  • The important role of the end-user;
  • Types of cyber-crime targeting end users;
  • Identifying email cyber-crime;
  • Social Media scams;
  • Password security and tricks to protect yourself;
  • Multi-factor Authentication;
  • What to look for in dodgy URLs and fake email addresses;
  • Tender scams and how they work; and
  • Updating the security on your personal devices.