Based on the latest data from the Information Commissioner's Office (ICO), covering Q2 2019, phishing is the most common cyber security incident experienced by businesses. In fact, over half (54%) of all cyber incidents reported to the ICO in that quarter were the result of phishing.
The success of phishing isn’t hard to understand. It’s easy to carry out, easy to profit from, and from the perspective of cyber security professionals, it’s notoriously difficult to defend against.
What's even more concerning is that the phishing threat is growing in sheer numbers: some reports indicate that certain types of phishing attack more than doubled in prevalence between 2017 and 2018.
The calibre of attacks is also rising. The classic advance-fee scam is still making the rounds, complete with its predictably poor spelling and grammar. But spear-phishing attacks, personalised to their target and sometimes highly convincing, have been on the rise for a number of years now and show no signs of abating.
Combating human error
Given how many breaches stem from human error, cyber security training is by far the most effective method of tackling human-error and social-engineering data breaches. A modern approach, one driven by AI and data analytics and underpinned by behavioural science, can make a real difference to cyber security awareness, behaviour and culture, and can demonstrably reduce human cyber risk.
But… uptake of cyber security training is worryingly low
Amongst UK SMEs, the uptake of cyber security training is worryingly low. CybSafe’s own Securing the Supply Chain research, conducted earlier this year, showed that only about half of UK SMEs are engaging in any kind of security training.
Of these, many are simply paying lip-service to security training for compliance reasons. Their training is boring, unengaging, and non-contextualised. Only a tiny percentage of UK SMEs implement training and awareness programmes that actually have a tangible and measurable impact on the behaviour of staff and the risks they pose.
The situation is different amongst enterprises, where security training is common. Enterprises are much more likely to recognise the risks associated with the human cyber threat, and to realise that action has to be taken to mitigate that risk.
However, enterprise organisations face a similar challenge to SMEs in that not all cyber security training and awareness solutions are effective. Many products on the market profess to help businesses reduce their human cyber risk, but very few do. And whatever impact these solutions do have on user behaviour usually cannot be measured.
AI-led cyber security training
The term "learning styles" is one that readers have probably only come across if they have worked in the education sector. It refers to the idea that every person learns slightly differently.
The idea is that there’s a preferential way in which we all absorb, process, comprehend and retain information, and this is dependent on a range of factors – cognitive, emotional and environmental factors, as well as the person’s prior experience.
With AI, this can be replicated in software. Using machine learning and each user's learning preferences, a training programme can be differentiated so that individuals get an entirely bespoke experience.
Some users, for example, will want to learn through informational videos, others will prefer to read text, others will respond to gamification techniques, and others can only learn by doing. An AI system can work out which of these works best for each individual.
Altogether, AI enables training to become much more effective and increasingly personalised to the individual over time. AI models can even predict when users are likely to forget information so that users get support at the right time, in the right way, and in a way much more likely to influence behaviour.
Creating a cyber security culture
Training is certainly one step towards a strong cyber security culture, but it is not the whole solution.
Just because people are ‘trained’, doesn’t mean they will put knowledge into action. Indeed, study after study shows that they usually don’t. Education, by itself, doesn’t foster a cyber security culture.
Businesses need to look at awareness, behaviour and culture more holistically, and they should be paying special attention to two things in particular: firstly, incentives, and secondly, environment.
What do I mean by this? First (and this may seem obvious), people act securely only when they care about doing so. They need the motivation to behave securely, not just the knowledge.
Second, people are even more likely to behave securely when performing secure behaviours is seamless — when doing the right thing is the easiest thing. This is something organisations frequently ignore; a substantial part of the human cyber security problem is rooted in error-provoking technologies and environment, rather than error-prone or uninformed people.
AI and data analytics solutions can help on both fronts.
Leading the cyber charge
Needless to say, responsibility for cyber security has traditionally rested with the chief security officer or CISO. But recent regulatory changes, as well as high-profile breaches, have served to broaden that responsibility.
Considering the rising financial, legal and reputational damage that breaches can now cause, cyber security is now, in some form or another, on the agenda of almost all C-level executives, from the CMO to the CFO and CEO.
That shared responsibility for, and interest in, cyber security across the breadth of the C-suite can only be a good thing.