As you know, I work as a Marketing Director for a Network Security company. You’ll probably be relieved to hear that I don’t get deeply involved in the technology, I am more about what colour it should be. This is a piece based on my own observations that I published on my LinkedIn page some time ago. It is my first work related blog post. On the subject of LinkedIn, please feel free to find me on there and connect, I’m the only Barry Mattacott on there so pretty easy to spot. You can also find me on Twitter.
Defending The Network From The Inept
Dunning-Kruger Effect and its impact on Network Security
In 1999 psychologists David Dunning and Justin Kruger experimentally observed something that many of us have had our suspicions about for a long time. Some people just aren’t bright enough to realise that they know nothing! Their test revealed a cognitive bias whereby people with very little knowledge of a subject tend to assess their ability as far greater than it really is. Basically, they fail to see the depth of knowledge that they don’t possess. Perhaps more oddly, they also recognised a reversal of the effect in those carrying high levels of skill and knowledge. These people did not realise just how skilled they were and assumed that everyone else would find it as easy as they did to carry out a task.
These two phenomena can combine to give a perfect storm in relation to your network security. On the one hand, a highly skilled network professional will have a tendency to believe that observing good security precautions is little more than common sense. Why would any staff member click on a suspicious email link, especially after they have been warned not to do it? On the other hand, some of the less gifted workers honestly believe that they know all about how the internet works and see no problem at all in clicking away at a link because, quite frankly, they have never heard of a drive-by download or the myriad of other nasties they could be blundering into.
So in the interests of good security, don’t judge everyone else by your own high standards. Accept that on today’s highly protected networks it is often the human element that is your weakest security link.
Now that you have accepted and faced your problem, what can you do about it? Force every member of staff through rigorous rounds of security awareness training, burning up so much of everyone’s time that overall productivity within your organisation grinds down to zero whilst simultaneously costing a fortune? Well, that would be one way to go at it. Alternatively, you could engage a professional agency like KnowBe4 to carry out unobtrusive and non-invasive staff testing. This will result in you receiving a confidential report of exactly who within your organisation actually is a risk. You can then focus their carefully developed security awareness training programmes exactly where you need them, thus saving both productivity and cost.
It has been found that at the start of testing the failure rate for staff clicking phishing links is a massive 30%. After a programme of testing and training this can be consistently brought down to about 5%. But those remaining 5% just don’t get it; probably your best bet with those ones is to park them in a corner with a typewriter and no internet connection. I think it is fairly likely that at some stage in the future we will see lack of cyber security awareness being used as grounds for dismissal. Many experts are already dubbing 2016 the year of Ransomware, with the main attack vector for it being various forms of phishing. And it’s not just the little fish that are being targeted: the more exotic forms of phishing, like Spear Phishing and Whale Phishing, are generally aimed at director level, so don’t just run the testing across the bottom end of the organisation. You need to go right up through to the top, perhaps even singling out the FD/CFO for particular attention and training.
Starting the testing process is easy and free: visit this link and request a free exposure test: http://www.wickhill.com/knowbe4