How to combat phishing and malware with training

'You just don't put a video online one time and think that you're going to change behaviours'

By sending out these fake phishing messages, the goal is not to punish or shame but to educate employees on the correct response, says an expert.

Strong security on computer networks is more essential than ever, as the coronavirus lockdown has brought a sharp increase in hacking attempts, says a security expert.

“Since the pandemic started, we saw an increase in phishing of about 40 per cent and we know that when we want to change behaviours, we need to repeat the message in different ways to avoid getting phished,” says Lise Lapointe, CEO of security awareness firm Terranova Security from Laval, Que.

To achieve better cybersecurity, organizations need to implement a strong, ongoing training regimen now to reinforce that message.

“It’s an ongoing thing, you just don’t put a video one time online and think that you’re going to change behaviours -- you need to repeat,” says Lapointe.

The best security campaign begins with internal communication about the upcoming training, using marketing methods such as web banners or posters, she says, and then moves into the training component itself. That includes modules and micro-learning on phishing and malware, along with phishing simulations.

At this point, HR plays a key role in amplifying the message that vigilance is important and must be constant, says Lapointe.

“HR and security have to work hand-in-hand: HR in support of security because security has the knowledge about what’s going on in the organization regarding the breaches, the risks, and they need to identify what are the important things to train the users on.”

“But they need HR to help them give that training [and to] follow up to [identify] which employees did it, who didn’t do it; to send the reminders and prepare the reports for high-level management,” she says.


When it comes to phishing, which is the biggest risk currently facing businesses, there are several types of improper practices that need to be corrected. Using simulated phishing templates in the training helps to change behaviours by repeating the message, says Lapointe.

By sending out these fake phishing messages, the goal is not to punish or shame but to educate employees on the correct response, she says.

“Then if people click, they will have access to just-in-time training of a one-minute video that will explain what should you have seen in this email to recognize the risk? And what would have been the consequences if it was a real ransomware? And what should you be doing?”

“If you go too much, people are not going to pay attention anymore. But you need also to let your users know that throughout the year, they’re going to be phished. We’re looking at diminishing the click rates. The idea is not to catch them, it’s to train them,” she says.

The training modules should also be customized for each separate business line, says Lapointe.

“Depending on which department they are, HR, finance or sales, they don’t necessarily face the same type of phishing emails. Some phishing emails are targeted to finance, others are targeted to HR to get personal information on employees.”
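The simulation loop described above (department-specific lures, a tracked link per recipient, just-in-time training when someone clicks, and click rates reported by department so they can be tracked down over repeated campaigns) as an added Python example. This is illustrative code written for this page, not Terranova Security's product or any code the article describes; the tracking host, template subjects, recipient list and the HMAC-signed token format are assumptions. The signed token matters in practice: if the link only carried a user id, anyone could forge or enumerate clicks for colleagues and corrupt the numbers that management sees.

```python
"""Phishing-simulation tracking: signed per-recipient links, just-in-time
training on click, and click-rate reporting by department.

Illustrative example for this page, not a vendor's code. The host, templates
and recipients are constructed sample data."""
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict

TRACKING_HOST = "https://training.example.internal"  # assumption: a host you control

# Department-specific lures (constructed sample subjects), since finance, HR
# and sales do not face the same phishing emails.
TEMPLATES = {
    "finance": "Invoice #4471 overdue - review the attached payment request",
    "hr": "Updated employee records require your confirmation",
    "sales": "Your Q3 commission statement is ready to download",
}
DEFAULT_TEMPLATE = "Password expiry notice: action required"


def _b64decode(s):
    # urlsafe base64 without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class PhishingSimulation:
    def __init__(self, campaign_id, recipients, key=None):
        # recipients: {recipient_id: department}
        self.campaign_id = campaign_id
        self.recipients = dict(recipients)
        # per-campaign HMAC key; lives only on the tracking server
        self.key = key or secrets.token_bytes(32)
        self.clicked = set()

    def _tag(self, recipient_id):
        msg = f"{self.campaign_id}:{recipient_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def token_for(self, recipient_id):
        # token = recipient id + HMAC tag; without the tag anyone could forge
        # or enumerate links for other users and corrupt the click data
        rid = base64.urlsafe_b64encode(recipient_id.encode()).decode().rstrip("=")
        tag = base64.urlsafe_b64encode(self._tag(recipient_id)).decode().rstrip("=")
        return f"{rid}.{tag}"

    def build_messages(self):
        """Return {recipient_id: (subject, tracked_url)} for the campaign."""
        messages = {}
        for rid, dept in self.recipients.items():
            subject = TEMPLATES.get(dept, DEFAULT_TEMPLATE)
            url = f"{TRACKING_HOST}/c/{self.token_for(rid)}"
            messages[rid] = (subject, url)
        return messages

    def record_click(self, token):
        """Resolve a clicked link. Returns the just-in-time training URL for a
        valid token, or None for a forged or garbled one (which is not counted)."""
        try:
            rid_b64, tag_b64 = token.split(".", 1)
            rid = _b64decode(rid_b64).decode()
            tag = _b64decode(tag_b64)
        except (ValueError, UnicodeDecodeError):
            return None
        if rid not in self.recipients:
            return None
        if not hmac.compare_digest(tag, self._tag(rid)):
            return None
        self.clicked.add(rid)
        dept = self.recipients[rid]
        # the training page is department-specific, matching the lure that was sent
        return f"{TRACKING_HOST}/train/{self.campaign_id}/{dept}"

    def click_rate_by_department(self):
        sent = defaultdict(int)
        clicked = defaultdict(int)
        for rid, dept in self.recipients.items():
            sent[dept] += 1
            if rid in self.clicked:
                clicked[dept] += 1
        return {d: clicked[d] / sent[d] for d in sent}

    def overall_click_rate(self):
        return len(self.clicked) / len(self.recipients) if self.recipients else 0.0


if __name__ == "__main__":
    sim = PhishingSimulation("2020-q2", {"alice": "finance", "carol": "hr"})
    msgs = sim.build_messages()
    print(sim.record_click(msgs["alice"][1].rsplit("/", 1)[1]))
    print(sim.click_rate_by_department())
```

Run the same class with a new campaign id each quarter and compare `click_rate_by_department()` across runs; the downward trend in click rate, not the count of people caught, is the measure the article describes.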

A recent U.S. report found that an additional US$15 billion per week is being spent fighting these risks, while combat veterans are being trained for new roles in cybersecurity.
