Cyber Security Awareness Training expert, Mike Ouwerkerk, shares with us his insights in his years providing fun and in-person trainings to companies as well as answering the question if humans are, indeed, the weakest link.
Mike Ouwerkerk is the founder of Web Safe Staff, an IT Security Awareness Training service based in Australia. He brings more than two decades of of IT experience from a range of business experience in multinational companies to small businesses.
It's a common quip among cyber professionals of humans being the weakest link in cyber. We know a company can have all the fancy software in place but if one person clicks a link or downloads what they shouldn't, that fancy tech has been bypassed in an instant. Of course, cyber criminals know this and is why social engineering has become one of the main tactics for scammers and the like to utilize.
Mike offers a nuanced perspective on the matter, "Are humans the weakest link? Yes. 100%...But I will clarify what I mean...When we say 'humans' or 'human firewall' and things like that, I don't like that. I think it's so impersonal treating people like some sort of object...You don't say 'how do you like my quadruped?', you say 'how do you like my dog?' It's got emotions. [Same with] people, right? So I always say 'people'.
Okay. So what about people being the weakest link? Mike suggests that the weakest link isn't everyone. Instead, he focuses in on those responsible for managing and assuming risk within the company.
He shared the analogy of a boss sending a new employee to drive the company car on an errand but the employee doesn't have a license. The boss insists, the employee runs the errand and wrecks the car. Furious, the boss yells at the employee upon his return for wrecking the car, when the employee was never taught to drive. It's the same with modern technology. Most end users have never been properly trained on how to safely navigate the cyber highways of the digital landscape yet businesses are constantly providing employees with new tech, gadgets and software without ensuring they have the proper training to safely navigate the digital connections.
"When I say it is human error, you have to look at where the responsibility lies. Where does risk lie? At the board or the management - depending on the size of the company. Did they organize for that person to get the proper training? That's their job, right? They have to deal with the risk. They have to minimize it and put the controls in place. If they're not giving the people good training and just sticking them in front of the risk, well, there's your human error."
"Human error is expecting to get the best out of your people when you haven't helped them to be at their best."
Once the higher-ups determine they need to better equip their teams to handle risk, the question remains how to get the end users to internalize the message and change behavior? People won't change, even if they have good intentions to do so, easily. Having had experience as a project manager, Mike understands the need to motivate individuals. Any time an organization wants to go through a company-wide shift, it involves change management. Regardless of the end goal, when asking employees to change their processes, procedures, or attitudes it requires some basic tactics to work on getting individuals motivated to join in with the change.
In today's work environment where employees' duration with a company is not longstanding as in previous times, it can be tricky to do this. People are in high demand. Do they care about the company enough to change their own habits?
Mike's view is if you want them to change you need to provide a level of dissatisfaction. In the case of security awareness, creating an element of dissatisfaction with the security and safety of the employee's online vulnerabilities at home is a way to establish it. By helping individuals understand the importance of better online safety habits at home, they'll have a better understanding of the importance of bringing those same habits into their work day.
Don't start with the 'weakest link' mindset, that's the wrong mindset. You're blaming them for your problem. They're not the problem, they're the solution."
One of the most effective ways to do this is through real life stories. Mike frames it in this way, "Instead of saying, 'you guys suck, now we have to train you,' maybe start off with, 'hey, cyber security is important to us; and you guys, you can unlock it for us. You can be awesome, so let's do this stuff. And guess what? There's great tips in here to keep you guys safe at home, too.' ...and build that excitement, [use] change management. Get people along for [the ride], keep it positive. And that for me is how you start this stuff."
Check Out Wizer's Real Life Stories
One trait Mike has observed over the years he's done security awareness training is that the everyday user is not generally suspicious enough. There is a lot of assuming and trust that happens online by regular people - they assume a company has done the basic security requirements to keep their data safe and they trust messages and information sent to them. Criminals know this and use it to their advantage.
Helping people learn to have a healthy dose of suspicion when operating online can make the difference between falling for a ransomware phish or pausing long enough to call and verify. As he commented, "You don't have to know all this stuff, but if you're suspicious, you take a pause."
Awareness is just the beginning. From there it's important to build on that new-found awareness; build on that internal voice and keep them suspicious of phishing and scam attempts. This is all part of the cultural change - to weave regular notices, reminders, and micro-trainings consistently throughout the year.
For those who already know the basics, it's good to provide them with the latest trends in scams. For new hires, it's important to assess their current level and provide training relevant to where they are, and introduce the importance of security from a company cultural perspective.
Storytelling is by far one of the most effective tools to use when weaving these stories and creating content. While everyone enjoys fun, a balanced dose of 'fear' can be effective when balanced with practical steps to protect themselves against such scary possibilities. The aim should be not to paralyze but to engage their brain and get the wheels turning. With any content created, it should be to empower the end user to make them confident.
---
Connect with Mike Ouwerkerk on LinkedIn, visit his website at websafestaff.com.au . Don't forget to check out our Security Awareness Manager community on LinkedIn, too.
Undermining Security Awareness - Interview with Amy Dearwester
Finding Security Awareness Training Topics - Talk with Wizer's Founder, Gabriel Friedlander
Building Healthy Security Cultures - Interview with Nadja el Fertasi
Security Awareness Community Manager's Hub