Your people are the most effective line of defence when it comes to cyber security. It’s a message that has been passionately expounded by cyber security experts for many years, but it has taken the recent hike in the profile of cybercrime for people to really start listening.
Today’s webinar was a chance to gain a little insight into the topics of cybercrime and cyber awareness from two seasoned professionals with a wealth of first-hand experience. Nick Wilding leads the Cyber Resilience Best Practice division of AXELOS GBP – a joint venture between the UK Cabinet Office and Capita; and Vicki Gavin is Compliance Director and Head of Business Continuity, Information Security and Data Privacy at The Economist Group.
At Unicorn we are fortunate to count AXELOS among our strategic partners, and have worked closely with them to develop and continually improve RESILIA – an integrated best practice portfolio designed to put people at the centre of an organisation’s cyber resilience strategy. Ahead of the imminent relaunch of this suite, Nick and Vicki took some time to lend context to the need for cyber awareness training.
This morning’s webinar kicked off with a roundup of the latest statistics relating to cyber attacks:
“One thing’s for sure”, said Nick Wilding, “looking at the stats, it’s clear that at some point you will be breached.” The frequency and nature of these attacks are such that it’s easy to see where he’s coming from: over the past year alone we’ve seen everything from repeated attacks on the SWIFT network, to the sustained efforts of Russian hacking group Fancy Bear in their attempts to upset the US electoral process.
“To be honest, it’s easy to see why people end up with ‘security fatigue’,” said Vicki Gavin. “We’re incessantly bombarded with frightening statistics to the point that sometimes these headlines end up just having the opposite effect. For me personally, I’ve found a way to leverage this kind of information, and the key is making it specific and relevant to the activities of your own organisation.”
“If we accept that people are our best line of defence”, continued Nick, “it’s shocking to think that in a recent study, we found that as many as 45% of organisations don’t do any kind of cyber security training, and of those that do, 81% are relying on mandatory training that is completed once a year or less.”
It’s about technology and people, not just bits and bytes.
– Vicki Gavin, The Economist
One of the anecdotes that AXELOS have come back to time and again is that of Jim Baines – a personal friend of Nick Wilding, and a CEO who has spoken at length about his traumatic experience at the hands of cybercriminals. Nick relayed this story today, and followed it with an extract from one of Baines’ letters that poignantly reminded others that none of us are invulnerable when it comes to falling foul of cybercrime. “Interestingly,” said Vicki, “what we seem to see time and again is the prevalence of this culture of blame. Whenever something happens, businesses are quick to want to assign blame – whose fault was it? Who clicked on a malicious link? Who opened a phishing email? But when we’ve talked about organisations only offering cyber awareness training once a year, how are people supposed to learn?”
“They say it takes a minimum of three weeks to start developing a new habit,” she continued, “so what we really need is to start embracing this idea of continuous learning.”
When you consider AXELOS’ stats that of the firms supposedly running ‘effective cyber awareness training programmes’, no more than 50% of them had full completion rates, it’s little wonder that learning continues to be a barrier to resilience.
“In the simplest of terms, where it comes to awareness there’s too much stick and not enough carrot,” says Nick. “At the heart of it, people sometimes forget that cyber is an interesting topic – so engagement ought not to be something that’s seen as tedious.”
“The problem is often that people think just because someone is a cyber expert, that that automatically means they will be a good trainer”, asserted Vicki – followed by another acknowledgement that in order to achieve real engagement, it’s critical to make learning relevant to your target audience. Sharing her experiences of responding to attempted cyber-attacks mounted on The Economist in the past twelve months, Vicki pointed out that this is now becoming the norm for businesses operating in the digital age.
At the source of every error which is blamed on the computer, you will find at least two human errors, one of which is the error of blaming it on the computer. – Tom Gilb, US Systems Engineer
“I can tell you we’ve had 360 cyber events in the last year, of which 60 we might categorise as ‘incidents’, and 3 that were escalated to crises,” she said. “In the latter part of last year, we had a breach when an individual unwittingly gave away their user credentials by clicking on a link in a phishing email. Although the hackers then used this breach to send a further email to everyone in the business, of the 1400 people we have working for The Economist Group globally, only 50 people actually opened this email, and no one else clicked on anything. In summary, we had the whole thing contained in under 3 minutes. This is exactly the kind of compelling event that shows the true value of cyber awareness training to our board.”
Speaking about the need to promote awareness learning that really works to change behaviours across businesses, Nick said: “What we come back to time and again is this theme of storytelling – making training relevant and relatable. Don’t just tell people what the policy is, help them to make that relevant, and to interpret and understand what you want them to do in order to support it. What we see instead is lots of ‘don’t do this, don’t do that’ – but what about the why?”
“Through our partnership with Unicorn, we have moved beyond the model of once a year training,” he continued. “We have built creative, innovative, engaging learning to help businesses design and implement effective training programmes for their organisations. The RESILIA suite gives you the power to build an adaptive, efficient programme of learning, utilising diagnostic tools to test current knowledge and then deliver only relevant content to address areas of weakness. The content is a mixture of online videos; refresher snippets and tests; games and animations – and in its variety is sympathetic to the notion that people learn in different ways.”
RESILIA is designed for businesses of all sizes to help them on the journey of developing a culture that recognises the need to keep abreast of the threats posed by cybercrime. As both Nick and Vicki explained today, a business is only as resilient as its people – something that unavoidably echoes the old adage about a chain being only as strong as its weakest link. “Critically, we want to get people talking about this stuff,” said Nick. “The more that people talk about it, the more resistant they become.”
If you want to find out more about RESILIA Cyber Awareness Learning – or book a demo – you can do so here.
If I asked you for the time, would you check on your analog wristwatch? Chances are if you are a millennial you wouldn’t, as you’re probably not wearing one and you might not even own one. You’re more likely to check via some piece of versatile technology, which might be a smart phone, smart watch, tablet, fitness tracker or other multipurpose device. It’s amazing to think the effect technology has had on something as simple as telling the time, so how have advances in technology changed learning experiences and styles?
From push to pull
Technology has changed our lives and continues to do so, both at home and at work, in a rapidly evolving digital world. As a result, employees now have different expectations and preferences, and learning styles have shifted from a traditional push model to a more modern pull model. So what are push and pull, and what’s the difference between them?
Historically employees would be invited to formal training, typically in a classroom, which would be at a time suitable for the trainer or training team. The employee would sit and listen whilst the trainer would go through a presentation, with the delegate taking reels of notes. The employee might be required to take a formal test (no talking or conferring please), and the success of the training and the employee would be based on the pass or failure of that test. The employee would be sent back to the workplace and often not given an opportunity to put into practice what they had learnt.
The Ebbinghaus forgetting curve shows that 50% of classroom training is forgotten within an hour if the theory isn’t put into practice. So how effective can this method of training actually be? And at what cost to the organisation?
Millennials pulling away from the push model
Today’s employees, specifically millennials – who according to PwC will make up 50% of the global workforce by 2020 – expect a different kind of learning experience. The pull model, whereby employees are able to access material whenever (work, home or on the go), however (desktop PCs, laptops, mobiles, tablets and face to face) and through whatever source (search, eLearning, assessment, video share, blogs, forums, knowledge share, mentors, communities and networks) is what these employees expect, desire and need.
The 70.20.10 approach
The 70.20.10 framework, which has been gaining momentum in recent years, takes a different approach to learning, moving away from a formal classroom environment that provides little to no practice in the workplace once a training course is complete. The principle of this learning framework is 70% experience and practice, 20% conversations with people and networks, and 10% formal learning. The approach moves away from formal, structured learning techniques, which are thought to be more costly and inefficient and to offer little flexibility for the employee or employer. The 70.20.10 approach goes hand in hand with millennial expectations and is well suited to our digital era, where information, networks and communities are more easily accessible.
What can employers do?
Creating a culture where employees willingly share skills and knowledge is critical for success within an organisation. A study by BlessingWhite found that employee development is one of the biggest drivers of retention and engagement; beyond simply retaining staff, such employees are more capable and motivated in the workplace and within their role.
If employees are given access to the right tools and knowledge, they will drive their own development and will seek information themselves. Technology can help organisations to provide collaborative learning environments for their employees and help to create a one stop shop for employee learning, development and training resources, allowing employees to gain access to this information when they need to.
This collaborative learning space can be provided through a virtual hub, whereby learning, development and training tools and resources are all found in one place. This space allows for a continuous learning environment, whereby employees can pull on any information and resources they require at that time, in a format which is conducive to their learning style and from wherever they are. Digital eLearning modules provide interactive learning quickly and effectively to delegates, saving time and resources compared to traditional methods. Other forms of technology can also be utilised such as apps and games, through multiple channels including mobile, harnessing a 70.20.10 learning environment.
The final word on the evolving learning experience
Technology is rapidly changing the world around us, both at home and at work. With millennials soon becoming the majority of employees in the workplace, it is critical to ensure their learning and development needs are met. Moving away from a traditional push model to a pull model, whereby employees are responsible for their own development and are able to seek the information they require when, where and how they need to, will lead to more capable and motivated employees and ensure organisations retain talent. Time to autonomy is shorter, employees become competent and confident in their roles, and organisations save on the costs of traditional formal training by moving to digital solutions, which can provide a one stop shop for employees.
This week, Emma Dunkley of the Financial Times published an amusingly titled yet insightful piece on the recent cyberattacks levelled at two major high street banks. Not to be misled by the lighthearted headline of the article, her account provided another chilling glimpse into the reality of what major banks and consumer organisations now face on almost a daily basis when it comes to protecting their data.
“The recent attacks on Lloyd’s Banking Group and Tesco Bank revealed the evolving techniques used by cybercriminals to expose financial institutions’ vulnerabilities”, she wrote, as she sought to explain the wider implications of what had happened. “The threat of cyber assaults is increasing. As banks roll out more digital services, and as more customers use technology to handle their money, cyber criminals have a greater number of entry points through which to access systems and customer data.”
On January 11th, Lloyds was hit by what is commonly known as a ‘denial of service’ attack, where hackers hijacked several of the bank’s servers and flooded their website with large amounts of traffic designed to cripple online services. Upon discovering that they could not gain access to online banking, many customers took to social media to vent their frustration, as Lloyds deployed a series of counter-measures designed to isolate the attacks and limit the damage caused.
Although large banks are typically targeted by denial of service attacks around once a month, the Lloyds incident was particularly severe – with this attack lasting far longer than the usual few hours.
“Denial of service attacks are happening 24/7 globally,” says Philip Halford, a senior adviser at financial services consultancy Bovill. “There are multiple perpetrators, often targeting the same trophy targets. They share the common objective to breach a control system sufficiently to allow or deny legitimate users access to it. The motivation can vary from criminal intent to mere bragging rights. The effect, however, can be crippling for organisations.”
Compared to the Tesco Bank fraud that took place in November last year, the Lloyds attack was relatively mild, with no customer data or money having been stolen. It is reported that the hackers behind the attack demanded a £75,000 bitcoin ransom, although it is unclear whether Lloyds bowed to this request.
Tesco Bank was not so lucky. Last year’s assault led to nearly £2.5m worth of payouts to 9000 customers who had money stolen by cyber criminals. This time, the data breach was facilitated by a weakness in one of Tesco’s mobile banking apps, which was exploited to access personal information connected to thousands of current and savings accounts. Thankfully Tesco Bank acted quickly to reimburse customers, but the incident still represents a significant and worrying reality of the risks posed by hackers.
What the attacks on Lloyds & Tesco Bank tell us about how online crime is evolving
Over the past twelve months, news of major cyberattacks has become increasingly commonplace – with 2016 seeing more sophisticated assaults than ever before.
Cyber crime is on the rise, with attackers developing increasingly sophisticated hacking techniques to break through organisations’ defences. It is one of the biggest risks to global banking, threatening to cripple lenders and defraud customers.
As the Financial Times rightly put it, “the stakes are high”. When we consider the reputation of the UK banking sector amongst its customers, trust is a critical factor, and information security plays a huge role in this. Not only must banks consider their reputation in this matter, but also the potentially significant fines and sanctions imposed by financial regulators where institutions are seen to have failed in their obligation to protect customer information and assets.
Under the UK Data Protection Act, banks can currently be hit with a penalty of up to £500,000, but an EU directive that comes into force in May 2018 will mean companies can be fined up to 4 per cent of their global revenues for serious data breaches.
As we move into an increasingly tech-dependent world, banks and other organisations alike have an ongoing responsibility to stay ahead of the threats posed by cybercriminals – and as we so often hear, this isn’t just down to software.
Education also plays a huge part in cyber resilience, and equipping staff with the right knowledge can mitigate risk on a truly massive scale. We know that as much as 90% of all cyberattacks are mounted as a direct result of the unwitting action of a member of staff – whether that’s clicking on a phishing email, or falling foul of social engineering. Never before has it been so important to place cyber resilience at the top of your business agenda.
Interested in better understanding the implications of increased cybercrime for your business? Join our free webinar in partnership with AXELOS GBP and featuring Vicki Gavin of the Economist Group, as we explore the most effective ways to safeguard against cyberattacks. Join the webinar and explore more here.
For the full original FT article, click here.
Unless you’ve been living under a rock for the past few weeks, it’s likely that you’ll have come across the ‘Learning Ecosphere’ in some capacity. Launched at last month’s Learning Technologies show, this brand new concept seeks to reimagine the relationship between traditional and new learning methods – and offers businesses the chance to better understand how they can embrace both in order to strengthen their overall learning strategies.
Here, Mark Jones – Commercial Director of Unicorn – gives a brief overview of the Learning Ecosphere concept:
Don’t forget, you can still get your free copy of the Learning Ecosphere Whitepaper here.