Don't Get Hit By Phishing. PHOTO: Cybercrime Magazine.

Dishing On Phishing: Look Both Ways Before You Cross The Street

Treat employees like little kids when it comes to security awareness training

Steven T. Kroll

Northport, N.Y. – Jul. 10, 2019

Traffic and cybersecurity have more in common than you might think. The physical rules of the road and the cyber rules of the web govern our actions so much that we follow them almost unconsciously.

That connection came to my mind when I spoke with Roger Grimes, data-driven defense evangelist at KnowBe4, and Marc Vazquez, assistant vice president and security awareness program manager at UMB Bank, two months ago. Both attended KB4-CON, the world’s largest security awareness user conference, organized by KnowBe4.

Nobody knows how to cross the street when they begin walking around the neighborhood. Parents must teach their children to look both ways and then use constant reminders to reinforce the habit until it becomes second nature.

We’re not born to cruise 75 mph down the interstate. Driver’s education programs deliver the skills to navigate the highway safely. Then through daily practice, people become better equipped to handle any dangers they may face on the road.

It’s clear that training and effective practice lead to long-term learning and lifetime safety for the average person. The nature of the game is to stay alert, stay safe, and stay savvy when it comes to traffic — and cybersecurity.

And yet, many people hop online, use email and post on social media without a second thought regarding safety. Our lives are inundated with the web in much the same way as traveling from one place to another. We are trained to operate safely in one space but rarely in the other.

Properly informed users make good decisions that prevent cyber intruders from causing all manner of harm. Tools and technology go only so far for cybersecurity because these are run by humans who often fall victim to phishing scams and social engineering.

“Probably 90 percent of all security incidents are due to social engineering and phishing,” says Grimes. “There’s no doubt in my mind that doing security awareness training is one of the single best things you can do to significantly decrease your cybersecurity risk.”

“You can have the best technological defenses in place, and all it takes is an employee clicking on a malicious link or attachment, or not confirming wire instructions for a money transfer for the bad guys to win,” adds Vazquez.

Each of these cyber experts agrees that humans are a cyber safety hazard, but they can also add a significant layer of defense to an organization’s security posture, especially when hackers break through the technology. In much the same way, cars and traffic lights are designed to protect people; however, operator error causes accidents.

Grimes says that awareness training is like teaching a little kid to look both ways before crossing a street or buckling a seatbelt. It requires nonstop effort. “You want to reinforce it enough until it becomes such a natural behavior that they aren’t even thinking about it.”

Of course, even with constant reinforcement, mistakes are made. Sometimes people get speeding tickets. When this happens, they usually stay aware of the problem for a while, according to Vazquez. However, laxity kicks back in and they forget about the dangers of not following the rules.

Running continuous phishing simulations takes care of this problem. It prevents cyber speeding tickets. “Ongoing training helps employees stay mindful to watch for potential security pitfalls on an ongoing basis,” says Vazquez.

Just like looking in both directions before crossing a street or buckling your seatbelt in a car, common sense cybersecurity should be a natural process of daily computing habits. People should immediately know what to do before opening an unsolicited hyperlink or reading a suspicious email. If not, cyber accidents will certainly be costly and dangerous.

There are more than a few consequences when it comes to traffic violations — tickets, accidents, and death. Paying attention and closely following the rules help prevent these terrible situations.

Companies that have been breached through phishing emails or social engineering suffer astounding consequences. It’s estimated that cybercrime damages will reach $6 trillion by 2021. Those who implement effective security awareness training are ahead of the bad guys, and just may avert a costly crime.

After that trip through security awareness training do you feel safer? We’re at home, parked in our driveway now. Next time your employees go out, remind them to buckle up! Or, in cyber terms, think before you click a link and catch a phish!

Stay tuned for our next monthly edition of “Dishing On Phishing,” which draws on our contacts and interviews from KB4-CON 2019. Until next time, safe travels.


Steven T. Kroll is a public relations specialist and staff writer at Cybercrime Magazine.

Sponsored by KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.