Anyone who says there is no difference between boys and girls has never coached youth basketball.
I coach at our local YMCA — 3rd/4th graders with my son; 1st/2nd graders with my daughter. And let me tell you, I’m not even sure these two populations are of the same species.
Here’s a prime example…
When I need the kids to stop bouncing the balls so I can speak, I say, “Hold the balls.”
With the boys, I have to yell it two or three times, usually grabbing the last couple of balls just to get full compliance.
With the girls, I say it once and… magic!… complete and immediate silence.
But the differences don’t end there. I give all the kids the same homework assignment every week: “Watch a part of an NBA game and take 100 practice shots.”
When I first gave the boys the assignment, they didn’t say anything. Some did it, some didn’t.
The girls, on the other hand, responded with all sorts of questions and comments. “100 shots, that’s a lot!… What happens if I don’t do it?… Watch part of a basketball game, aargh.”
Over the weeks, it’s become clear to me that I can’t coach these two teams in the same way. They have different expectations, different attention spans, and different levels of interest in and experience with the game itself.
As it turns out, youth basketball is not the only place where this concept applies. When it comes to training your employees in the essentials of cybersecurity, here, too, we need to consider the differences among various populations within your organization.
In short, if you try to apply one approach to everyone — e.g., doing the same thing for your engineering staff as for your admin employees — you’ll confuse some, bore others and (most important) leave gaps within the cybersecurity program you are trying to implement.
Two Everyday Attacks
I’ll say more about the training I recommend in a minute, but first, it’s worth understanding where the danger lies. There is one primary point of entry for an attacker and a related attack.
- Phishing. This is when someone sends an email with a nefarious attachment or link. The unsuspecting user clicks and some type of code is executed on the host computer. There are many variations, but once that happens, the bad guys are inside your organization. Phishing is, by far, the number one way that attacks occur.
- Spoofing. This is when an attacker pretends to be someone they are not. In this case, the goal is to get the recipient to take some action — an action which almost always involves sending money. This might be a phony invoice sent to an Accounts Payable specialist. Or, it could be someone posing as your company CEO, asking an admin to buy a few hundred dollars’ worth of gift cards and send him or her the codes.
What makes both attacks particularly challenging is that they prey on the habitual responses and good nature of unsuspecting people; you can’t stop them with technology alone.
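Technology alone won’t stop the CEO-impersonation scenario above, but it can surface it. The following is an added example, not code from the original post: a small mail-triage check that flags a message whose display name matches an executive while the actual sending address (or Reply-To) does not belong to the company. The company domain, the executive roster and the two sample messages are all constructed for the illustration.

```python
"""Flag inbound mail whose display name impersonates an executive.

Added illustration of the "spoofing" pattern described in the post: a
message that looks like it comes from the CEO but is sent from an outside
mailbox. All names, domains and messages here are constructed examples.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Constructed executive roster: display name -> the only address they send from.
EXECUTIVES = {"Pat Rivera": "pat.rivera@example.com"}


def _norm(name: str) -> str:
    """Normalise a display name so 'Rivera, Pat' and 'pat  rivera' compare equal."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


def assess(raw: str) -> dict:
    """Return a verdict for one raw RFC 822 message (headers + body)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # Does the display name claim to be one of our executives?
    exec_addr = next(
        (a for n, a in EXECUTIVES.items() if _norm(n) == _norm(display)), None
    )
    if exec_addr and addr.lower() != exec_addr:
        reasons.append("display name matches an executive but address does not")
    if exec_addr and domain != COMPANY_DOMAIN:
        reasons.append(f"sender domain {domain!r} is outside {COMPANY_DOMAIN!r}")
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")

    return {
        "display": display,
        "from": addr,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: a genuine internal message and an impersonation attempt.
GENUINE = (
    "From: Pat Rivera <pat.rivera@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Q3 budget\n\n"
    "See attached.\n"
)
IMPERSONATION = (
    'From: "Rivera, Pat" <ceo.office.1234@webmail-example.net>\n'
    "Reply-To: ceo.office.1234@webmail-example.net\n"
    "To: admin@example.com\n"
    "Subject: quick favour\n\n"
    "Are you at your desk? I need a quick favour.\n"
)

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("impersonation", IMPERSONATION)):
        print(label, assess(raw))
```

The check is deliberately header-only, so it runs before anyone reads the body; in practice it would feed a banner ("external sender using an executive's name") or a quarantine rule rather than a hard block, which is exactly the gap the post says training has to cover.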
Three Steps to Effective Cybersecurity Education
#1. Train. Despite the existential threat to a business that these types of attacks represent, there are still many small and even mid-size companies that have zero cybersecurity training in place for their employees. (Excuse me while I open the window and scream.)
It is simple and economical to put in place and there are several companies that offer this kind of thing. (Click here for a list of options that we have put together.)
Employees log in, watch training videos and answer questions. Results are tracked and logged in real-time, giving you a window into both individual and company-wide progress. There are both one-time and ongoing (recommended) training options available.
#2. Differentiate. It’s important to identify the most vulnerable members of your organization.
This may be a function of their role (e.g., the accounting department or those with high-level network privileges are common targets); their level of tech sophistication (e.g., admin staff tends to be less up to speed than your engineers); or even demonstrated behavior (some of the online training tools can simulate attacks to see who tends to click on things).
#3. Design. Based on #2 above, you’ll want to implement different levels of training as appropriate. It doesn’t matter if your organization is filled with smart engineers and IT staff; the weakest links are where you’re most vulnerable.
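Steps #2 and #3 together amount to a triage rule: score each employee on role, privilege and demonstrated behaviour, then map the score to a training track. As an added example (not from the original post), here is one way to automate that over the output of a simulated-phishing tool. The roster, the campaign log, the scoring weights and the track names (monthly, quarterly, annual) are all constructed assumptions for the illustration; a real program would tune them to its own risk appetite.

```python
"""Assign awareness-training tracks from role, privilege and simulated-phish results.

Added illustration of the "differentiate" and "design" steps in the post.
Roster, campaign log, weights and track names are constructed for the
example, not data or policy from the original article.
"""
from collections import defaultdict

# Constructed roster: role and whether the account holds elevated network privileges.
ROSTER = {
    "alice": {"role": "accounting", "privileged": False},
    "bob": {"role": "engineering", "privileged": True},
    "carol": {"role": "admin", "privileged": False},
    "dave": {"role": "engineering", "privileged": False},
    "erin": {"role": "engineering", "privileged": False},  # never received a campaign
}

# Constructed simulated-phishing log: (campaign, user, outcome),
# where outcome is "reported", "ignored" or "clicked".
CAMPAIGN_LOG = [
    ("2024-01", "alice", "clicked"), ("2024-01", "bob", "reported"),
    ("2024-01", "carol", "clicked"), ("2024-01", "dave", "ignored"),
    ("2024-02", "alice", "reported"), ("2024-02", "bob", "ignored"),
    ("2024-02", "carol", "clicked"), ("2024-02", "dave", "ignored"),
    ("2024-03", "alice", "ignored"), ("2024-03", "bob", "clicked"),
    ("2024-03", "carol", "reported"), ("2024-03", "dave", "reported"),
]

# Roles the post calls out as common targets (assumed list).
TARGETED_ROLES = {"accounting", "admin"}


def click_stats(log):
    """Per-user click rate and report rate across every campaign they received."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _, user, outcome in log:
        totals[user]["sent"] += 1
        if outcome in ("clicked", "reported"):
            totals[user][outcome] += 1
    return {
        user: {
            "click_rate": t["clicked"] / t["sent"],
            "report_rate": t["reported"] / t["sent"],
        }
        for user, t in totals.items()
    }


def risk_score(profile, stats):
    """Additive score: targeted role (+1), privileged account (+1),
    demonstrated clicking (+1 for any click, +2 for clicking half or more)."""
    score = 0
    if profile["role"] in TARGETED_ROLES:
        score += 1
    if profile["privileged"]:
        score += 1
    if stats["click_rate"] >= 0.5:
        score += 2
    elif stats["click_rate"] > 0:
        score += 1
    return score


def assign_tracks(roster, log):
    """Map every employee to a training cadence; users with no campaign data
    are scored on role and privilege alone."""
    stats = click_stats(log)
    tracks = {}
    for user, profile in roster.items():
        s = stats.get(user, {"click_rate": 0.0, "report_rate": 0.0})
        score = risk_score(profile, s)
        if score >= 3:
            track = "monthly"
        elif score >= 1:
            track = "quarterly"
        else:
            track = "annual"
        tracks[user] = {"score": score, "track": track, **s}
    return tracks


if __name__ == "__main__":
    for user, result in assign_tracks(ROSTER, CAMPAIGN_LOG).items():
        print(f"{user:6} score={result['score']} track={result['track']:9} "
              f"click={result['click_rate']:.2f} report={result['report_rate']:.2f}")
```

Note that `erin`, who has no campaign history, still gets a track from role and privilege alone; leaving unmeasured staff out of the program entirely is the kind of gap the "one approach for everyone" warning is about, in reverse.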
One Size Does Not Fit All
When it comes to implementing an effective cybersecurity training program within your organization, the key question is simply this: How can we tailor our approach so that those who need it most get it and those who don’t are not unnecessarily tormented?
And make sure to keep at it, too. As any good youth basketball coach will tell you, practice makes automatic.
Next Steps
To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/