The hackers are winning, and it’s not because people lack cybersecurity awareness, John Sileo says. It’s because they lack cybersecurity reflexes.
Sileo, CEO of data security think tank The Sileo Group, says businesses that really want to change the behavior of their employees must focus on “security reflex training” — building the kind of instinctive response that already makes people trash emails from anyone claiming to be a Nigerian prince.
Speaking at the 2018 Cyber Symposium this week, Sileo told the crowd that cyber awareness is not enough, and technology alone won’t save the day.
Target had the technology to detect the point-of-sale incursion that compromised the information of 110 million customers, he said, “but a human being chose to ignore that alert, and they had a multi-million dollar breach because of the human element of cybersecurity.
“What we find over and over is that the people who get that 1-in-100 final phishing email that makes it through haven’t been trained to say, ‘BS, slow down, I’m not sure this is real, I should not click on that link, I should flag it,’” Sileo said. “That’s where we’re falling short, is on the human element of it.
“If you can get your people to have a ‘B.S.’ reflex [it also stands for ‘Be Skeptical,’ he says] which is what’s missing in 90 percent of the hacks we see, the entire calculus of security changes.”
Sileo shared the features the training must have to change behavior within your organization in a meaningful way.
Security Reflex Training Must:
- Build ownership & reflexes through personal relevance.
“Your people already have a lot of this knowledge — it’s not that you’re training from a fresh start,” Sileo said. “A good example is the scam IRS phone call that says you’re about to go to jail because you didn’t pay. Your people already know it, they’ve heard it, they’ve been trained on it, they say ‘Baloney’ and hang up. This is a great way to take something personal and attach it to what then happens in a professional setting on the inside of your office.”
- Be bite-sized, entertaining and recurring.
“It can’t happen once,” Sileo said. “You can’t set and forget. This has got to happen consistently for this to be a culture inside your organization.”
- Target specific threats, behaviors and positions.
“The person in HR is being targeted for the W2 scam, and the person in finance is being targeted for a whaling scam,” he said. “The training is different for those — and your technical people already know this, but it’s not getting communicated onward in many cases.”
- Fit cultural norms that emanate from the top down.
“It has to be our CEOs, our leaders, our mayors that are exhibiting these [security reflexes] because that’s what we end up following — just like our kids end up following what we do, not what we say.”
- Utilize teachable moments externally and internally.
“When the Colorado Department of Transportation has the SamSam ransomware virus … that is a training moment” to share with your own staff, Sileo said. “Don’t go thinking this is all easy and you could’ve solved it and it would’ve never happened. If that was the case, Atlanta would’ve never been brought down by SamSam for a month, because they would’ve learned from the CDOT case. It’s all about taking these teachable moments we have — whether it’s the election being hacked or your phone having a problem — that people connect to.”
- Incentivize good behavior and retrain bad behavior.
“I see so much penalization for people who … click on the phishing email test or the actual phishing email,” Sileo said.
But that’s not when you should punish — that’s when you should train.
“And then when there is no [successful] phishing over a quarter — that’s when you celebrate,” he said. “In a company like Facebook or Google, if they have a quarter without a major phishing breach, they give their people a bonus. They incentivize the positive. We tend to still punish the negative. That does not work, from what we’ve seen.”
Editor’s note: See more of Sileo’s cybersecurity advice — and his personal account of the two information security attacks that upended his life — in the Oct. 12 edition of the Business Journal.