Is cybersecurity awareness a waste of time?

Information security is a vast subject. We spend a lot of time talking about patch management, vulnerabilities, policies and best practices yet we seldom talk about another important aspect of security - the people using your network.

Many still question the merits of staff cybersecurity awareness. If an organisation were to invest time and money to increase its employees’ security awareness, would it get any tangible benefits or would this just be a waste of time?

Before answering this question, we need to see what tangible benefits we can get from cybersecurity education, and we need to consider the risks we're trying to mitigate.

High-level security talks deal mostly with risks associated with our systems and with keeping our information confidential and secure.

This may seem like a short list, but as any security professional knows, the number of attacks that threaten each of these core items is huge. Luckily, an IT administrator doesn't have to fight this battle alone.

There are plenty of solutions to help an IT administrator, but even with so many solutions, administrators are still faced with unavoidable risks. Even if you were to install every security solution ever developed, you would not be mitigating every possible attack.

A hypothetical scenario?

Take this scenario. You have a secure system running all the best and latest tools, which makes it hard for any hacker to break in. The attacker wants to gain access to a particular system and to do so he needs to use the CEO’s account.

In our scenario, the CEO is using Google’s mail services for his email - not that far-fetched.

The attacker will need to gain access to the CEO's Google mail without raising any suspicions. Access can be gained by tricking the CEO's phone company into redirecting calls to a number of the attacker's choice. The attacker will then initiate the Gmail password recovery using the phone call option.

With the email credentials in hand, the attacker can now log in to the CEO’s account.

The next step would be to send an email from the CEO's account to the support team asking for remote access to a server and a credential reset because something critical happened. Few would refuse or question a request from their CEO in a moment of crisis.

This may sound pretty far-fetched, and it’s true that for this scenario to work a lot of stars need to align perfectly - tricking the phone company, having knowledge of specific details, finding gullible IT admins and so on.

In fact, this scenario has not played out in a single event. My emphasis here is on 'single event'. Why? Because something similar happened, not once but in two events, affecting two very prominent people.

Matthew Prince, CEO at Cloudflare, had his Gmail hijacked as I explained above, and it also happened to IT company HBGary when their system was compromised by someone using their CEO's compromised Google email account to trick support into providing remote administrative access.

When you think about it, access was gained without using hacks, compromising software, exploiting a vulnerability or running any software at all.

All it took was human interaction and social engineering. No software solution can ever protect your systems against that. These attacks happen and need to be dealt with.

What can an organisation do?

Staff awareness? It is not enough to protect your employees using technology; you need to give them the knowledge to identify and properly handle security risks.

Software measures sometimes give us a false sense of security. Unfortunately, some attacks are designed to target the human element in an organisation, and no security solution is 100 percent effective.

How many times do employees come across a website link that doesn't look quite right and click it anyway, probably out of curiosity and believing that the antivirus or web protection software installed will do the job?

Most of the time they will be protected, but why should a risk be taken if there is no direct benefit? An employee's actions should be regarded as another security layer, not as an extra risk layer. This is why cybersecurity awareness is paramount.

So when I’m asked if staff cybersecurity awareness is a waste of time, my answer is always the same - not at all.

From where I stand, it looks like a sound investment that will benefit your organisation’s security just as much as your best solutions.

By Emmanuel Carabott - Security Research Manager, GFI Software
