change management

Cybersecurity: Developing a proactive culture

Cybersecurity: Developing a proactive culture Photo : MindForest

Cybersecurity: Developing a proactive culture Photo : MindForest

In 2018, every second company in Luxembourg was targeted by a phishing attack or malware infection, making cybercrime the 2nd most reported economic crime. In the next 24 months, 43% companies expect to be subjected to an attack(1). Faced with such threats, firms can neither afford to remain ignorant nor avoid taking precautions.

What is cybercrime?

In step with digitalisation, cybercrime is multiplying and it is almost inevitable that one day a company’s website will be hacked, emails blocked or information leaked.

Cyberthreats fall into three categories2:

- Attacks on confidentiality: Stealing a personal identity, bank account details or credit card information;

- Attacks on integrity: Consist of personal or business sabotage/leaks exposing data and influencing the public to lose trust in the organisation;

- Attacks on availability: Blocking users from accessing their data until they have paid a fee or ransom.

The consequences are an evolving danger to organisations, employees and customers, as an attack can result in activity interruption, loss of trust and customers and even lead to business closure.

Human Hacking: Social Engineering

“Social engineering” is a newer trend, which exploits the common weakness found in companies: human vulnerability and psychology to bypass security systems.

To give an idea of social engineering and how quickly a company can become a victim, here are five common forms3:

1. Phishing: To obtain personal information by using link shorteners redirecting to suspicious but apparently legitimate websites, incorporating threats, fears or urgency to provoke a reaction;

2. Pretexting: Creating a pretext or scenario to build a sense of trust to then steal the target’s data or gaining access;

3. Baiting: Similar to phishing yet distinguishes itself by promising an item that the hacker uses to entice the victim(s);

4. Quid Pro Quo: A benefit is promised in exchange for information, a piece of malware installed or passwords obtained;

5. Tailgating: A non-authorised person follows an employee into a restricted area, often impersonating a delivery driver or similar.

The main flaws in organisations

One problem is the lack of high IT security levels4, even if management has become more aware of cyberthreats and has installed protective technical solutions, but today, most cybercrime is due to human error.

An effective cybersecurity plan should not only rely on technology, but also on people making smart prevention choices.

Consequently, a continuous information campaign directed at all employees and externals informing them about the challenges linked to cybersecurity is at least as important as the technical IT defence system.

The implementation of an extensive sensitisation plan needs to be accompanied with change management techniques to make employees understand the importance of cybersecurity, as well as their specific roles in protecting every type of data.

The human side of cybersecurity

At MindForest, we believe that the only way to achieve success is by putting the human being first. This also applies when changing towards a cyber-safe environment.

Creating awareness is an ongoing process with attributed ownership, and every MindForest project is analysed and tailored to meet the client’s requirements.

A healthy mix of periodic and ongoing actions are imperative to anchor a sense of cybersafety and create winning habits.

The periodic actions aim to raise awareness of security issues, while the carefully engineered cybersafety community puts emphasis on developing ongoing actions for long-term training, understanding and prevention.

Each step of the process involves real time examples, commitment and ownership to ensure comprehension of the company’s cyberstrategy.

Education and awareness are priority

Even though cybercrime is the 2nd most reported economic crime, many companies do not perform cybersecurity due diligence nor have formulated training measures and awareness plans.

However, everyone is at risk and it is crucial to include both technical and human measures in the preventive and post attack plan, as “humans are the first vector of cyberattack and ideal prey for malicious individuals who want to compromise an organisation”5.

This factor is difficult to assess and the company’s culture and strategy needs to support a “cyber-safe” mentality. Only through preparation, training and greater awareness can habits be changed towards a culture of caution and alertness to identify and prevent misconduct by malicious hackers.

1 [18.09.2018]

2WIRED Magazine, “The CIA secret to cybersecurity that no one seems to get,” December 20,2015.

3 [08.09.2019]

4Kissel, Richard : [15.09.2019]

5 [18.09.2018]