It’s an all too familiar setting, one that most of us would rather forget ever happened. We see an e-mail come through, it looks innocent enough, we click on it, or even go a step further and enter sensitive details, and… whoops.
Not only is it just plain embarrassing that we fell for it – the inner-monologue then begins about how we thought we were so intelligent that we’d recognise all the signs – but it can be seriously distressing for some because they immediately realise that they might have put themselves or their organisation at risk of ‘exposure’.
That was the topic presented by Kristin Lyons, Australia Post’s chief information security officer, who spoke to an audience at CeBIT Australia 2017 in Sydney about the potential dangers employees face when confronting malicious e-mails or links and how to deal with that situation.
The major point that Ms Lyons hit hard was the importance of training for employees to not only prevent such situations from occurring in the first place, but if they do happen, employees should be confident to speak up and warn others and inform the senior management that a breach has occurred.
“Why do people keep falling for it?” Ms Lyons asked. “It’s not because people are silly, it’s because the scams are very good at what they do.”
She wanted to reassure everyone that if they become a victim of a cyber-scam, they are not alone, and that it may simply be core human vulnerabilities that set them up for such a failure.
“The second that it happened, they know they did the wrong thing,” Ms Lyons said.
“And actually more than that, they probably got that feeling before they did that.”
She suggested that these emails rely on our emotional vulnerabilities and “might work on our sense of urgency”.
Describing a run-of-the-mill scam e-mail, she said they might ask for your Microsoft details, “or else you won’t be able to work for a day”.
“It might say you’ll get fired if you don’t transfer this money to your office account,” she said.
When one of these scamming events takes place, she suggested that they work on our emotional intelligence because “in that moment, the sense of urgency sends all that adrenaline to your brain and before you know it, you’ve clicked on that link and given your details, because all you want to do at that stage is get out of trouble”.
According to Ms Lyons, it’s not the response we would normally have, “it’s not what you would normally do”.
So now the big question is how Australia Post puts a stop to it, or at least mitigates it so that it has minimal impact on the organisation.
Ms Lyons said Australia Post spends a lot of time on awareness and training, such as face-to-face training and online training.
They also make it more practical by setting up ‘online phishing simulations’, which are designed to encourage employees to report the e-mails, as they might have identified something that someone else didn’t.
“We’ve evolved this training somewhat, so we did run a couple of pilots where we actually ran ransomware simulations on a limited number of our people.”