Now that the Christmas festivities are over and a new year has dawned the time has come once again for a period of renewal, typically marked by a flurry of new year resolutions; changes to diets, perhaps, or new health and fitness regimes; commitments to complete long-standing odd-jobs around the home, or perhaps a resolution even to move house? By the middle of January, of course, many of these resolutions will have been cast aside and will have to wait until January 2015 before they see the light of day again!
But often at this time of year, our thoughts turn to changing jobs. Some of us may well have changed jobs in the new year, but many of us realise, at the start of January, that it is time to dust down our CVs, contact recruitment consultants and headhunters, scour the jobs vacancy boards and put the word out in our networks that it is time for a change.
According to Action Fraud, these ‘ransomware’ emails, originating from organised crime groups, ‘have been sent to millions of people
So picture the scene now. An email drops into your inbox. It is from K Nadler, the recruitment consultant you spoke to at NADREC Recruitment Consultancy some days ago and the subject line reads: ‘Exciting opportunity you may be interested in’. The email is from someone with whom you have had prior contact and from whom you have been half-expecting to hear. When the email arrives, you are flattered, open it eagerly and become increasingly enthusiastic as you read it:
“I am writing to you regarding the CV you recently sent me.
I have a vacancy that is suitable for you. Wytelite Productions is opening a UK office and I am searching for appropriate candidates. I will soon be asking you to come in for interview at a mutually convenient time. If you are interested in pursuing this exciting opportunity further please complete the attached form and return it to me by email.
Not having previously heard of Wytelite Productions, you resolve, almost subconsciously to research this potential employer at a later time. Meanwhile, enticed by this exciting opportunity, you click on the attachment intent on immediately completing and returning the form as requested. What opens, however, is not the recruitment form you were expecting, but an intimidating ‘splashscreen’ showing a clock counting down to zero and carrying a warning. The warning tells you that your hard drive and all the files on it is being encrypted and that there is nothing you can do to stop the encryption process. Moreover, if you do not pay a substantial sum of money before the clock reaches zero, your computer will be completely encrypted and the only copy of the key to decrypt it will be destroyed.
As a training and competence specialist, in reality, you may not yourself have gone so far as to open this email and read it, (though research shows that even those of us with some knowledge are prone to fall victim to such scams)!
But not everyone is as vigilante. According to Action Fraud, these ‘ransomware’ emails, originating from organised crime groups, ‘have been sent to millions of people, but appear to be [targeted at]small and medium businesses in particular.
It is, of course, easy for corporates with sophisticated IT systems and controls in place to assume that such emails will be automatically blocked before they reach any individual’s inbox and that as long as employees are reminded of the ‘do’s’ and ‘don’ts’ associated with email and online security, risk has been minimised. But instructions to employees that they must not click on email attachments unless the source of the email can be verified, or that their devices must have security software installed that updates automatically, or that they must make regular backups, tend to fall on deaf ears. In part, this is because, for many, the desire for convenience frequently overrides any interest they may have in online security.
But we should also bear in mind that in the increasingly digital age in which we live, the suppliers and providers with whom we interact in our daily lives quite reasonably exploit and encourage us all to exploit digital technology. With over 10% of all retail sales now being made online, our collective inboxes are daily inundated with order confirmations from those with whom we have placed orders, despatch advices, links to enable us to track progress of an order or delivery, and legitimate promotional emails, (to those of us who failed to confirm we did not require any marketing materials). With many of these requiring us to respond digitally in some way, it is hardly surprising that we do so in our ongoing search for enhanced convenience. And when our banks and building societies, telecoms, energy and utilities providers encourage us to ‘go paperless’ then send us emails that invite us to download our statements, advise us of the latest tariffs, or promote their latest broadband or mobile offers, no matter how often we are told not to click on links or attachments, our trusted providers reinforce our desire for convenience and the behaviour that follows.
It is by no coincidence then that scammers and cyber-criminals increasingly prey on this desire for convenience. We become ever more used to an increasing number of spam emails, ostensibly from online retailers thanking us for our recent orders and inviting us to open file attachments (typically .zip files) to find details of our order confirmations; or emails seemingly from banks and building societies promising to pay out an additional dividend if only we will respond with our secure login details. But scammers also prey on our innate curiosity by sending us emails, for example, seemingly from HM Revenue and Customs advising us we are entitled to a tax refund of £900 if only we would click on the link provided; or emails stating that ‘a friend has send you a pic’, or a parcel delivery service has unsuccessfully attempted to deliver a parcel and we can find out more by clicking on an attachment. Far from raising our suspicions, criminals know these emails are more likely to arouse our curiosity.
With invitations such as these bombarding us every day in our private lives, it is hardly surprising that we repeat the responses we would typically make at home when we use technology at work. Whatever expense has been incurred in providing the most up to date IT security, human beings continue to be the ‘weakest link’ in the chain.
So what has this to do with training and competence? It was in the eighteenth century that Benjamin Franklin, scientist, diplomat, philosopher, inventor and one of the founding fathers of the United States said ‘Tell me and I forget; teach me and I may remember; involve me and I will learn.’ Employees tend to know what to do with lists of ‘do’s’ and ‘don’ts’, process and procedure guides, standing instructions and employee handbooks that tell them what to do and what not to do; they file them away somewhere where they are rarely or never to be seen again and custom and practice around the place more often governs what they do and how they behave. Teaching employees, whether face to face or exploiting e-learning technology typically has the same effect when the content comprises those very same ‘do’s’ and ‘don’ts’, process and procedure guides and standing instructions merely presented in a more inventive format. But if Franklin was right and people learn through being involved, how can we ‘involve’ our employees in security training?
The answer surely lies in exploiting technology in very simple and cost-efficient ways. Creating very simple video clips that show the consequences of clicking on an attachment in an unsolicited email (even one that has seemingly been sent by someone we know) creates both an emotional as well as an intellectual connection for employees. Creating e-learning that presents employees with a choice as to whether or not to open such an email and which then shows them the consequences of their choice not only creates the emotional and intellectual connection but also involves them and is so more memorable.
Or firms could adopt an even simpler, even more cost-efficient approach: what stops them sending an email to their employees business email addresses that appears to come from someone they know; an email designed to arouse their curiosity whilst appealing to their desire for convenience. Along with the email might be a file attachment and the body of the email might invite recipients to open that file attachment. If the employee deletes the email without opening it, they receive an automated response congratulating them for having removed a potential threat. If they open the attachment they are confronted with an alert.
As the new year unfolds, if we are to better defend ourselves against ransomware and other cyber-attacks, we need to find inventive ways of exploiting technology in our awareness raising programmes so that we can help employees make emotional as well as intellectual connections and to involve them so that their learning is integrated into everything they do.