I recently had a conversation with my mother about why we should hang up on a possible scam call. I'm not the first. It's natural to wonder why scams are so effective with older generations, when best practices for dealing with scams are well known. Everyone will tell you that you shouldn't have a conversation if you get an unsolicited, suspicious call. No need to be polite; just hang up, right?
However, this is counterintuitive to how mothers raise their children. So even though her son works in the cybersecurity field, she has had these conversations with him and advised him on best practices many times over the years.
Younger generations may not have the same hang-ups about hanging up the phone, but look across a few generations and you'll see some very strange things happening around cyber consciousness. Millennials, the first generation to start using technology through their education, albeit in a relatively limited way (think desktop computers and Nokia phones), are the savviest when it comes to looking after themselves online. There is a trend: they are usually good with passwords and understand where online risks come from.
But then along come the true digital natives. Research shows that Gen Z tends to be immersed in technology and is actually the least cyber-secure generation. This complete lack of fear in using technology seems to be reflected in the rough-and-tumble way it is used.
Meanwhile, now that Generation Alpha is starting to form its own habits online, the pendulum seems to have swung back the other way. In a world flooded with generative AI, alphas seem to be responding with an inherent distrust of everything they see online.
The problem is that people learn differently from generation to generation, and from person to person within them. Unlike OH&S or first aid, cyber awareness is not a rigid set of rules and regulations that must be strictly followed. It is a set of best practices influenced by culture and personality, so cybersecurity awareness needs to be more tailored than a textbook approach.
One of the interesting things about cybersecurity is that we all know the statistics about “human error”, which accounts for almost all data breaches. The Hollywood image of a hacker typing a million words a minute and using advanced coding skills to brute force their way into a network doesn't happen all that often. Rather, human error accounts for about 88% of cases, according to a Stanford University study.
So we know where the risks are, and we know that the best way to limit the risk of humans making mistakes is to inform them, but with such a large generational difference, why try a one-size-fits-all cyber awareness course?
What does customized cyber awareness look like?
Generational differences are only part of the equation. Another bias we all need to overcome is the idea that “human error” means “human fault.” When a breach occurs because someone downloaded the wrong attachment or entered a password into the wrong form, we simply assume that person was “stupid” enough to be fooled. This assumption is common.
It's like wondering why a mother would fall for a phone scam when she “knows” to just hang up.
Even the smartest people can make human errors. We recently found out about an executive whose email account had been compromised. The cybercriminal impersonated the executive and emailed someone he corresponded with in his department, saying, “I had to change my bank account details, so could you send money to that account instead of my regular account?” The amount was a significant six-figure sum. The executive only realised these payments were out of the ordinary after three billing cycles had passed, as they occurred between Christmas and New Year.
The moral of this story is that cyber awareness training should not assume human error is the result of some lack of knowledge or intelligence. Instead, it should look at the person's situation, including their generation and job role, understand that profile, and customise the training to it.
The training course should measure the risk profile of everyone in the organisation and map this to who in the organisation has access to the ‘crown jewels’ – for example, who has the ability to pay.
All these people need extra checks and balances on what they can do when making payments. It's not about getting in the way of their work; it's about setting up a system that properly takes into account the risks around payments. At the same time, customised training programs help them recognise where malicious requests may come from, specific to their role within the company.
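The payment control described above, worked through as an added example (not from the article or any named organisation): a release check that holds a payment when the beneficiary account differs from the one on file or has not been verified out of band, when a high-value payment lacks an independent second approver, and that escalates anything held in the Christmas-to-New-Year window. Field names, the threshold and the sample records are all assumptions.

```python
"""Payment release check: hold beneficiary-detail changes until verified.
Added example; all field names, thresholds and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Payee:
    name: str
    account: str                                   # account currently on file
    verified_accounts: set = field(default_factory=set)  # confirmed by call-back

@dataclass
class Payment:
    payee: str
    account: str
    amount: float
    requester: str
    approver: Optional[str]
    when: date

HIGH_VALUE = 50_000.0   # assumed threshold above which dual approval applies

def in_holiday_window(d: date) -> bool:
    """Christmas to New Year, when the payments in the article went unnoticed."""
    return (d.month == 12 and d.day >= 24) or (d.month == 1 and d.day <= 2)

def review_payment(p: Payment, on_file: dict) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    holds = []
    payee = on_file.get(p.payee)
    if payee is None:
        return ["unknown payee: onboard and verify before paying"]
    if p.account != payee.account:
        holds.append("beneficiary account differs from the account on file")
    if p.account not in payee.verified_accounts:
        holds.append("account not verified out of band (call a known number)")
    if p.amount >= HIGH_VALUE and (p.approver is None or p.approver == p.requester):
        holds.append("high-value payment needs a second, independent approver")
    if holds and in_holiday_window(p.when):
        holds.append("holiday period: escalate, the people who would notice are away")
    return holds

# Constructed sample: the account on file is verified, the emailed "new" one is not.
SAMPLE_ON_FILE = {"A. Vendor": Payee("A. Vendor", "ACC-111", {"ACC-111"})}
SAMPLE_SUSPECT = Payment("A. Vendor", "ACC-999", 120_000.0, "alice", None, date(2024, 12, 27))

if __name__ == "__main__":
    for reason in review_payment(SAMPLE_SUSPECT, SAMPLE_ON_FILE):
        print("HOLD:", reason)
```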
To overcome the challenge of “human error” leading to data breaches, you must first understand the different profiles of both employees and customers within your organisation. If they handle data, there is a risk that needs to be managed. Then you need to find a way to tailor the communication of that risk, and the training on how to avoid it, to that person. There is no one size fits all, and the more tailored your cyber awareness training program is, the more confident you can be that it's working.