Cybersecurity Awareness: the Other Essential Aspect of Information Systems Security

While we often talk about the solutions and innovations that raise the overall security level of information systems, the other major aspect, cybersecurity awareness, deserves to be addressed with the same importance, as it is essential in the fight against cyber attacks. Several studies show that human errors by well-intentioned employees are the main threat to the security of information systems.

Human Errors: Some Concrete Examples

Human errors, by definition natural and unavoidable, can be detrimental to the security of information systems. Raising cybersecurity awareness can reduce the risk of these errors occurring, especially when they are provoked by malicious third parties, who count on the negligence of users to achieve their goals. One example is phishing: emails that appear to come from trusted sources invite the user to open an infected attachment or to visit a web page that looks trustworthy, in order to obtain confidential information from the user.

Another example of cyberattack is “Fake President Fraud”, which is designed to trick an employee into making a mistake. This type of fraud targets accounting staff. After gathering information about the target company, the scammer poses as one of its managers and contacts a person in the accounting department, asking them to make an urgent and confidential transfer to a third-party account. The scammer insists particularly on the confidentiality of the transaction, so that the accountant does not refer it to other people who could discover the truth.

These human errors are also sometimes solely the responsibility of employees. Examples include the accidental deletion of data essential to the organization, or a user sharing their credentials with colleagues or even outsourcers, which gives certain people access to applications and resources for which they have no access rights, for example because of segregation of duties (a principle under which several people are required to accomplish a task, in order to prevent fraud or error: for example, the person validating a payment must be different from the person making the payment).
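The two controls discussed above, segregation of duties on payments and a challenge on the "urgent and confidential transfer to a new account" pattern of Fake President Fraud, can be enforced in the payment workflow itself rather than left entirely to employee vigilance. The following is an added example written for this page, not code from the original article: a minimal approval model in which the approver must differ from the initiator, and a transfer to a beneficiary account not yet on file must be confirmed out of band (for instance by calling the manager back on a known number) before it can be approved. All names, accounts and amounts are constructed, and the `PaymentWorkflow` and `Payment` types are hypothetical.

```python
"""Added example (not from the original article): payment approval with
segregation of duties and a new-beneficiary verification step."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Payment:
    """A transfer request as it moves through the approval workflow."""
    payment_id: str
    amount: float
    beneficiary_account: str
    initiated_by: str            # user who entered the payment
    urgent: bool = False         # "urgent and confidential" is the fraud's hallmark
    verified_out_of_band: bool = False  # confirmed via a channel the requester did not provide
    approved_by: Optional[str] = None


class PaymentControlError(Exception):
    """Raised when an approval would violate a control."""


class PaymentWorkflow:
    def __init__(self, known_beneficiaries: Set[str]):
        # Accounts already vetted by the organisation; anything else is "new".
        self.known_beneficiaries = set(known_beneficiaries)

    def violations(self, payment: Payment, approver: str) -> List[str]:
        """Return every control the proposed approval would break (empty = clean).

        Note that both checks compare user identities, so they are only as
        strong as the credentials behind them: a shared login defeats them,
        which is why the article treats credential sharing as a human error.
        """
        problems = []
        # Segregation of duties: the person validating a payment must be
        # different from the person making it.
        if approver == payment.initiated_by:
            problems.append("segregation of duties: initiator cannot approve own payment")
        # Fake President Fraud pattern: a transfer to an account nobody has
        # vetted, pushed through on urgency, must be confirmed out of band.
        if (payment.beneficiary_account not in self.known_beneficiaries
                and not payment.verified_out_of_band):
            problems.append("unknown beneficiary: out-of-band verification required")
        return problems

    def approve(self, payment: Payment, approver: str) -> Payment:
        """Approve the payment or raise with the list of violated controls."""
        problems = self.violations(payment, approver)
        if problems:
            raise PaymentControlError("; ".join(problems))
        payment.approved_by = approver
        return payment


def demo() -> dict:
    """Run three constructed scenarios and report the outcome of each."""
    wf = PaymentWorkflow(known_beneficiaries={"FR76-KNOWN-SUPPLIER"})
    results = {}

    # 1. Routine payment to a vetted supplier, approved by a second person.
    p1 = Payment("P-1", 1200.0, "FR76-KNOWN-SUPPLIER", initiated_by="alice")
    results["routine"] = wf.approve(p1, approver="bob").approved_by

    # 2. Alice tries to approve her own payment.
    p2 = Payment("P-2", 500.0, "FR76-KNOWN-SUPPLIER", initiated_by="alice")
    results["self_approval"] = wf.violations(p2, approver="alice")

    # 3. "Urgent, confidential" transfer to an account nobody has vetted.
    p3 = Payment("P-3", 48000.0, "LT00-NEW-ACCOUNT", initiated_by="carol", urgent=True)
    results["fake_president"] = wf.violations(p3, approver="bob")

    # 4. Same transfer after the accountant called the manager back.
    p3.verified_out_of_band = True
    results["after_callback"] = wf.approve(p3, approver="bob").approved_by
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The out-of-band flag is deliberately a separate field that only a verification step sets, so that the accountant under pressure cannot satisfy the control simply by trusting the email that created the pressure.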

Cybersecurity Awareness: Where to Start?

Cybersecurity awareness can take several forms, all of which complement each other to ensure a sufficiently high level of knowledge of cyber risks among all employees of an organization.

Several actions can thus be taken to promote this cybersecurity awareness:

  • Create an IT charter that regulates digital uses, listing the actions that are prohibited and the best practices to follow in terms of cybersecurity.
  • Organize training sessions to educate employees on good practices and give concrete examples of human errors, whether spontaneous or provoked by third parties, to illustrate the threats to the information system.
  • Launch simulated campaigns, for example phishing, targeting employees, because we also learn by making mistakes. Any person who opened the email containing the simulated phishing message and clicked on the link or the fake infected attachment is then informed of the risk they could have exposed their company to in the case of real phishing. A training session or a reminder of the good practices in the IT charter can then complete this alert.

These training sessions and campaigns must be conducted on a regular basis, so that new employees are made aware quickly. The IT charter must also evolve at the same pace as the threats. These awareness-raising actions thus allow users to become real actors in the security of their work environment, which raises the overall security level of information systems.