
Awareness: the first step to tackling the ‘people’ problem in security

by AprilSix Proof

Proof was in Leeds last week for CompTIA’s UK Channel Community Meeting. These meetings bring together leaders from the UK IT sector to discuss and learn more about industry challenges, and collaborate to tackle them. This event focused exclusively on cyber security – the risks it poses, and the opportunities it creates.

It will be a surprise to no one that the security landscape is becoming increasingly challenging. As every field of life and every sector of business becomes reliant on technology, they also become more susceptible to technological attacks. David Emm from Kaspersky Lab shed light on this at the event with some startling data showing that whilst in 2006 there was one new virus every minute, there are now 310,000 new samples every day. That’s over 200 times more than 10 years ago!

No longer the remit of the IT department alone, security is now everyone’s responsibility. The biggest risk factor remains employees – after all, people are a lot easier to target than organisations. In 2015 alone, Kaspersky foiled 2 million attacks on individuals.

Social engineer Jenny Radcliffe explained at the event how every person is prone to fear, greed and curiosity – all factors that criminals can use to manipulate someone. What’s more, in this day and age, it is easier than ever to gather reams of information on a person (such as date of birth, home address and logins) from a quick internet search.

This data might seem innocuous, but it can be used to draw conclusions that allow criminals to successfully hack into email accounts, social accounts and even bank accounts. It can also provide data that helps criminals target people’s employers: hidden within our posts and profiles is information on our work routines, work addresses and hours – even the layouts of our workplaces. All of this can be used to inform criminals on the most efficient way to target an organisation.

Businesses can spend thousands on advanced security systems but forget that human behaviour is key. One wrong click on an email attachment can spell disaster. One such example is the Carbanak cyber heist of a bank. The cybergang began with a spearphishing email which, when an employee opened it, gave the attackers initial access. They then used webcams, keyboard monitoring and email monitoring to identify the pertinent employees within the bank, and mimicked their behaviour to steal $1 billion whilst avoiding immediate detection.

It’s not all doom and gloom, however. Things can be done to mitigate the human risk and better communication is key. We need to communicate the risks of not implementing security measures to business owners, and the impact that could have on business operations and their reputation. Only then will it be a priority, and only then will we see greater resilience to attacks across the board.

Perhaps more importantly, we also need to educate employees on how they can help avoid security breaches across the board, whether that’s the managing director or the cleaner. Everyone who has access to technology is a potential way in for criminals.

Creating basic awareness is long overdue, and a necessity for fighting increasingly informed and advanced attacks. If that bank employee had known not to click on that spearphishing email, $1 billion may never have been stolen. Media can play an enormous part in raising awareness. It’s been great to see that consumer-facing media are beginning to bring the issue into the public consciousness, and that companies are investing in communications to get the message out there. We will undoubtedly see an improvement in cyber behaviour as a result.

If you have any questions about my blog, get in touch at