
Student Blog

How to create a positive cyber security culture


One of our MSc Cyber Security students, Mirjana Bijelic, shares some insights into why many organisations struggle to defend themselves against phishing and other cyberattacks, and what can be done to improve cyber security culture in the corporate world.

In today's digital age, cyber security is a critical concern for businesses of all sizes. As a full-time employee in the cyber security field and an MSc Cyber Security student at the University, I can attest that cyber security is not always given the focus it deserves. Despite years of tirelessly repeating the importance of not clicking on every link and ensuring the legitimacy of websites before logging in, social engineering attacks like phishing remain the most successful cyberattacks. But why is this the case? Where do cyber security teams make mistakes?

Mirjana Bijelic

The simple answer is – we usually don’t. Studies show that cyber security awareness training and campaigns have a positive impact on overall security hygiene. However, people are easily distracted and manipulated. From my own experience, successful phishing attacks most often occur when people are in a hurry. Many individuals have back-to-back meetings, leaving only 5-10 minutes to go through dozens of emails, or they read emails during lunch breaks. Cyber security teams cannot change this behaviour (to be honest, successful phishing can happen to cyber security experts as well).

In cyber security, everything is about a fast response. The attack must be stopped as soon as possible, and when it comes to social engineering attacks like phishing, everything hinges on quick communication between users and the cyber security team.

Consider a scenario where you click on a malicious link, enter your credentials on a fake website, and soon after realise that it might be malicious. What would you do? This is where a positive cyber security culture comes into play. You could pretend that nothing happened and continue with your daily tasks, hoping that no one would notice, or you could contact any of the IT/cyber security staff in your company and explain what happened. The timing matters: a report made within minutes lets the security team reset the password and revoke active sessions before the attacker gets to use the stolen credentials, while silence hands the attacker that time. If you choose to stay silent and not report suspicious activity, it is usually out of fear. Maybe there are consequences for your actions, such as a pay cut or even the risk of getting fired. Perhaps you fear being flagged as an insider threat, which may have financial or legal implications. In any case, this indicates a negative cyber security culture within the company.

A positive security culture does not mean that there will be no consequences for your actions, but rather that employees should not be afraid to ask questions, to answer the cyber security team's questions honestly, or to report any type of security concern. Creating a positive cyber security culture requires commitment and cooperation from everyone in the organisation, from senior management to entry-level employees: everyone needs to understand the importance of cyber security and be included in every step of maintaining that culture.

What should you expect from senior management? Transparent, clear, and comprehensive documentation on cyber security matters, as well as open communication. This means you can (and should) ask about any security concerns you have, even if you think it is a 'stupid' question (there is no such thing as a stupid question). Open communication is a two-way street: if management is open to improvement and discussion, you are expected to be open about your actions, concerns, and suggestions too, and vice versa. By fostering an environment where employees feel comfortable reporting issues and suggesting improvements, companies can better protect themselves from cyber threats and create a more secure and efficient workplace.

If you find something unnecessarily complex, such as a multi-step login process to access company infrastructure that takes a lot of time and needs to be performed multiple times a day, feel free to discuss it with your manager as well as the security or IT manager. Remember, security should be designed for people, not the other way around.

But what if you are not aware that you have interacted with something malicious, and someone from the security team approaches you about it? Don't panic: provide any information that is requested by the security team and feel free to over-deliver, i.e. give us as much information as possible. Be honest about your actions and ask for guidance on how to prevent such incidents in the future. Remember, the goal is to stay secure without many consequences for employees as well as for the company.

Finally, remember that those of us in cyber security teams appreciate your questions. Your inquiries or suggestions can save us time in the future and help maintain a transparent and positive security culture. At the end of the day, addressing your questions and concerns is part of our job.

Learn more about Mirjana's experience studying with the University, and about our MSc Cyber Security course.

This page was last updated on 23 July 2024