In a hypothetical phishing campaign, up to 45% of users click on a malicious link they are sent, and the percentage rises to 60% for those who go on to provide their personal credentials when asked. These data, collected and analyzed by Cefriel across 20 companies and 40,000 users, show that the human factor still represents the weak link in the chain and that staff training is therefore essential.
The experience of an important Italian municipality
In order to make employees aware of security issues and to train them on how to act in the event of various types of attack, a Municipality in northern Italy, in collaboration with Cybertech, has created an online training initiative which will involve virtually all of its employees.
“The particularity of the project – states Alessandro Di Luzio, Project Manager of Cybertech – lies in the fact that the concepts related to computer security are explained through storytelling and simulation, with the use of pseudo-photo stories or sketches of actual situations, for example what should be done if you receive an email asking you to send your company credentials. The answer seems simple. But what if the mail appears to come from your boss?”
The cases dramatized are simple but not trivial, and they help to highlight how people can make mistakes or act impulsively, endangering the company or Public Administration to which they belong.
“The introduction of the GDPR in mid-2018 – comments Eugenio Nicotra, Marketing Manager of Cybertech – has spurred many Italian companies and public bodies to implement actions aimed at protecting their data and defending against cyber-attacks. These include training and educating the people who work with these data and who sometimes put security at risk by treating information in a careless and superficial manner”.
In addition to the narrative approach chosen, which has made the course accessible to everyone, the project adopted a very flexible online delivery mode.
“The first experimentation phase of the project – explains Eugenio Nicotra – had the objective of collecting feedback useful for modelling the training sessions on the needs and perception of users. After having identified the appropriate format, during the following weeks we began sessions in all the Directorates of the Municipality in order to involve all the employees over the coming months”.
Security training and information
The training activity implemented, which includes a final test to verify understanding of the basic rules of IT security, will contribute to improving the overall security level of the Authority. The project complements a series of other initiatives implemented in parallel. These include, for example, Identity and Access Management, for protecting access to municipal information systems, and Data Loss Prevention, which aims to monitor the sharing and release of sensitive documents such as calls for competitions or tenders still at the draft stage.
“Education and awareness – concludes Alessandro Di Luzio – are fundamental elements in the Cybersecurity area. Educating employees helps prevent damage related to inappropriate behavior when managing personal and business data and information”.