“I get emails from my boss asking me to pay invoices all the time. I never gave them a second thought until today”
Last week we held a workshop at Layer 8 offices. This quote was from one attendee astounded by methods used by cyber-criminals and pledging to improve their security behaviours.
I’ll talk you through how, in under 2 hours, we took people from being cyber-security novices to changing their behaviour.
The magic ingredients
Getting attention – we started by sharing a real story of a local business who’d received a fake invoice for £32k. The lady who’d made the payment felt so guilty she’d repaid the business out of her life savings so they could meet payroll. It didn’t end well!
We tell this story because the media publishes sensational stories and big statistics, but we don’t hear about the individual lives it affects. These types of story undoubtedly have more impact when talking to a group of non-security people.
Revealing the tricks of the trade – then we get into the head of a cyber-criminal revealing how they catch us out, through pushing our emotional triggers until we’re reduced to the decision-making capacity of a 7-year-old child!!!
Playing the blackhat – once the cyber-criminal’s tricks are revealed, participants work through a facilitated exercise where they become the hacker. I’ve never seen the penny drop so quickly. It’s at this point where people suddenly realise how vulnerable their processes or current behaviours are.
Becoming the defender – that realisation sets them up for the final part of the session, developing new skills to overcome those vulnerabilities in behaviours and processes. The person in the first quote who’d previously never thought about the payment request emails they get from their boss, is now going to verify through Microsoft Teams to double check before making ANY payment.
Another participant is going to start using a reputable password manager and change passwords, rather than using one for everything.
And there we have it: a shift that’s been made within a 2-hour session.
How can you achieve change in 2 hours?
The session’s success relies upon two things:
1) People making a connection to the topic that’s relevant to them.
2) People developing their own strategies that work for their situation, so they can be both secure and productive in equal measure.
It could be argued that presenting a list of Do’s and Don’ts can be achieved in 20 minutes. Whilst, yes, the content could be delivered, I’d ask you to consider whether it would change people’s behaviour.
About our Layer 8 Live Workshops
The workshop we ran was free of charge to local businesses in aid of Cyber Security Awareness Month and is a replica of one we run successfully at many clients. There are options for us to run these sessions exclusively for clients on premises or off premises.
What our customers say about our workshops: https://layer8ltd.co.uk/workshops/