Herd Immunity.

Did you ever get told off for talking in class? I did. Often. 

And yet my ability to communicate now, as an adult, is one of my biggest strengths. Making friends, talking about things, bringing people together. It’s how I’ve built my career. Because you see, talking to other people is what makes us stronger, more successful. Man is not an island.

Talking is how we learn, how we improve, how we survive. If we never communicated with each other, we’d all still have an average life expectancy of 27 and be dropping dead from eating poisoned berries.

So why then, when we do phishing simulations, do we actively discourage our people from talking to each other? I’ve seen IT teams be actively pissed off when someone blows their cover and tells team mates not to click a link. Genuinely heard complaints that phishing simulations were a waste of time and they’ll have to run it again to get some proper results. And now I’m running a training business, I’m thinking ‘what the actual fuck were these guys on about?!’

would you rather be resilient or right?

We should remember that phishing simulations are a test of your company’s resilience to social engineering threats, not a test of your IT / cyber team’s capabilities in social engineering.

The IT and cyber team are supposed to be on the same side. The end users we’re testing with phishing simulations are on our team. They’re not the enemy. They’re not some idiots who need to be taught a lesson. They’re your golden tickets to keeping a job. If the business can’t function cause they’ve been brought down by ransomware, then we’re all not going to be working for much longer. Protect them. Stop trying to fight them.

would you?!

Complaining when people talk about a phishing simulation within the business is the same as complaining when people talk about a real phishing email that’s come in.

If you’re testing your team’s ability to identify malicious activity and then complaining when they’ve identified malicious activity, then I suggest you give your head a wobble. You should be actively encouraging people to have these discussions with each other, as that’s building the right kinds of behaviour and attitude within your team. You wouldn’t complain if someone stopped a real phishing email because the threat actor ‘lost’ the game, would you? WOULD YOU?

herd immunity.

Allowing our people to talk to each other, work together, and discuss threats is a great way to encourage learning within a team without the need for “mandated” security awareness training. If we take the analogy of herd immunity, within any community we will have some people with greater defences than others. Some of that defence system will have come from vaccinations, or training, and some will come naturally, i.e. some people are just better than others at spotting things.

Occasionally, we might have times when individual immunity is down. If someone is having a bad day, they’re tired, they’ve been given some bad news, etc. These people need protecting, and so we should encourage our people to protect one another and work together collaboratively to defend against threats posed to the business. 

bad actors rely on bad communication.

Communication is critical across a business if we’re to defend ourselves from cyber threats. Us lot working in siloes is what bad actors rely on. They prey on our inability to spot their scams. They prey on our propensity for clicking on things that look like a good deal. Or our crappy processes when it comes to reporting and sharing information about threats. 

It’s why when we run cyber escape rooms, we actively encourage people to talk to each other. To work in teams. To share information with each other so that everyone in the team wins the game. Because if one person loses, we’re all potentially at risk. 

Millennials and Gen-Z people are the most likely to fall for a phishing scam. And with 83% of businesses that suffered an attack in 2022 stating phishing was the entry point for attackers, shouldn’t we be looking at ways to engage these people? To encourage better behaviours? To ensure they are working together, not separately, to identify threats?

____

Interested in a cyber escape room? Of course you are! The MoD, Chelmsford City Council, and CAE Technologies can’t all be wrong about us, can they?! Click here to check out what’s on offer. Or drop an email to amy@cyberescaperoom.co to book a chat with our CEO. 

Amy

Amy is the CEO and main driver behind esc. With over a decade of experience in the IT sector, Amy's built a reputation as a force of nature, disrupting the industry with her no nonsense approach.