We’ve got good news and bad news when it comes to fighting off costly cyberattacks.
The good news: You don’t have to sink a ton of money into technology to fend off the next scam.
The bad news: That’s because the vast majority of incidents come from human mistakes!
In fact, a full 77% of cyberattacks are caused by human failures, compared to just 23% stemming from inadequate security technology.
That’s the finding of a recent BCG analysis of 50 major data breaches.
Numbers like that may leave you wishing you could simply buy some software to keep the threats at bay.
To help keep your company from paying the price of a cyberattack, you also want to look at the psychology behind why people click those links they shouldn’t or initiate that wire transfer just because an email asked them to.
Exploiting 3 cognitive biases
Perry Carpenter of KnowBe4 described to SC Media five cognitive biases that lead to phishing attacks, three of which are particularly applicable in a business setting.
Attackers play upon each of the following biases to get people to do things they may even know are unwise:
- The Halo Effect. This is when people tend to have a positive association around a given person or business, and the crooks exploit that. Emails impersonating your bank, for example, are more likely to have folks clicking on links they shouldn’t.
- The Recency Effect. Makes sense – people tend to remember the things that happened most recently and that can lead to incorrect assumptions. So if the last suspicious email a staffer sent to IT to check turned out to be nothing, they’re much more likely to open the next attachment that comes through. They find out it’s a scam when it’s too late.
- The Authority Bias. Most people have been conditioned to do what authority figures tell them to. And that’s exactly why business email compromise (BEC) has been such a successful scam in recent years. Posing as your CEO – or even as you – will certainly get an A/P clerk to initiate a wire transfer. Wouldn’t want to ignore (or perhaps even question) the boss!
Any one of these – or all of them – could be at play when scammers approach your finance staffers.
That means that, in addition to investing in security technology, you'll also want to put the time, effort and expense into training against cyberattacks.
Making folks aware of these cognitive biases and how they play out in phishing and BEC scams is a great start.
Maximum protection from cyberattacks
And be sure this info travels beyond Finance.
For example, as Carpenter notes in “The five most popular cognitive biases that result in phishing attacks,” the Recency Effect really comes into play in IT – most security teams admit to ignoring one-third of all security alerts. The reason? They’ve gotten false positives in the past.
That’s one expensive gamble your company should not be willing to take.
Furthermore, even though your in-house IT team may be vigilant about scanning for known vulnerabilities before going live with changes, how confident are you that third-party providers hold to the same high standards?
The need for regular software and hardware review extends far beyond the people who work for your company — and that means you’ll want to make your reach as broad as you can to reduce risk.