Actors in the cyber security industry are fully focused on preparing for NIS2. But step outside that inner circle and ask how prepared management and industry at large actually are, and the answer is often "what NIS2?".
Several recent surveys point to a justified and widespread concern about ransomware attacks among Nordic IT managers. And as one security expert recently noted: "There is no easy patch or point solution for this, because the attackers prey on people and exploit our gullibility, such as clicking on links with malicious code."
The long-term solution for strengthening cyber security is to build an organisational security culture that makes security everyone's concern. In a highly digitised working life this is a necessity: every user of a digital service is part of the attack surface, but at the same time part of the defence. And this is where phishing simulations can play an important role, if they are used correctly.
The problem is that many organisations, in their eagerness to keep employees vigilant, either overuse phishing simulations or rely on repetition alone to create awareness.
But repetition alone does not create awareness.
Partly because of the risk of phishing simulation fatigue: recipients become dulled rather than alert. And partly because a one-sided focus on employees' click rates makes many hesitate to report suspected phishing emails, and reluctant to talk about them at all. Microsoft's annual Digital Defence Report found that while 89 percent of employees refrained from clicking on malicious links in simulated phishing emails, only 13 percent reported the email. That gap matters in practice: an employee who quietly deletes a phish has protected themselves, but the security team has learned nothing and the same message is still sitting in other inboxes. The gap is in itself a sign that we have a long way to go before we reach a security culture built on trust and openness.
We need to both act on and talk about cyber security if awareness is to spread throughout the organisation. It is not well-formulated guidelines that get employees to practise security. It is talking about it. At board meetings as well as at the coffee table.
There is a lot of talk about the "constantly changing threat landscape", and if the human firewall is to keep holding, we must keep challenging ourselves so that we can recognise new attack techniques as they appear.
We do this best with phishing simulations as a recurring, well-designed element of the organisation's overall information security training. They are an excellent way to test in practice whether the organisation is vigilant, and at the same time they give us the opportunity to learn from our mistakes, which means measuring and encouraging reports rather than only counting clicks. A first step in that learning is encouraging employees to share what they see. And that requires trust. Not fear.