In a Cyber-compromised Israel, How Do You Get Employees to Take Security Seriously?

Staff at Hillel Yaffe Medical Center in Hadera input information by hand after the hospital was hit by a cyberattack in October. Credit: Amir Levy

It’s a challenging time for Israeli cybersecurity: In a single month, hackers broke into the systems of Hillel Yaffe Hospital in Hadera, the databases of several financial service providers, the medical records of the Mor Institute and the account information of one of the country’s major LGBT dating sites. This is just the beginning; every day, more organizations find themselves victims of cyberattacks, and most of these cases never reach the media.

One of the takeaways from the recent spate of attacks is that businesses need to invest resources in making their employees more aware of the problem, rather than just throwing money at technological defenses.

“It doesn’t make a difference how much money you invest in technology – it will never give you 100 percent protection,” says Guy Dagan, CEO of Consienta, which specializes in cyber awareness. “At the end of the day, a single employee can make it all come crashing down.”

He offers an example: “In the Colonial petroleum pipeline hack in the United States, one employee was using the same password at home and at work. That’s all it took for the hackers to break into the network. In this case, one stolen password from another website was enough to mount a ransomware attack that cost millions of dollars and disrupted oil supplies up and down the U.S. East Coast. The human factor is the weak link in the chain of cybersecurity, both inside the company and at home,” says Dagan.
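The password-reuse scenario Dagan describes has a straightforward defensive counterpart: before accepting a new password, check it against a corpus of credentials already exposed in other breaches. The snippet below is an added example, not code from the article or from Consienta; it uses the k-anonymity range-lookup scheme popularized by the Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash and matches the remainder locally), but the "server" here is a small constructed corpus so it runs offline. The leaked passwords, counts and the 12-character minimum are assumptions for illustration.

```python
import hashlib

# Constructed sample corpus: passwords assumed to have appeared in earlier
# breaches, with an assumed prevalence count. A real deployment would query
# a breach data set instead of this in-memory dict.
LEAKED_PASSWORDS = {
    "password1": 2_400_000,
    "Welcome2020!": 18_000,
    "qwerty123": 1_100_000,
    "Summer2021": 9_500,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the corpus key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by full hash so lookups never touch plaintext.
BREACH_CORPUS = {sha1_hex(pw): count for pw, count in LEAKED_PASSWORDS.items()}


def range_query(prefix: str) -> dict:
    """Server side of the k-anonymity lookup.

    Given a 5-hex-character hash prefix, return every known hash that shares
    that prefix, keyed by its remaining 35 characters. The server never learns
    which password (or which full hash) the client is actually checking.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: c for h, c in BREACH_CORPUS.items() if h.startswith(prefix)}


def times_seen(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = range_query(prefix)
    return candidates.get(suffix, 0)


def password_acceptable(password: str, min_length: int = 12) -> tuple:
    """Enrolment policy: reject anything short or anything known from a breach.

    Returns (accepted, reason). The length floor is an assumed policy value.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = times_seen(password)
    if seen:
        return False, f"found in breach corpus ({seen} times)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Welcome2020!", "password1", "brass-heron-quietly-maps-7"):
        print(candidate, "->", password_acceptable(candidate))
```

Because only the five-character prefix leaves the client, the check can be run against a third-party breach service without disclosing the password or its full hash; the comparison of the 35-character suffix happens entirely on the client.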

Cybersecurity professionals have racked their brains trying to figure out how to reinforce that link by raising awareness among employees. Those efforts – for instance, presentations – fail, Dagan says. “Employees don’t feel like it’s their job, that it’s not one of the metrics their performances are measured against.

Guy Dagan and Dan Chamizer. Credit: Ilan Assayag

“I’ll tell you the truth, if someone hacks into an organization and encrypts its computers, from the perspective of the majority of employees, that’s great – a day off at the beach,” he adds. Workers do not understand that they have much to gain from cybersecurity, and the field has not succeeded in rousing their interest in it.

Defense at work begins at home

Formed in 2007, Consienta conducts cybersecurity exercises for corporate managers, and according to Dagan, counts more than 100 businesses as clients.

“We’ve come to learn that the unspoken assumption inside organizations is that when a cyberattack occurs, the CEO can rely on the cybersecurity manager to tell them when the system will be up again,” says Dagan. “The fact is that when it actually happens, the cybersecurity manager doesn’t know anything. They don’t have control over the network or which backups exist, what the [hackers’] point of entry was to the enterprise. They have their hands full investigating the incident.”

As Dagan explains it: “A cyberattack isn’t a technical issue, but a managerial one. There’s the media aspect to it, for example – doctors at Hillel Yaffe who rushed to be interviewed on television. And there’s the legal angle, because even before the incident was over, four class-action lawsuits were filed.

“For each company, we tailor a specific scenario, a developing data leak exercise, in which the company is hit in the place that hurts it the most. The goal is not to deeply explore the issue, but to train managers in how to make decisions in a chaotic situation and identify problems. For example, in a publicly traded company, who decides whether to pay a ransom – management or the board?”

But the biggest challenge for a business is developing this awareness among staff members and middle management. Consienta takes two approaches to the problem. The first is to show employees how cybersecurity is their problem, too.

“If you get a ransomware virus on your work computer, so what? But if it gets into your private computer at home, someone could fool your kids online or try to steal your parents’ bank accounts – that’s already a different story. So we say, okay, if we teach the employee how to identify phishing emails at home, they’ll also be able to identify them at work.”

The second part of Consienta’s approach addresses getting participants to implement the information, which Dagan considers his area of expertise. “Every year, I put 450,000 people through a program of quizzes that brings them into the subject matter. It’s a system that I’ve developed over the last 35 years, in the army and at health care institutions, among other places.”

To do so, the company enlists television quizmaster Dan Chamizer. Consienta and Chamizer prepare a website for each client, each one with riddles attached to instructional slides. Reading the learning material helps answer the riddle.

One slide reads, for example, “How do you protect your cell phone?” It lists several rules: use a strong password, turn off Bluetooth when you are not using it, install only applications obtained from official app stores, and avoid handling sensitive information over public Wi-Fi networks.

The participants are challenged to answer the question by way of a rhyming riddle. In this case: “At the point of the sun, with cost to no one, of the security level you should be warned, and searching such info there should be scorned.”

To reach the finals, the participant needs to solve at least 10 out of 20 riddles. The three highest scorers get prizes, like an iPhone. “The program runs with a client company for a month, and during this time, the company talks cybersecurity,” Dagan says. “We don’t need to get 100 percent of the staff on board; it’s enough for me that a third of them get involved.”

Even if someone isn’t particularly gifted with riddles, Chamizer explains, the participant reads the informative slide several times, which is where the learning happens. As they see it, the employee should bring their whole family into the game, so that they can help – and learn – too.

Dagan and Chamizer’s original idea was that it would reach a wider audience, a national campaign under the aegis of the National Cyber Authority. Chamizer approached the head of the organization, but as he recalls it, “He was mainly interested in the question of how we got his phone number.” In any case, the project didn’t get off the ground for budgetary reasons, “so we decided to develop the concept as a tool for use inside companies.”

“I don’t think that anyone can manage without understanding the world of cybersecurity risk,” says Chamizer. “People get text messages promising them a million dollars, and they fall into the trap, not because they’re stupid, but because they aren’t familiar with the language. We think this kind of learning can really teach everyone effectively through making it into a game.”
