News

Gamification and Information Security in business

“This isn’t just information security, this is cyber warfare.”

– Samuel Tucker, Recruitment Consultant in Information Security and Governance, Talent

Samuel Tucker

In a world where ransomware and spyware attacks have become the norm, your information security is more at risk than ever. Why then, is it often so difficult to get executives and key people in your business onside when you ask for support for new cyber security initiatives?

We caught up with Samuel Tucker, recruitment consultant in Information Security and Governance at Talent, to find out his thoughts on how you can raise awareness of the need for information security in your company. His answer: gamification.

What is gamification?

Gamification is the process of using game mechanics and experience design to create an engaging and motivational learning experience. It has been used for years by the military and intelligence communities, but only really came about in a business context in around 2010. Recently, it’s been promoted as one of the best ways to raise awareness and engage people in cybersecurity.

For example, PwC promote a programme called Game of Threats. This pits two teams against each other (normally executives without extensive technical knowledge), one attacking and the other defending. The aim of the programme is to teach the players how cyber attacks work, so they can be more aware in the future of how to defend themselves.

Cyber article

What are the benefits of gamification?

Gamification raises awareness, both of the methods that employees can use to stop attacks and of the need to adopt wider cybersecurity measures. “The most common threats come from social engineering – attackers target non-technical employees by ringing them or sending them an email, and from there they’ll use the information they extract to get into a company’s systems,” says Samuel. “Introduce gamification, however, and suddenly non-technical people become much more aware and are therefore more resilient to these kinds of attacks and penetration attempts.”

“Many people simply don’t understand the scale of the threat they face or the consequences.”

As Samuel points out, once employees are able to put a stop to cyberattacks in their early stages, tech professionals can spend their time on more technical infrastructure attacks. “Many people simply don’t understand the scale of the threat they face or the consequences. Targeted attacks happen on a daily basis and can be ruinous for businesses that aren’t prepared,” explains Samuel. IBM reports that human error contributes to over 95 per cent of successful attacks. Meanwhile, 60 per cent of small businesses that suffer an attack are out of business within six months, according to the U.S. National Cyber Security Alliance.

WPP for instance, one of the world’s largest advertising agencies, was hit by a ransomware attack called Petya in July. WPP’s systems were offline for days, resulting in a serious loss of revenue. “Many countries are now bringing in regulations which make companies liable for data losses. In the EU, for example, soon you will be fined 4 per cent of your gross revenue if data is not secured or handled properly. It’s more important than ever that you show the people that matter how important InfoSec is. Gamification is the most engaging way to do this.”

Cyber article 2

Seeing results right away

Samuel told us about a large financial institution that regularly runs Game of Threats in their business. “They saw their awareness peak up drastically. The number of people clicking on dodgy links decreased, and a particular executive assistant who was being targeted constantly was able to start bringing attacks to the attention of their cybersecurity team. Everyone was on board, everyone understood the nature of the threat and exactly how to protect themselves.”

Gamification doesn’t have to be expensive. There are computer programmes that cost next to nothing that will engage your colleagues, while sometimes even board games can help people gain a basic understanding. If you want assistance with any kind of InfoSec project, Talent’s consulting arm, Avec, can help you.

Likewise, if you’re looking to build a cyber security team, Talent’s expert recruiting services will find you the right person for the job. For more information, get in touch with the team today.