Cyber attacks are on the rise during this year of uncertainty and chaos. Increased working from home, online shopping, and use of social platforms to stay connected and sane during this year have provided criminals with many attack avenues to exploit.
To mitigate the threat to their networks, systems and assets, many organizations perform some type of annual cybersecurity awareness education, as well as phishing simulations. Unfortunately, attackers are quick to adapt to changes while employees’ behavior changes slowly. Without a dramatic shift in how we educate employees about cybersecurity, all industries are going to see a rise in breaches and costs.
Changing the way people learn about cybersecurity
The average employee still doesn’t think about cybersecurity on a regular basis, because they haven’t been taught to “trust but verify,” but to “trust and be efficient.” But times are changing, and employees must be reminded on a daily basis and be aware that they (and the organization) are constantly under attack.
In the 1950s, there was a real push to increase industrial workplace safety. Worker safety and the number of days on a job site without an incident were made top of mind for all employees. How did they manage to force this shift? Through consistent messaging, with diverse ways of communicating, and by using daily reminders to ingrain the idea of security within the organization and change how it functioned.
Hermann Ebbinghaus, a German psychologist whose pioneering research on memory led to the discovery of forgetting and learning curves, explained that without regular reminders that keep learning in mind, we just forget even what’s important. One of the main goals of training must be to increase retention and overcome people’s natural tendency to forget information they don’t see as critical.
Paul Frankland, a neuroscientist and a senior fellow in CIFAR‘s Child & Brain Development program, and Blake Richards, a neurobiologist and an associate fellow in CIFAR’s Learning in Machines & Brains program, proposed that the real goal of memory is to optimize decision-making. “It’s important that the brain forgets irrelevant details and instead focuses on the stuff that’s going to help make decisions in the real world,” they said.
Right now, cybersecurity education is lost and forgotten in most employees’ brains. It has not become important enough to help them make better decisions in real-world situations.
A different kind of training is needed to become truly “cyber secure” – a training that keeps the idea of cybersecurity top of mind and part of the critical information retained in the brain.
Microlearning and gamification
Most organizations are used to relatively “static” training. For example: fire safety is fairly simple – everyone knows where the closest exit is and how to escape the building. Worker safety training is also very stagnant: wear a yellow safety vest and a hard hat, make sure to have steel-toed shoes on a job site, etc.
The core messages for most trainings don’t evolve and change. That’s not the case with cybersecurity education and training: attacks are ever-changing, and they differ based on the targeted demographic, current affairs, and the environment we are living in.
Cybersecurity education must be closely tied to the value and mission of an organization. It must also be adaptable and evolve with the changing times. Microlearning and gamification are new ways to help encourage and promote consistent cybersecurity learning. This is especially important because of the changing demographics: there are currently more millennials in the workforce than baby boomers, but the training methods have not altered dramatically in the last 30 years. Today’s employee is younger, more tech-savvy and socially connected. Modern training needs to acknowledge and utilize that.
Microlearning is the concept of learning or reviewing small chunks of information more frequently and repeating information in different formats. These variations, repetitions, and continued reminders help the user grasp and retain ideas for the long-term, instead of just memorizing them for a test and then forgetting them.
According to Ebbinghaus, four weeks after a one-time training only 20 percent of the information originally learned is retained by the learner. Microlearning can change those numbers and increase retention to 80 or 90 percent.
Gamification amplifies specific game-playing elements within the training to include competition, points accumulation, leaderboards, badges, and battles. Gamification blends with microlearning by turning bite-sized chunks of learning into neurochemical triggers, releasing dopamine, endorphins, oxytocin, and serotonin. These chemicals help reduce stress and anxiety (sometimes associated with learning new material) and increase “feel good sensations” and feelings of connection.
Gamification increases the motivation to learn as well as knowledge recall by stimulating an area of the brain called the hippocampus. From a business perspective, 83% of employees who receive gamified training feel motivated, while 61% of those who receive non-gamified training feel bored and unproductive.
Other reports indicate that companies who use gamification in their training have 60% higher engagement and find it enhances motivation by 50%. Combining microlearning with gamification helps create better training outcomes with more engaged, involved employees who remember and use the skills learned within the training.
The bad guys don’t stop learning and trying new things, meaning the good guys must, too.
Cybersecurity is increasingly central to the existence of an organization, but it’s fairly new, rapidly evolving, and often a source of fear and uncertainty in people. No one wants to admit their ignorance and yet, even cyber experts have a hard time keeping up with the constant changes in the industry. A highly supported microlearning program can help keep employees current and empower them with key decision-making knowledge.
80% of companies say that an increased cybersecurity risk caused by human factors has posed a challenge during the COVID-19 pandemic, particularly in times of heightened stress.
This is according to Cyberchology: The Human Element, a new report that explores the role employees and their personality play in keeping organisations safe from cyber threats. Its findings include:
- Cybercrime has increased by 63% since the COVID-19 lockdown was introduced
- Human error has been the biggest cybersecurity challenge during the COVID-19 pandemic, according to CISOs
- Just a quarter of businesses consider their remote working strategy effective
- 47% of people are concerned about their ability to manage stress during the coronavirus crisis
Cyberchology research investigates the attitudes of 2,000 consumers and over 100 Chief Information Security Officers in the UK, with psychological research examining the link between cybersecurity, personality, and stress in a virtual world.
The report found that 75% of companies say that half of their business is being undertaken by employees who are now working remotely – but weren’t doing so before COVID-19, showing a highly dispersed current workforce.
With CISOs reporting a 63% increase in cybercrime since the lockdown began, and remote working here to stay for many employees, businesses are more at risk than ever.
Meanwhile, the report found that over two thirds of consumers were concerned about their cybersecurity but didn’t know what to do about it, and nearly half of respondents were concerned about their ability to manage stress during the pandemic.
Stress affects different personality types in different ways, meaning that each individual employee has their own specific blind spot when it comes to cybersecurity. As the pandemic has raised stress levels, staff members may be more likely to panic and click on a malicious link, or fail to report a security breach to the IT team, depending on their personality type.
The paper therefore encourages businesses to implement a holistic cybersecurity strategy that takes individual personalities into account.
“Remote working has brought greater flexibility to the workforce, but has also dramatically altered business processes and systems. The combination of fractured IT systems, a lack of central security, the sudden shift to home working, and a global climate of stress and concern is a perfect breeding ground for a successful cyberattack. The fact that only a quarter of businesses have faith in their own remote working strategy is shocking, and shows there is much work to be done to secure working from home,” said Jake Moore, Cybersecurity Specialist, ESET.
John Hackston, Head of Thought Leadership at The Myers-Briggs Company, commented: “Cybersecurity has long been thought of as the responsibility of IT departments alone, but in order to build a holistic cybersecurity strategy that accounts for the human factor, IT and HR departments must work together. Using psychometric testing and self-awareness tools, HR can help to identify the makeup of teams and pinpoint potential vulnerabilities. IT teams can use this insight to create comprehensive security protocols and a proactive cyber strategy to stay one step ahead of potential threats.”
Despite the fact that many organizations are turning to outside cybersecurity specialists to protect their systems and data, bringing in a third-party provider remains just a piece of the security jigsaw. For some businesses, working with a technology solutions provider (TSP) creates a mindset that the problem is no longer theirs, and as a result, their role in preventing and mitigating cybersecurity risks becomes more passive.
This is an important misunderstanding, not least because it risks setting aside one of the most powerful influences on promoting outstanding cybersecurity standards: employees. Their individual and collective role in defeating cybercriminals is well understood, and mobilizing everyone to play a role in protecting systems and data remains critical, despite ongoing improvements in cybersecurity technologies. Every stakeholder in this process has a role to play in avoiding the dangers this creates, TSPs included.
Despite the increasing sophistication of cyber attacks, TSPs that invest in key foundational, standardized approaches to training put their clients in a much stronger position. In particular, helping end users to focus on phishing and social engineering attacks, access and passwords, together with device and physical security can close the loop between TSP and end users and keep cybercriminals at bay.
Access, passwords, and connection
TSPs have an important role to play in training end users about key network vulnerabilities, including access privileges, passwords, and also the network connection itself. For instance, their clients should know who has general or privileged access.
As a rule, privileged access is reserved for users who carry out administrative-level functions or have more senior roles that require access to sensitive data. Employees should be informed, therefore, what type of user they are in order to understand what they can access on the network and what they can’t.
Passwords remain a perennial challenge, and frequent reminders about the importance of unique passwords are a valuable element of a TSP’s training and communication strategy. The well-tried approach of using at least eight characters with a combination of letters and special characters, and excluding obvious details like names and birthdays, can mitigate many potential risks.
There is also a wide range of password management tools that can help individuals achieve a best practice approach – TSPs should be sharing that insight on a regular basis.
In addition, employees should be cautious about using network connections outside of their home or work. Public networks – now practically ubiquitous in availability – can expose corporate data on a personal device to real risk. It’s important to educate and encourage end users to only connect to trusted networks or secure the connection with proper VPN settings.
Social engineering and phishing
An attack that deceives a user or administrator into disclosing information is considered social engineering, and phishing is one of the most common forms. Cybercriminals usually carry these out by engaging with the victim via email or chat, with the goal of uncovering sensitive information such as credit card details and passwords.
They succeed because they appear to come from a credible source, but in many cases there are some definitive clues that should make users and employees suspicious. These can include weblinks containing random numbers and letters, typos, communication from senior colleagues that doesn’t usually occur, or even just a sense that something feels wrong about the situation.
But despite the efforts of cybercriminals to refine their approach to social engineering, well-established preventative rules have remained effective. The first is simply: don’t click. End users should trust their suspicion that something might not be right; they shouldn’t click on a link or attachment or give out any sensitive information. Just as important is to inform the internal IT team or the TSP.
Alerting the right person or department in a timely manner is critical in preventing a phishing scam from having company-wide repercussions. TSPs should always encourage clients to seek their help to investigate or provide next steps.
Physical and device security
Online threats aren’t the only risks that need to be included in end user training – physical security is just as important to keeping sensitive information protected. For example, almost everyone will identify with the stress caused by accidentally leaving their phone or tablet unguarded. And unfortunately, many of us know what it’s like to lose a phone or have one stolen – the first worry that usually comes to mind is about the safety of data.
The same risks apply to workplace data if a device is left unattended, lost or stolen, but there are ways to help end users minimize the risk:
1. Keep devices locked when not in use. For many smartphone users, this is an automatic setting or a good habit they have acquired, but it also needs to be applied to desktop computers and laptops, where the same approach isn’t always applied.
2. Secure physical documents. Despite the massive surge in digital document creation and sharing, many organizations still need to use physical copies of key documents. They should be locked away when not needed, particularly outside of working hours.
3. Destroy old and unwanted information. Data protection extends to shredding documents that are no longer needed, and TSPs should be including reminders about these risks as an important addendum to their training on digital security.
This also extends to the impact BYOD policies can have on network security. For TSPs, this is a critical consideration as the massive growth in personal devices connected to corporate networks significantly increases their vulnerability to attack.
BYOD users are susceptible to the same threats as company desktops and, without pre-installed endpoint protection, can be even less secure. Mobile devices must, therefore, be securely connected to the corporate network and remain in the employee’s possession. Helping them to manage device security will also help TSP security teams maintain the highest levels of vigilance.
Empowering end users to guard against the most common risks might feel intangible to employers and TSPs alike, and in reality, they may never be able to measure how many attacks they have defeated. But for TSPs, employees should form a central part of their overall security service, because failing to work with them risks failing their clients.
More than 80% of global employees do not want to return to the office full-time, despite 30% of employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.
Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.
Mobile devices and a new threat landscape
The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.
“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.
“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.
- Typically works in financial services, professional services or the public sector.
- Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
- Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
- Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.
- Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
- Relies on remote collaboration tools and cloud suites to get work done.
- Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
- Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
- This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.
- Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
- Prefers to work on a desktop computer from a fixed location than on mobile devices.
- Relies heavily on productivity suites to communicate with colleagues in and out of the office.
- Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.
- Works on the frontlines in industries like healthcare, logistics or retail.
- Works from fixed and specific locations, such as hospitals or retail shops; this employee can’t work remotely.
- Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
- Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.
“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.
“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.
“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”
Cybersecurity threats are growing every day, whether they are aimed at consumers, businesses or governments. The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles.
The rapid digital transformation it has forced upon us has seen us rely almost totally on the internet, ecommerce and digital communications to do everything from shopping to working and learning. It has brought into stark focus the threats we all face and the importance of cybersecurity skills at every level of society.
European Cybersecurity Month is a timely reminder that we must not become complacent and must redouble our efforts to stay safe online and bolster the cybersecurity skills base in society. This is imperative not only to manage the challenges we face today, but to ensure we can rise to the next wave of unknown, sophisticated cybersecurity threats that await us tomorrow.
Developing cybersecurity education at all levels, encouraging more of our students to embrace STEM subjects at an early age, and educating consumers and the elderly on how to spot and avoid scams are critical to managing the challenge we face. The urgency and need to build our professional cybersecurity workforce is paramount to a safe and secure cyber world.
With a global skills gap of over four million, the cybersecurity professional base must grow substantially now in the UK and across mainland Europe to meet the challenge facing organisations, at the same time as we lay the groundwork to welcome the next generation into cybersecurity careers. That means a stronger focus on adult education, professional workplace training and industry-recognised certification.
At this key moment in the evolution of digital business and the changes in the way society functions day-to-day, certification plays an essential role in providing trust and confidence in knowledge and skills. Employers, government, law enforcement – whatever the function, these organisations need assurance that cybersecurity professionals have the skills, expertise and situational fluency needed to deal with current and future needs.
Certifications provide cybersecurity professionals with this important verification and validation of their training and education, ensuring organisations can be confident that current and future employees holding a given certification have an assured and consistent skillset wherever in the world they are.
The digital skills focus of European Cybersecurity Month is a reminder that there is a myriad of evolving issues that cybersecurity professionals need to be proficient in, including data protection, privacy and cyber hygiene, to name just a few.
However, certifications are much more than a recognised and trusted mark of achievement. They are a gateway to ensuring continuous learning and development. Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities.
Ultimately, we must remember that cybersecurity skills, education and best practice are not just a European issue, and neither are they a political issue. Rather, they are a global challenge that impacts every corner of society. Cybersecurity mindfulness needs to be woven into the DNA of everything we do, and it starts with everything we learn.
The benefits of cybersecurity awareness programs are currently the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies not only invest in IT security solutions, but also in the training of their employees with the goal of making them more conscious of security issues.
Already 96 percent of companies conduct security awareness trainings. This is one of the results of a study among qualified, international security experts, conducted by Lucy Security.
Security awareness covers various training measures which sensitize a company’s employees to IT security issues. The goal of these measures is to minimize the risks to IT security caused by employees.
Companies do not exploit employees’ potential
81 percent of the companies surveyed carry out phishing simulations. It is noteworthy, however, that only slightly more than half of the companies already include their employees in their security arrangements. For example, only 51 percent of the companies use a phishing alarm button.
49 percent do not use this function and thus do not exploit the full potential of their staff. The so-called “human firewall” is not activated. “The lack of use of a phishing incident button wastes a lot of protection potential and user motivation,” comments Palo Stacho, Head of Operations at Lucy Security.
In 92 percent of the companies, cybersecurity awareness has increased in recent months. 96 percent also agree that cybersecurity awareness has led to a higher level of security in their company. 98 percent are also convinced that security awareness measures make attacks by cyber criminals more difficult.
Phishing simulations strengthen trust in superiors
The measures also strengthen the confidence in the management. Almost 89 percent of the survey participants “fully”, “largely” or “rather agree” that trust in management is not called into question by phishing campaigns.
73 percent also confirm that the security awareness measures do not cause any fear among employees. In fact, the measures have the opposite effect: 95 percent of the respondents say that the phishing simulations have a positive effect on the working atmosphere. 100 percent also claim that the measures have a positive effect on their company’s error culture.
Security awareness makes companies more secure
Finally, 92 percent of the survey participants denied that the same level of IT security could be maintained in the company if the existing funds and resources were invested exclusively in technical security measures, such as firewalls and virus scanners.
“At Lucy Security, internal analyses have shown that correctly implemented awareness programs make a company up to ten times more secure,” says Palo Stacho. “But the benefits of cybersecurity awareness go far beyond fewer security incidents and better trained employees. The trainings and increased attention to IT security also have a positive effect on the corporate culture.”
New research has found that 42% of organizations are taking disciplinary action against staff who make cybersecurity errors. To examine the prevalence of punishment in businesses and the impact of this on staff, a team of researchers led by Dr John Blythe, Head of Behavioral Science at CybSafe, conducted a survey of cybersecurity awareness professionals as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails. The survey …
“Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective,” Dr. Jessica Barker, Co-CEO of Cygenta, told us in a recent interview.
In order to select the right security awareness solution for your business, you need to think about a number of factors. We’ve talked to several industry professionals to get their insight on the topic.
David Lannin, CTO, Sapphire
Engaging positively with your audience is critical in the success of any security awareness solution. Every individual is different, each having their preferences of learning style, content and pace. The solution you consider should be able to adapt to this, having rich and varied content suited to the right users and groups across your business.
Do not lose sight of how diverse an audience can be and where their areas of expertise lie. Educating a purchasing team on handling financial information online is appropriate, but a generic warning about password usage may be less useful to the security teams.
Test your employees’ awareness and measure their improvement. This provides a full HR/audit trail, and publishing these results over time keeps staff engaged, showing changes in how effective security awareness training has been. Identifying individuals that are more phish-prone helps focus targeted training for those individuals – a weak link in your cyber defenses. Tailored training based on understanding ensures that those who demonstrate an understanding earlier in the process can be exempt from further training.
Ensure that the results are tangible. Be able to demonstrate the security awareness solution is effective and improving the overall security posture of the business.
Lise Lapointe, CEO, Terranova Security
The right security awareness training solution will drive long-term behavioral change among employees to create a culture of security awareness.
There are five key components that must be in place to accomplish this:
- High quality content: Security training cannot effectively be approached as “one-size-fits-all”. Different formats and lengths of content promote better participation and retention rates.
- Intuitive phishing simulator: Out-of-the-box phishing scenarios that reflect real-life cyber threats integrated with training for feedback.
- Multilingual content and platform: Out-of-the-box language support for global security awareness programs.
- Communication and reinforcement materials: Large libraries of predesigned content and templates for internal campaign promotion and content reinforcement including videos, posters and newsletters.
- Consultative approach: Security training that is tied to the business’s needs, with offerings including CISO coaching, managed services and content customization.
By choosing the right security awareness training solution, businesses can develop customized, multi-language campaigns that are engaging and informative – and most importantly, successful.
Michael Madon, SVP & GM Security Awareness and Threat Intelligence Products, Mimecast
Human error poses one of the biggest risks to any organization. Yet, many organizations are conducting cyber awareness training quarterly or even less frequently – which is simply not enough. Mimecast recently surveyed 1,025 IT decision makers and found that 21% of respondents offer training on a monthly basis – a timeframe experts consider the gold standard.
The goal of any security awareness program should be to change employees’ perception of cybersecurity – helping them understand that it is not an inconvenience, but something that can help them be more effective in their jobs. But effectively educating employees on email and web security cannot be achieved through one-off training sessions or siloed events that involve non-interactive materials like sterile corporate videos and mass-produced pamphlets.
When identifying a security awareness solution, organizations should look for the following:
- Humor – Not many people absorb information when it’s given in a format that is stale and boring. Humor captures people’s attention and is the best way to engage. Look for a solution that includes humor to communicate important information in a highly relatable way.
- Short and frequent content – Offering a regular cadence of concise trainings is a great way to ingrain cybersecurity best practices into employees’ day-to-day activities. Training sessions should be delivered monthly and be only 5 minutes or less.
- Risk scoring – Risk scoring capabilities can help identify employees who are most at risk for attack and can help focus increased time and resources on specific individuals.
Lance Spitzner, Certified Instructor, SANS Institute
Security awareness is ultimately a control to help ensure your organization is not only compliant, but you are effectively managing and measuring your human risk. As such, you need a solution that was developed by experts who understand risk and know which risks and which behaviors to focus on.
These decisions should be driven by data based on today’s latest threats, technologies and incident drivers. If you are focusing on the wrong behaviors, not only are you wasting your organization’s time but you could actually be increasing the risk to your organization, such as by requiring people to regularly change their passwords.
Other key factors include how often the content is updated and how people will relate to it. As technology, threats and organizations change so do risks. Your training should reflect that change. The other element is ensuring the training is a good fit for your organization and your culture. For example, if you have an outgoing organization that loves humor, then use humorous training. But if you have a large, diverse or more conservative organization, you will want training that adapts well to that environment.
Inge Wetzer, Social Psychologist Cybersecurity & Compliance, Secura
First of all, go one step back! Ask yourself the question: what exactly do you want to achieve? Looking for an awareness solution implies that your goal would be that all your employees are aware of the security risks and that they know what they should do. Your focus is: knowledge. However, a gap exists between knowing what you should do and actual behavior. Many people are aware that they should actually lock their computer screens, but many people still don’t behave accordingly.
Would you be happy if all employees in your organization pass an awareness test? What does this tell you about their actual behavior? So, you may not be looking for a security awareness solution, but for a security behavior solution?
Psychology teaches us that behavior is defined by more than knowledge: our actions are also driven by personal factors such as our motivation and past experience. In addition, organizational factors such as context and culture also define behavior. For effective behavioral change, all aspects of behavior should be addressed. Moreover, the attention to these factors should be recurrent to keep the topic top of mind. So, look for a continuous program that focuses on safe behavior as the end goal by paying attention to its three determinants: knowledge, personal factors and organizational factors.
(ISC)2, the world’s largest nonprofit membership association of certified cybersecurity professionals, announced that it has signed a Memorandum of Understanding with the Australian Security Industry Association Limited (ASIAL) that will strive for the advancement of the information security profession in Australia.
In addition to promoting the importance of having qualified and certified physical security and information security professionals, both organisations agree that physical and electronic security systems and information security systems are converging, and both these aspects of security are vital to the other.
As part of the agreement, ASIAL recognises (ISC)2 certifications including the SSCP, CISSP and CSSLP as being measures of experience and knowledge related to information security. In turn, (ISC)2 will promote ASIAL as a peak body for physical and electronic security in Australia and will support ASIAL in promoting the message of a safer and more secure cyber world.
The recently published 2019 (ISC)2 Cybersecurity Workforce Study indicates that the current cybersecurity workforce shortage in Australia requires an increase of approximately 45,000 skilled staff. In order to advance the cause of the cybersecurity profession and attract more talent, (ISC)2 and ASIAL will help facilitate access to each other’s initiatives to provide additional insights and value to members of both organisations.
“Increasingly, electronic security measures are reliant on effective cybersecurity controls to protect people, business and society,” said Clayton Jones, managing director for Asia-Pacific, (ISC)2. “Our agreement with ASIAL recognises and reinforces the enormous risk that both physical and virtual threats pose and seeks to address them in order to promote a safer and more secure world.”
Recognising the committed efforts ASIAL has put forward to improve cybersecurity awareness across Australia, (ISC)2 will promote the availability of ASIAL digital content and studies to its Australian members.
“The convergence of physical, electronic and cybersecurity brings with it huge challenges and opportunities,” said Bryan de Caires, CEO, ASIAL. “Succeeding in this new environment requires new skills and mindsets. ASIAL’s partnership with (ISC)2 seeks to ensure that members have access to the professional skills needed to thrive in the digital age.”
Dr. Jessica Barker, Co-CEO of Cygenta, follows her passion of positively influencing cybersecurity awareness, behaviours and culture in organisations around the world.
Dr. Barker will be speaking about the psychology of fear and cybersecurity at RSA Conference 2020, and in this interview she discusses the human nature of cybersecurity.
What are some of the most important things you’ve learned over time when it comes to security culture? How important is it and why?
A positive and robust security culture is absolutely fundamental to the overall security maturity of an organisation. An organisation’s culture sets the tone for what is normal and accepted; it’s not what is written in a policy, it is what influences how people actually behave. From a security point of view, this is absolutely crucial and extremely influential.
Different cultures will influence whether people do what they should when it comes to security, for example a culture in which leadership demonstrate a strong commitment to, and respect for, security is much more likely to result in positive security behaviours than one in which leadership are dismissive of security.
The phenomenon of social proof, in which people model their behaviour on how others act (especially those in positions of authority or those they particularly admire), means that the role of leadership in security culture is vital. People in an organisation look to those in leadership to see how they should behave.
If leaders are seen to follow security policies and good practices, such as wearing identity badges and challenging tailgating, then others throughout the organisation are more likely to follow suit. A culture of fear in an organisation is very destructive. If people feel they are going to be blamed for clicking a link in an email they then suspect was phishing, for example, they are less likely to report such incidents when they happen. A culture of fear does not reduce the number of incidents, it just drives them underground and reduces the likelihood of people reporting those incidents.
When someone mentions security awareness training, there’s always a big split – some say it’s essential, others claim it’s a waste of money. What’s your take on this? Does it depend on the type of training?
Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective. That is not engaging and not only will such awareness-raising fail to make a positive difference, it is actually likely to have a negative impact. Too often training has been designed by people with technical expertise who may know what they want to say, but not how best to deliver it or indeed what messaging is going to be most relevant and effective for the people they are communicating with.
For awareness training to be effective, it needs to be relevant to the people it is aimed at, it needs to be engaging, interesting and it needs to feel useful. Talking with people about security in their personal lives, for example, can be really powerful because it is something that everyone can relate to and when people engage with the content in relation to their home lives, they absorb it in terms of their working lives, too.
Awareness-raising that feels like an experience, for example a table top exercise or a live demonstration of a hack, is memorable and fun – people go away from experiences telling their colleagues, friends and family about them, which has a positive ripple effect. Using emotion in a constructive way is really powerful, for example by telling stories. I say “constructive” because it is most important that awareness-raising is empowering, and this is something that is overlooked way too often.
Eliciting fear has been one of the most used marketing strategies in the cybersecurity industry since its inception. Can scaring employees actually make an organization more secure?
Using fear, uncertainty and doubt (FUD) is generally a classic example of awareness-raising that engages with emotion in a destructive way. When we deliver cyber security awareness, we are often talking about the threats, which inevitably will scare a lot of people, so we need to be really responsible in how we do that.
Unfortunately, people often use fear as a blunt instrument, without an understanding of the effect it has. For years, sociologists and psychologists have been studying fear, and what happens when we talk about something scary as a means of promoting behavioural change. My keynote at RSA Conference 2020 will cover some of this work and the lessons we can learn in cyber security.
What’s your take on how many CISOs prefer to spend money on technology instead of educating employees. Can they really solve their security problems with tech purchases?
It’s been encouraging to see, in recent years, that more and more CISOs and security teams understand that security can’t be solved with technology alone. I understand the tendency to want to “fix” security with a piece of shiny kit, because if that worked it would be simple and very comforting. Unfortunately, security is not simply about technology, it’s about how people engage with technology, and for this we need to focus on people at least as much as we focus on tech.
What are the biggest misconceptions about security culture and what can security leaders do in order to make sure their employees are more security conscious?
One of the biggest misconceptions about security culture is the belief that it can’t be measured and tracked, in the way that other elements of security are. This is something I have been working on for my whole career in security: there are very effective ways to measure security culture and there are lots of metrics you can use to check progress. Moreover, it’s really important that leaders put these in place. When awareness-raising is not part of a strategy and there are no metrics to see if it is having the desired impact, it is usually not very effective. How can you know if something is working if you don’t have any ways of measuring success?
Despite heading a company that provides a technological solution for stopping targeted email attacks, Evan Reiser, CEO of Abnormal Security, knows that technology is not the complete answer to the malicious email problem.
At the same time, security awareness and anti-phishing training is also not a foolproof solution, he maintains.
“Some businesses are giving up on technology and defaulting to an awareness-based security program for detecting email attacks, but that sets them up for failure. Our brains are wired to look for patterns and repeat processes, so for something that we do daily like email, it’s only a matter of time before an employee accidentally clicks a link from a ‘trusted’ company,” he told Help Net Security.
Forcing employees to dedicate a good chunk of each working day to evaluating emails for signs that they might have been sent by a bad actor is not good for business and not good for the employees, he opined: companies must marry training and technology together to build a comprehensive approach to protecting against email-based attacks.
Building a robust awareness training strategy
“There have been massive strides in the industry regarding training and awareness. There are a lot of great organizations that will provide security training as a service. These offerings teach employees to look for tell-tale clues such as emails from unknown senders, spelling errors, bad links, and inconsistent email addresses,” Reiser noted.
“However, I don’t think organizations fully realize how sophisticated attackers are. They are using information from social media, company websites, and other email communications to mimic people you trust, like bosses, colleagues or vendors. We’re not falling for emails from a Nigerian prince asking for money anymore.”
Even the most security-savvy employees can fall for some of these sophisticated tricks, and some may be too embarrassed to tell anyone about it or flag their failure quickly enough to prevent a (relative) catastrophe.
For many employees and in many organizations, falling for an email attack still carries a stigma, but companies should work on minimizing it, as well on sharing the lessons learned.
“It’s not about pointing fingers, but about creating a level of honesty and information sharing. Companies and executives need to move beyond exercises and share insights with employees about what they see in the industry, inside their own company, and how employees have been targeted and fooled,” he advised.
Collaboration and learning lead to better security for all
Reiser has been interested in technology for as long as he can remember, but only recently focused on cybersecurity – more specifically, on creating a more accurate solution for spotting malicious emails, especially if they are sent from legitimate but compromised accounts.
After getting a BS in computer systems engineering and a job in web development, he quickly found himself transitioning away from the corporate setting and into the world of startups.
His first company, an online-to-offline advertising platform that used behavioral profiling to direct offline purchasing through online ads, was sold to JP Morgan in 2010.
“With that experience, I built a new business that applied machine learning to advertising technology. That company was acquired by TellApart – and later by Twitter – where we worked on large-scale behavioral modeling, distributed machine learning and data privacy, security, and strategy,” he says.
He then realized that the same behavioral modeling technology that they used at TellApart and Twitter could have exciting cybersecurity applications – and this is how Abnormal Security came to be.
In this day and age, companies can’t do business without using email, but phishing and scam emails and business email compromise (BEC) incidents are a daily occurrence. Even the biggest and the most tech-savvy corporations aren’t immune to being victimized, and this means there’s a healthy demand for more effective solutions.
“The way I view it is that we’re partners and teammates with our customers,” Reiser explains. The ultimate goal is to get customers as secure as possible, he noted, but they are not under the illusion that the defenses they build last forever. “Bad actors will always come up with new ways to attack, and that’s why we need to learn together to build the best possible security posture.”
There are lots of articles out there telling people how to better secure their computers and online accounts. While I agree with some of it, this article contains some particularly bad advice:
1. Never, ever, ever use public (unsecured) Wi-Fi such as the Wi-Fi in a café, hotel or airport. To remain anonymous and secure on the Internet, invest in a Virtual Private Network account, but remember, the bad guys are very smart, so by the time this column runs, they may have figured out a way to hack into a VPN.
I get that unsecured Wi-Fi is a risk, but does anyone actually follow this advice? I think twice about accessing my online bank account from a public Wi-Fi network, and I do use a VPN regularly. But I can’t imagine offering this as advice to the general public.
2. If you or someone you know is 18 or older, you need to create a Social Security online account. Today! Go to www.SSA.gov.
This is actually good advice. Brian Krebs calls it planting a flag, and it’s basically claiming your own identity before some fraudster does it for you. But why limit it to the Social Security Administration? Do it for the IRS and the USPS. And while you’re at it, do it for your mobile phone provider and your Internet service provider.
3. Add multifactor verifications to ALL online accounts offering this additional layer of protection, including mobile and cable accounts. (Note: Have the codes sent to your email, as SIM card “swapping” is becoming a huge, and thus far unstoppable, security problem.)
Yes. Two-factor authentication is important, and I use it on some of my more important online accounts. But I don’t have it installed on everything. And I’m not sure why having the codes sent to your e-mail helps defend against SIM-card swapping; I’m sure you get your e-mail on your phone like everyone else. (Here’s some better advice about that.)
4. Create hard-to-crack 12-character passwords. NOT your mother’s maiden name, not the last four digits of your Social Security number, not your birthday and not your address. Whenever possible, use a “pass-phrase” as your answer to account security questions such as “Youllneverguessmybrotherinlawsmiddlename.”
5. Avoid the temptation to use the same user name and password for every account. Whenever possible, change your passwords every six months.
6. To prevent “new account fraud” (i.e., someone trying to open an account using your date of birth and Social Security number), place a security freeze on all three national credit bureaus (Equifax, Experian and TransUnion). There is no charge for this service.
I am a fan of security freezes.
7. Never plug your devices (mobile phone, tablet and/or laptop) into an electrical outlet in an airport. Doing so will make you more susceptible to being hacked. Instead, travel with an external battery charger to keep your devices charged.