
October 19, 2021

Why cybersecurity training needs to evolve


Remote work – which is quickly morphing into a hybrid work environment – is likely here to stay in some capacity as companies and their employees have grown to like the flexibility of being able to work anywhere.

This kind of working environment is not going anywhere, but neither are the cyberattacks that attempt to exploit a distributed workforce and seize on the weakest links of any organization’s IT infrastructure: its employees.

According to a recent Forrester study, 74% of organizations that have suffered a business-impacting cyberattack attribute it to a remote work vulnerability, and 80% of security and business leaders said they are more exposed because of remote work.

IT and cybersecurity professionals are now tasked with implementing new protocols and tools to enhance the security of their employees and data, regardless of where they are. However, an organization’s technologists can only do so much, cybersecurity experts say.

“The biggest risk factor in any business is the people factor,” said Sammy De La O, director of quality and compliance at IT Direct, a Hartford-based subsidiary of nationwide IT service provider CompassMSP.

Hackers and cybercriminals are smart and tend to go after the low-hanging fruit and the path of least resistance. In other words, they would much rather compromise the business accounts of a company’s employees than spend countless hours looking for vulnerabilities in software to exploit.

According to a 2021 report from IT giant Cisco, phishing attacks – in which a hacker sends an email or other message designed to convince a user to click on a link or enter credentials – account for 90% of data breaches.

And a July study from cybersecurity firm Trend Micro found that the three most commonly occurring types of security incidents are business email compromise in which a lower-level employee was tricked (53%), phishing messages that resulted in malware (49%) and phishing messages that resulted in account compromise (47%).

“They're trying to hit up end users,” De La O said. “They're trying to utilize email or malicious links and that sort of thing to try to get into their companies through the people factor.”

Why training needs to evolve in the hybrid work era

Phishing attacks aside, employees are now working out of their homes or other remote locations in environments that are inherently unsecure, including the home network or public Wi-Fi.

However, many companies have not adopted remote work or hybrid work policies that account for those vulnerabilities that are largely out of their control, De La O says.

According to the same Trend Micro study, the most effective phishing mitigation was multi-factor authentication at 74%, but training and awareness was close behind with 62% of respondents agreeing.

However, according to a 2021 SANS Institute study, over 80% of security awareness professionals spend half or less than half of their time on awareness, which suggests that not enough time is spent on spreading awareness of cyber threats.

“In general, it’s just to check the box,” said Guy Citarella, founder and CEO of Hartford-based IT services provider Commprise.

According to Citarella, the historical approach of watching a short video and taking a short multiple choice test online is no longer the baseline. Cybersecurity training should not be lumped in with other mandatory trainings, he said.

“There’s a much higher risk with cybersecurity stuff now,” he said. “If you’re not engaging with it and you’re not getting through to people on cybersecurity training, it’s a higher risk than if they aren’t trained on another business process.”

“There are organization-wide consequences,” Citarella said.

Engage employees with practical, hands-on training

However, the majority of end users are, in fact, not technology or cybersecurity experts, and any organization’s training should not try to change that. Instead, the goal should be to make employees aware of the threats that exist.

Now, simulated phishing attacks are becoming the standard cybersecurity training approach and a unique way to engage employees and gamify the training.

In this scenario, an IT professional sends simulated phishing attacks to employees and shares the details with the company to identify which employees need more training or education.

According to Citarella, the tests can show who read the email, who opened attachments, who engaged with the form and who entered their information.

“The idea is to run it unknowingly against an organization, a company, and then go back later, do the training, and then run another random test and see what the differences are and how effective the training was,” he said.
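As an added illustration of the before-and-after measurement described above (example code written for this article, not from either firm or any phishing-simulation product): it takes constructed campaign events, scores each user by the deepest funnel stage reached (read, opened, engaged, submitted), lists who needs follow-up training, and compares a pre-training and a post-training run. The stage names, user names and campaign labels are assumptions.

```python
from dataclasses import dataclass

# Ordered funnel stages a simulated-phishing campaign records (assumed names);
# reaching a later stage implies the earlier ones.
STAGES = ("sent", "opened", "clicked", "submitted")
RANK = {s: i for i, s in enumerate(STAGES)}

@dataclass(frozen=True)
class Event:
    campaign: str   # "pre" (before training) or "post" (after training)
    user: str
    stage: str      # one of STAGES

def _events(campaign, reached):
    """Build one event per stage up to the deepest stage each user reached."""
    return [Event(campaign, u, s) for u, d in reached.items()
            for s in STAGES[: RANK[d] + 1]]

# Constructed sample data: the same five users tested before and after training.
SAMPLE_EVENTS = (
    _events("pre", {"alice": "submitted", "bob": "clicked", "carol": "opened",
                    "dave": "sent", "erin": "submitted"})
    + _events("post", {"alice": "opened", "bob": "clicked", "carol": "sent",
                       "dave": "sent", "erin": "opened"})
)

def deepest_stage(events, campaign):
    """Map each user to the deepest stage reached in one campaign, ignoring
    unknown stages and out-of-order delivery of the events."""
    deepest = {}
    for e in events:
        if e.campaign != campaign or e.stage not in RANK:
            continue
        if e.user not in deepest or RANK[e.stage] > RANK[deepest[e.user]]:
            deepest[e.user] = e.stage
    return deepest

def funnel(events, campaign):
    """Per stage: (users who reached at least that stage, % of users sent)."""
    deepest = deepest_stage(events, campaign)
    counts = {s: sum(1 for d in deepest.values() if RANK[d] >= RANK[s]) for s in STAGES}
    sent = counts["sent"] or 1          # avoid division by zero on an empty campaign
    return {s: (counts[s], round(100 * counts[s] / sent, 1)) for s in STAGES}

def needs_training(events, campaign, threshold="clicked"):
    """Users who reached the threshold stage or deeper and should be retrained."""
    return sorted(u for u, d in deepest_stage(events, campaign).items()
                  if RANK[d] >= RANK[threshold])

def improvement(events, before, after, stage="submitted"):
    """Percentage-point drop in the rate at `stage` from one campaign to the next."""
    return round(funnel(events, before)[stage][1] - funnel(events, after)[stage][1], 1)
```

With the constructed data, the credential-submission rate falls from 40% to 0% between the two runs, and only one user still clicks afterwards.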

De La O’s firm, which like Citarella’s company provides outsourced IT services to companies, takes a novel approach to this kind of training: it drops off USB keys in the parking lot or in public areas of customer buildings, loaded with software that notifies the firm if someone at the company plugs a key into a computer.

That, of course, is a major cybersecurity concern and about as dangerous as clicking a suspicious link or downloading an attachment from a strange email address.

Those USB keys can be loaded with malware that copies an organization's data, captures account credentials and sends them to a third party.

“These are some of the more practical things that we can train people on and make them aware,” De La O said.

Organizations should look for ways to gamify their cybersecurity training, but they also need to take a better approach when it comes to awareness for their employees.

All it takes is one employee to click on a malicious link for an entire company to be compromised, which makes training and awareness critical in the hybrid work era, De La O says.

“It doesn’t matter what industry you’re in or what business you’re in – technology is everywhere,” De La O said. “It’s a critical system that any business needs, so knowing how to use computers and how to look for the potential threats that may be coming in is important.”

Awareness of the cyber threats is just as important

Thanks to a massive uptick in ransomware and several large-scale nation-state compromises of widely used IT tools, cybersecurity has dominated news headlines in recent months, dating back to December 2019 when it was discovered that an alleged Russia-backed group leveraged IT management software to spy on U.S. agencies.

Although that attack was highly targeted at the highest levels of U.S. government, the defense industry and other mission-critical organizations, being aware of the proliferation of cybercrime can help boost an organization’s security posture. Sharing news headlines can help people understand that the risk is very real, De La O said.

“I think it’s important because if people don’t see it happening or they don’t see the need or risk, then it’s harder for them to buy into it,” he said.

De La O referenced a popular IT internet meme that shows the differences in an organization’s cybersecurity budget before an incident and after an incident, with the post-attack budget skyrocketing.

“If we really want to be proactive, it’s better to get these actual use cases out there,” he said. “The best-case scenario is that you never have a security incident because you prevented it through good cybersecurity practices.”
