Due to the changing threat landscape in the world today, it’s more crucial than ever for people to have a strong foundation of understanding about cybersecurity. This goes beyond clicking “Yes” on a dialog box asking you to update security software or making sure your smartphone’s firmware is up-to-date, although those are important measure to take, because anyone could be a target of attacks large and small. And from a business perspective, having employees that are familiar with security best practices is particularly important because one compromised employee could lead to a widening crack in the company’s defenses.
However, it doesn’t suffice to just think of security awareness in terms of general employees because, as with most policies, things work best if they start at the top. The same concept applies to security because if workers see their managers and even the founders of the company making smart decisions from a security perspective, then it will behoove employees to follow that example. The idea is to create a security-first culture where instead of only focusing on day-to-day operations, you make sure you do so in a secure fashion. What does that take? Education, training, and a general awareness of what it is going on in the world around you.
Growing awareness & insider threats
Simone Petrella, Chief Cyberstrategy Officer at CyberVista, says security awareness is “becoming a more mainstream issue given the news coverage and a greater understanding that some of the most recent, notable hacks have almost all started because someone in an organization clicked on something they shouldn’t have.” In fact, the types of threats that are gaining the most ground in recent years are those that target specific individuals with phishing scams designed to trick users into believing an email, link, or other point of contact is legitimate.
But then you also have instances where a message is meant to look legitimate to a larger group of people with the hope that one of them will click it and give the hacker what they want. In these instances, it’s important for every targeted person to have an idea of what to look for in these types of emails so they can be prepared and not prompt a domino effect. “Criminal groups, in particular, have used this technique with significant success, since they don’t have to target one particular individual or organization. They can cast a wide net and, with payloads like ransomware, can collect a steady financial reward,” Petrella says.
Insiders, Petrella says, “have been and likely always will be an organization’s biggest vulnerability,” so that’s why it’s vital to start with the employees inside your organization when thinking about security measure and policies. It isn’t a matter of not trusting your employees to do the right thing, but rather giving them the tools necessary to prevent them from turning into a security liability. “As threats become more sophisticated in exploiting human trust, it becomes increasingly important for employees to exercise a ‘trust but verify’ approach, and remain vigilant in evaluating suspicious yet seemingly legitimate emails or communications they receive,” Petrella adds.
Prevalence of security training
One of the biggest issues with establishing a solid security foundation has to do with resources. For example, Petrella says, a recent study from Wombat, a security training provider, “found that 56% of company personnel have not received security awareness training.” Much of that percentage is composed of smaller businesses with fewer employees, and that number does decrease as companies get larger, but that isn’t the whole picture. It’s one thing to offer a security education program, but it’s another to offer one that truly gives employees valuable information and is cohesive enough to ensure your employee base is coming from the some place in terms of expertise.
That’s why, Petrella says, it’s troubling “how security training is implemented in companies that do have them.” These companies are obviously better off than companies that have no security training at all, but that doesn’t mean that all employees are getting access to the necessary education. “As of mid-2016, only 45% of companies that did have training programs made it mandatory for all employees,” says Petrella. “That means 55% of companies made it optional. Of that same sample set of companies, 29% said the CEO and C-suite are exempted from security training programs.”
Perhaps the most important stat from the study is that 29% of CEOs and C-suite executives are exempt from security training, because that means that those companies aren’t getting that top-down view necessary to set and enforce strong policies. You can imagine it as a pyramid where the people at the top have the least focus on security and the people at the bottom are expected to have the most focus and understanding because of all the talk about insider threats. But the structure should resemble more of a square, where every employee at every level has a strong understanding of security threats and how to avoid them.
“It is especially important to ensure executives are aware and educated about security threats for a number of reasons,” says Petrella. “They are often the biggest targets given that their names, titles, and work is easily discoverable; they typically have access to more sensitive data or information across the organization, again making them a more attractive target; and they need to evaluate those security threats in the context of how they themselves are a possible risk to the organization and also must oversee and manage controls that address risk across the entire enterprise.”Assessing your attack surface
If you need even more of a reason to start focusing on security at every level of your organization, then it’s important to look at the threat landscape and how it overlaps with what Petrella refers to as a company’s “attack surface.” She points out that every business in existence today is “reliant on technology and connected devices,” whether they actually deal in digital services or just need basic connectivity to process transactions and generally “conduct business.” It’s like the old adage of having to admit you have a problem before you can solve it. Petrella says “the most important thing for an organization is to first recognize this fact, and then to initially determine the real cyber risks to the business.” You have to look at the systems that are crucial to the operation and success of your business and decide to what degree those are vulnerable to outsider attacks.
“In almost all cases, that includes people,” says Petrella. “They make up a component of an organization’s attack surface. The question then becomes a factor of risk tolerance and how big of a risk those people pose relative to your business. If you have a business with only a couple of staff, or the majority of staff are doing labor that doesn’t involve email, web access, etc., it’s obviously a very different calculus than a large enterprise with lots of staff who are operating on systems daily.”
Bringing in a third-party provider
If your company operates in that under-100-employees threshold where you simply don’t have enough resources to have an internal security education program or your company is so large that such a program would be difficult to get started, then it makes sense to look to third-party providers that have experience in these specific areas. CyberVista is one such company, as it focuses on cyber security training with an emphasis on company executives in order to bolster the “starts at the top” mentality so they can serve as examples and pass knowledge down to employees.
“As a training and education company, CyberVista works with executives and boards to not only accelerate an understanding of the cyber security risk landscape, but to reinforce how an understanding of those risks can develop into differentiated risk mitigation strategies,” Petrella says. “We use a customizable and modular design to fit an organization’s unique profile and follow a cyber governance framework that results in framing key questions executives should be asking and what policies, programs, etc. must be implemented.”
In addition to offering services designed for company executives and board members, providers like CyberVista can also help general security practitioners who want to gain special certifications for use in the workplace. For example, one area of focus is in becoming a Certified Information Systems Security Professional (CISSP). CyberVista, in particular, offers a 12-week online training course specifically for people who want to pass their CISSP certification exam. To get an idea of how deep that type of certification training goes, CyberVista offers 2,000 practice questions, quizzes, a practice mid-term, and a final exam as part of the 12-week program.
Still, for organizations that want to beef up security awareness company-wide, it helps to opt for private training, which, Petrella says “allows companies to have a more in-depth and tailored conversation about the cyber risks that most impact their industry and more specifically their organization. In other words, education and training providers such as CyberVista can help you develop a risk profile for your organization so you can determine which vulnerabilities deserve the most attention and what you can do to protect your business at every level.
“We work with board, executive teams, and/or information security executives to customize the program and its modules, exercises, and examples to make them most relevant to the level of literacy and desired outcomes of the company,” says Petrella. “Private training also enables more candid and productive discussion in the facilitated exercises, resulting in more tangible takeaways and metrics those executives can use in overseeing and managing their specific cyber security strategies.”
From our partners at CyberTrend Magazine.