A CISO's Perspective - Security Education

Humans influence cybersecurity more than security policy and technology. They are a critical asset but are more prone to errors, and are considered the weakest link in security. For this exact reason, cybercriminals seek to exploit human behaviors as a conduit for cyberattack. And, they seem to be successful as the IBM study shows that 95% of cybersecurity breaches are due to human error.

According to another report, more than 90% of the cyberattack starts with the phishing emails. Targeted phishing emails are difficult to dodge and prevent. Emails in such attacks are carefully crafted to deceive and trick receivers into clicking a malicious link or opening a malicious attachment. Once open, attackers can steal login credentials, personal data, or install malware that can then be used to expand access to corporate networks to steal confidential data or perform other attacks.

Every day, threat actors develop and reinvent sophisticated, targeted, and intrusive attack techniques. They not only take advantage of weak passwords, phishing emails, and not secure access management but also use artificial intelligence and deep fakes to make such attacks more convincing and harder to detect. Consequently, massive ransomware attacks, big-game hunting, widespread data breaches, and exploitation of critical vulnerabilities are now a part of daily news headlines. Looking at the current trend, the future of cybersecurity and cyber-attack might take a different turn with the use of advanced technologies.

We need to accept the fact that no security system is 100% effective in preventing all cyber threats. However, if everyone acts responsibly, increasing the overall security and risk posture of an organization will be much easier.

Besides adding newer technology/products to the security stack, the human aspect needs more and better attention. If we work against human behavior, we will fail every single time. So, it is extremely important for the CISOs to understand the diversity of people, empower them, and implement/reinforce security awareness training to the entire organization.

Moreover, cybersecurity awareness must be adaptive and continuous to reflect the changing threat landscape. The ultimate goal is to set a security-first culture where employees change their behavior to reinforce good security practices. Security should live and breathe within every employee.

For an effective awareness program, CISOs should tie security awareness strategy with existing security program directives of the organization. In the process, they must

●?????Analyze security awareness needs, convince management to allocate adequate resources, and set strategic objectives.

●?????Develop a strategic awareness plan including

○?????target audience

○?????goals to be accomplished

○?????learning objectives, topics to cover, and deployment methods

○?????priorities based on the availability of resources, organizational impact, compliance status, project dependencies, etc.

○?????training, communication, and reinforcement plan

●?????Document and get feedback to optimize the performance of the program

The objective of a security awareness program is not just to let them know what security is and how to implement them. The goal is to instill security in their way of work strongly. For this, the security awareness program should

●?????Engage employees. Create short, engaging, and high-quality content to share anecdotes relating to cybersecurity issues in the work environment. For example, videos, posters, newsletters, simulations, and interactive quizzes to reflect real-life phishing scenarios.

●?????Employ a variety of methods. When it comes to security awareness training, there is no one-size-fits-all approach. So, employ a variety of techniques and formats to target diverse members of your target audience. For example, it could be classroom-based, computer-based, content with out-of-the-box multilingual support, simulated attacks, etc.

●?????Be updated frequently. Regularly update training materials to adapt to the constantly changing threat environment and other evolving needs. For example, some years back, ransomware operators used to just encrypt files and make ransom demands. As this attack was no longer fruitful (if companies had a backup), in late 2019, ransomware operators added double-extortion tactics in their playbook. When many of the victims didn’t pay the ransom, they added DDoS attacks as triple extortion. Now in 2021, they have upped their game with quadruple extortion, where they make direct communication with victims' customers and shareholders to put maximum pressure to pay the ransom. So, security awareness training needs to be updated to include such a change as it helps employees understand the gravity of cyberattacks.

●?????Be evaluated for effectiveness. Evaluate the effectiveness of the awareness program based upon its objectives. Use various methods such as surveys, employee feedback, targeted assessment and testing, monitor behavioral changes, etc.

At a minimum, include the following topics to ensure employees are educated to recognize and tackle advanced cyber attacks.

●?????Malware. (Trojan, Virus, Worms, Botnet, etc.) play a critical part in major security breaches, and the trend is not set to go anytime soon.

●?????Social Engineering Attacks. It is one of the most effective ways used by malicious actors to attack the targeted organization. It has always been the top attack vector and has caused technical and financial damage to businesses.

●?????Phishing Attacks. It is a prevalent form of cyberattacks, which has always been very effective and rewarding. And, cybercriminals frequently change their tactics to use targeted content as a part of their cyber operations and ramp up attacks via spam, phishing, and other malicious campaigns.

●?????Ransomware. Most of the attacks observed in 2020 and 2021 were ransomware infections. They have become more targeted than ever. These days, instead of distributing ransomware to a huge number of targets, threat actors are finding their way into a specific target. This way, they can encrypt the critical infrastructure of the targeted organization and demand a high ransom payment. So, ransomware will remain one of the most pressing concerns of cybersecurity organizations.

●?????IoT Attacks. IoT and smart home devices have become a playground and crown jewels for cybercriminals. They have been targeting IoT devices to capture banking passwords, online accounts, personally identifiable information, spy, inject malware and infect other devices, build a botnet network, etc.

●?????CryptoJacking Attacks. Cryptojacking is one of the emerging online threats which makes unauthorized use of computer resources to mine cryptocurrency. It is a lucrative option for cybercriminals.

●?????Deepfake and misinformation. Deepfake can be fake audio or video that is used with ill intentions. This is made possible by the use of advanced AI algorithms. Such approaches are used to interrupt services and operations, impersonate executives, steal money, and spread wrong information. In the days to come, deepfake and misinformation will evolve as a major cybersecurity threat to organizations and nations.

?Finally, a robust and enterprise-wide security awareness training program is the only way to ensure that people are held accountable and fully understand their security responsibilities.