Improving Cyber Awareness Training

We live in an age of increasing cyber insecurity. This past year has demonstrated that governments, businesses, and individuals alike can all be targets of cyber attacks. The severity and frequency of breaches continue to increase. At the same time, billions of dollars are being poured into state-of-the-art network defense systems. However, the recent Kaspersky Labs hack demonstrates the need to shift from detection to resilience strategies that include all employees of an organization.

Kaspersky Labs, a leading cybersecurity firm based in Moscow, revealed in June they had been investigating a breach within their own system. Despite being a provider of some of the best services and technical solutions, the company’s hack was ultimately a result of human error. According to Kaspersky, the sophisticated malware called Duqu 2.0 penetrated their network defense systems through a spearphishing attack on an employee in one of the firm’s Asia-Pacific offices. The extent of the damage and the motive behind it are still unclear, but experts say that Duqu 2.0 may be one of the most complex pieces of malware yet seen.

This recent hacking of Kaspersky Labs is part of a larger pattern of attacks on cybersecurity providers, businesses, and governments. The 2011 hacking of cybersecurity firm RSA was also thought to be the result of socially engineered spearphishing attacks targeting individuals. Although these organizations employ vastly different network defense systems, they share a common weakness: humans.

Accordingly, many experts cite the need for better cyber awareness training programs. Meanwhile, opponents of cyber training campaigns argue that focusing on awareness distracts from the larger problem stemming from software design and technical controls. A Gartner study found that out of the $77 billion expected to be spent on cyber defenses this year, only $1 billion is estimated to go towards training programs.

However, these recent breaches show that no matter how high we build our walls, it takes just one human mistake for intruders to break into a secured system. Human fallibility is the Achilles' heel of strong cyber defense. For attackers, humans are ideal "soft targets," easily susceptible to phishing, malware, and social engineering attacks that can compromise a sophisticated network security system. IBM's 2014 Cyber Security Intelligence Index reports that 95 percent of all security incidents involve human error. Correcting this human error through cyber training may ultimately create the culture of information security that is necessary for cyber resilience.

Ensuring that all employees understand cyber threats and vulnerabilities is vital to creating an information security culture. A Dell and Ponemon Institute study revealed a worrisome gap in understanding of the source of cybersecurity threats within an organization's information technology (IT) and security departments. According to the study, IT leaders view third-party mistakes as the most serious cyber threat, whereas IT staff view web applications and negligent insiders as the most serious threat. Furthermore, non-IT personnel may not feel the need to accept cyber education because they are less likely to bear the consequences if they make a mistake. If an organization wants to establish a strong cybersecurity posture, these misalignments in threat understanding and in shared consequences for missteps must be addressed.

Equally important to cybersecurity education is the need to include people from all levels of an organization. Often anti-phishing training, for example, is focused only on the top leadership of an organization. The Kaspersky hack shows attackers can target any employee and still gain access to an organization's computer networks.

In order to improve cybersecurity practices across an entire organization, CISOs, IT personnel, and communication leaders must partner to expand security awareness education and increase compliance. Changing poor security practices through active training or gamified education may help promote cultural change. Sending simulated phishing emails to all layers of an organization could also serve as a metric for assessing cybersecurity practices and how well training is retained.

Cyber defenses will come from a combination of both strong network defense systems that can prevent intruders from entering as well as a resilient workforce that values information security. Many organizations already place a heavy emphasis on the physical defenses, but not nearly enough is being done to improve cyber education. Creating a strong culture of information security will likely help decrease human error and strengthen cyber defenses. Ultimately, every person in an organization must be part of the cybersecurity solution.