Companies have a number of options open to them when it comes to training staff in cybersecurity. That’s good, because attacks are on the rise.
“The most disruptive cyber risks will be in relation to ransomware, intellectual property theft or access, systems for commercial gains, data breaches and broader data integrity threats. We have noticed that disruptive ransomware attacks have continued to grow this year,” says Dani Michaux, head of cybersecurity at KPMG.
In addition, the use of generative AI to craft more sophisticated and quicker, larger-scale attacks is on the rise.
“We also continue to observe the evolution of emerging technologies such as blockchain, biometrics, industry 4.0 and hyperconnected systems and virtual reality, to name just a few. We do note that all of these can pose new security, privacy and ethical challenges and raise fundamental questions about our trust in digital systems.”
It’s a lot for any organisation to cope with, as is navigating the array of technologies available to defend itself, including detection and response solutions, multifactor authentication and geo-blocking, zero trust solutions and immutable backups, to name but a few.
“We often see a lot of good technical capabilities deployed; however, often they are either not well utilised within the organisation or quite poorly integrated with the broader stack of solutions, making them far less effective in real terms,” says Michaux.
For most organisations, staff represent the first and last line of defence, which is why cyber awareness training is vital.
“Human firewalling and the human factor is the key focus of security programmes. This should not just be taken as a generic compliance exercise but should focus on appreciation of the fact that threat actors do target individuals within the organisation, who can prove to be the entry point into the environment, sometimes unknowingly and sometimes having full knowledge of the fact,” she points out.
“Sometimes it’s that simple click on a simple or sophisticated email, whether it’s because it looks extremely legitimate or other times because the person feels under stress to complete a task and becomes less vigilant. So in essence, the bad guys typically need one click and get it right one time to begin their activities. That one human error sometimes proves extremely costly to an organisation,” she adds.
Cybercriminals target individuals in various ways, including through social media, broader online profiles, or research around activities, often correlating information from different companies and systems. “We often see them spending time profiling individuals, including even their style of writing and other relevant ‘soft’ information, which is helpful in the attack execution phase,” says Michaux.
Typical suspects in the target list include executives, finance teams, HR teams, marketing teams, sales and accounts or regional teams. “Typically, it’s because the person’s role either has great outreach to others, or they handle large volumes of data, and/or they can approve various financial or vendor or personal details changes. So it comes down to what a person has access to and how helpful this could be at a later stage of the attack,” she explains.
Hygiene factors
The breadth of possible candidates is why cybersecurity awareness training must be organisation-wide.
It must also be clear. “It’s about making it as simple as possible — why does cybersecurity matter to you in your role?” she says.
“I like focusing on the basic hygiene factors and making them simple so people have them as a mantra every day they come to work or even at home with their families. The more complex and lengthy basic rules are, the more likely it is for people not to follow them. Make the rules clear, make them known, and repeat the good practical examples of easy goals or rules being achieved.”
After that, consider advanced training. “When we speak about cyber training I’m sure everyone imagines black hats and hoodies in a room aiming to bring down organisations. While these technical training sessions are great, I find simulations, where we train both the defenders and response teams of organisations, to be equally as important.”
She is also seeing a lot more resilience and crisis management simulation training, where scenarios are played at different levels of complexity, to help train the ability of mid, senior and executive management, as well as boards, to deal with large-scale cyber breaches.
“It starts with really advanced skills training of individuals within the technical teams, but it evolves to the executive and board to ultimately train everyone within the organisation in terms of resilience,” she says.
A cyber attack can be too difficult to overcome if everyone isn’t up to speed with what’s required of them.
“After the first 48-hour window, cyber attacks become a major business issue, and in some cases can become an existential threat to the business. It’s about becoming a more resilient business, which can adapt and deal with uncertain situations, including ever-growing cyber attacks,” she explains.
Annual cyber drills and simulation exercises with external observers are a great way to measure the improvements and ensure new lessons are learned. “Remember, nothing remains the same. As the threats evolve so does the business itself, so your focus needs to be on continuous training and embedding cybersecurity training as part of the organisation culture,” says Michaux.
Digital transition
There is help at hand. MentorsWork, an initiative of the Small Firms Association (SFA) that is open to all businesses and not just SFA members, provides training for businesses making a digital transition, including modules on cybersecurity.
Each year in October it participates in European Cyber Security Month, which enables it to pass on current thinking and best practice. Another resource is FraudSmart, a Banking & Payments Federation Ireland initiative that keeps organisations up to date about the latest threats.
Skillnet, the workforce development agency, includes cybersecurity training as part of a number of its learning networks, which can be accessed by companies on the basis of sector or region.
It works with a number of network partners that engage across all business sectors and cyber threats, says Mark Jordan, its chief strategy officer, who adds that the agency has seen a rise in demand for cyber awareness training at all levels.
Part of this is driven by the number of businesses that pivoted to online almost overnight during the pandemic but are only now getting to grips with the cyber risk that comes with that.
Skillnet Ireland cybersecurity training runs all the way from short programmes around general data management and establishing an effective firewall, to a fully accredited master’s degree programme in cybersecurity, run by the Technology Ireland ICT Skillnet.
“Organisations may be pleasantly surprised by the appetite of their employees to continue their cybersecurity training into more advanced forms, beyond that of mandatory annual training programmes,” suggests James Baldwin, head of enterprise architecture and cybersecurity, PepsiCo Ireland.
“There is a mutual benefit for both the organisation and the individual in not only becoming more aware, but also being able to help others. Advanced training can offer deep-dive sessions on threats and techniques, tailored training to particular groups, such as IT, finance or HR, interactive sessions and recognised certification,” he points out.
Business functions
Creating sustained communities within business functions, such as cyber advocate and champion roles, helps create a business-driven cyber culture. “In PepsiCo Ireland we recognise the importance of having a best-in-class, up-to-date and relevant annual cybersecurity training programme for all employees,” he adds.
“We maintain a strong in-house cyber training capability while partnering with industry leaders to provide always-on training pathways. Alongside training and certification, we embed cyber awareness programmes that run year-round, with up-to-date content cascaded through our business functions. We also deliver advanced cyber programmes to facilitate employees who want to learn even more.”