Anup Narayanan, 25th August, 2020
The pandemic hasn't been kind to cyber security managers. Attacks have increased, especially those carried out by state-sponsored actors.
Success comes with a reward - high visibility.
The more successful an organization, the more visible it is. The higher the visibility, the more attractive a target it becomes for state-sponsored attackers.
The reason is simple: gain entry and publicise the attack. The negative publicity brings humiliation along with an erosion of customer and stakeholder confidence. The cost is hard to quantify and the damage is long-lasting. Mission accomplished.
State-sponsored attackers target organizations that are critical to a nation's economy: oil & gas, telcos, shipping, airlines, transportation, power plants and other major brands. With Covid-19, pharmaceutical giants are on the list too.
State actors have deep resources at their disposal, yet their entry point is usually mundane. Verizon's 2018 Data Breach Investigations Report says that 70% of state-sponsored attacks used phishing emails, and in 41% of such cases the motivation was espionage. The malware delivered through these emails relies on unpatched vulnerabilities, so a single click on an unpatched machine can be enough.
Since humans (employees) are the primary target, what can a cyber security manager do? Awareness training is a must, but does the strategy need to change?
Three important attributes must be integral to a security awareness program.
1. Real attack scenarios
2. Practical instead of theory
3. Continuous learning
Start by listing the attack scenarios your employees are actually exposed to.
Phishing, undoubtedly. What else? Online meetings, remote working, home wifi, configuring VPN clients, using mobile devices as hotspots, using cloud services safely, and so on.
Throw theory in the dustbin and go practical. Instead of "password security", teach "how to set up a password manager". Instead of "encryption", teach "how to configure the VPN client on your mobile device". Make security awareness useful, and employees will appreciate it.
Gone are the days when an annual training session would suffice. Awareness must be regular, with fresh topics. Since employees are busy and mobile, micro-learning makes sense: short, flexible and fast, it keeps your program always on.
If you are putting in the hard yards to deliver awareness, then employees must be held accountable for breaches that result from ignoring it. Create a clear policy that explains what you expect from them in return for quality awareness training. After all, it is your time, your knowledge and your job.