Training employees to counter state-sponsored cyber terrorism

A time to refresh security awareness strategies in the wake of the pandemic and rise in cyber-terrorism.

Anup Narayanan, 25th August, 2020

Editorial article on training employees to counter the rise in state-sponsored cyber terrorism.


The pandemic hasn't been too kind to cyber security managers. Attacks have increased, especially those by state-sponsored actors.

Success, visibility and cyber attacks

Success comes with a reward - high visibility.

The more successful an organization, the more visible it is. The higher the visibility, the more attractive it is to state-sponsored cyber criminals.

The reason is simple - gain entry and publicise the attack. The negative publicity brings humiliation along with an erosion of customer and stakeholder confidence. The cost is unquantifiable. The damage is long-lasting. Mission accomplished.

State-sponsored cyber criminals target organizations that are critical to the nation's economy. Count oil & gas, telcos, shipping, airlines, transportation, power plants and other major brands. With Covid-19, pharmaceutical giants are on the list.

Exploiting the human vector

State actors have unlimited resources at their disposal. Verizon's 2018 Data Breach Investigations Report says that 70% of state-sponsored attacks used phishing emails. And, in 41% of such cases, the motivation is espionage. The malware delivered by these emails exploits unpatched system vulnerabilities.

Since humans (employees) are the primary target, what can a cyber security manager do? Awareness training is a must, but does the strategy need to change?

New security awareness strategies

The following attributes must be integral to a security awareness program.

1. Real attack scenarios

2. Practical instead of theory

3. Continuous learning

4. Accountability

Real attack scenarios

Imagine all possible attack scenarios that cyber criminals may exploit.

Phishing, undoubtedly. What else? Online meetings, remote working, Wi-Fi, configuring VPN clients, using mobile devices as hotspots, using the cloud safely, etc.

Practical instead of theory

Consign theory to the dustbin. Go practical. Instead of "password security", focus on "how to set up a password manager". Instead of "encryption", focus on "how to configure a VPN client on your mobile device". Make security awareness "useful". The employees will appreciate it.

Continuous learning

Gone are the days when an annual training session would suffice. Awareness must be regular, with new topics. Since employees are busy and mobile, micro-learning makes sense. Short, flexible and fast, micro-learning keeps your program always ON.

Accountability

If you are putting in the hard yards to deliver awareness, then employees must be held accountable for any breaches. Create a clear system that explains what you expect from them in return for quality awareness training. After all, it is your time, your knowledge and your job.