The Fight for Cybersecurity Awareness

Investing in cybersecurity skills creates a safer digital world for everyone.

Erik Gross, Deputy CISO, QAD

April 8, 2024


COMMENTARY

The recent movie The Beekeeper begins with a cyberattack against a victim unfamiliar with the tactics and techniques attackers use in today's technology-driven world. The film's protagonist, Adam Clay, played by Jason Statham, then goes on a digital vendetta to find the responsible adversaries and ensure they can't continue extorting victims through common cybercrimes.

As much as our security teams would love to do threat hunting like Clay, we lack the physique and the combat skills, and we know that spreading awareness is a far more effective approach anyway. Keeping the workforce fully educated can be a monumental task. However, it is the one control that directly addresses threats aimed at individuals rather than at systems. Some of the new ways of training involve old techniques.

Adaptable > Repeatable

In cybersecurity, technology operates predictably, but humans do not. As security professionals, we need to keep reminding ourselves of this. The distinction underscores the need for person-led training during an employee's onboarding. Interactive training acknowledges human complexity and emphasizes adaptability, both to new threats and to individual learning styles. Unlike automated training, person-led approaches can quickly adjust to unique challenges and learner needs, which makes them more effective at building a deep understanding of security practices.

How quickly can your organization adapt to AI-based threats? With human error cited as a factor in almost 90% of data breaches in some industry surveys, organizations that allocate their work and resources by risk will have a hard time finding anything more important than an educated workforce. Train people with people. Use security champions if your team lacks resources or has time zone constraints. But whatever you do, don't simply automate the process.

Build Storytellers

Creating a solid cybersecurity culture involves enabling employees to share their personal experiences with security issues openly. Most people learned their most valuable security lessons from other people's stories. Sharing security stories may not come naturally to employees, so we need to teach and promote this behavior. During training, ask employees to discuss how cybersecurity has personally affected them in the past, and ask about their familiarity with password hygiene and with what is safe to post on social media. This open discussion helps them feel at ease with the topic and shows that the organization encourages it.

Test the Response

Implementing specific tests and monitoring employee behavior is essential to gauge the effectiveness of a security program. We know new employees will receive the fake text message from the "CEO" requesting gift card purchases. Run a simple smishing or phishing simulation with new employees and see whether they proactively reach out after detecting the attempt; the rate at which they report it is a better measure than the rate at which they click. If employees actively communicate with each other about phishing campaigns, share security-related news, or discuss security topics, it shows they have confidence and a proper education in cybersecurity. This level of engagement and vigilance highlights the program's effectiveness in fostering a proactive security culture. When you see it, be quick to reward it.
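As an added illustration (not code from the original article, and not QAD's tooling), the following Python scores a simulation by reporting behavior rather than click rate, which is what "proactively reach out" actually measures. The users, cohort labels, and timestamps are constructed for the example; the one behavior it singles out for reward is a report that was not preceded by a click.

```python
"""Score a phishing/smishing simulation by reporting behaviour, not just clicks."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Outcome:
    """One recipient's result from a single simulated phishing/smishing message."""
    user: str
    cohort: str                          # e.g. "new_hire" or "tenured" (hypothetical labels)
    sent: datetime
    clicked: Optional[datetime] = None   # when the link/number was used, if ever
    reported: Optional[datetime] = None  # when the user reported it, if ever


def reported_without_clicking(o: Outcome) -> bool:
    """The behaviour worth rewarding: a report that was not preceded by a click."""
    if o.reported is None:
        return False
    return o.clicked is None or o.clicked > o.reported


def score(outcomes, cohort=None):
    """Per-cohort metrics; cohort=None scores everyone. Report rate is the headline number."""
    rows = [o for o in outcomes if cohort is None or o.cohort == cohort]
    if not rows:
        raise ValueError(f"no outcomes for cohort {cohort!r}")
    n = len(rows)
    clicked = sum(o.clicked is not None for o in rows)
    reported = sum(o.reported is not None for o in rows)
    clean = sum(reported_without_clicking(o) for o in rows)
    minutes = [(o.reported - o.sent).total_seconds() / 60
               for o in rows if o.reported is not None]
    return {
        "n": n,
        "click_rate": round(clicked / n, 3),
        "report_rate": round(reported / n, 3),
        "report_without_click_rate": round(clean / n, 3),
        "median_minutes_to_report": round(median(minutes), 1) if minutes else None,
    }


def users_to_reward(outcomes):
    """Who to thank publicly: reported, and did so before (or without) clicking."""
    return sorted(o.user for o in outcomes if reported_without_clicking(o))


# Constructed sample data (fictional users and times), not real simulation output.
T0 = datetime(2024, 4, 8, 9, 0)
SAMPLE = [
    Outcome("a.lee",   "new_hire", T0, clicked=T0 + timedelta(minutes=2)),
    Outcome("b.ng",    "new_hire", T0, reported=T0 + timedelta(minutes=5)),
    Outcome("c.ortiz", "new_hire", T0, clicked=T0 + timedelta(minutes=1),
            reported=T0 + timedelta(minutes=3)),   # clicked first, then reported
    Outcome("d.patel", "tenured",  T0, reported=T0 + timedelta(minutes=2)),
    Outcome("e.kim",   "tenured",  T0),             # ignored the message entirely
    Outcome("f.ross",  "tenured",  T0, reported=T0 + timedelta(minutes=8)),
]

if __name__ == "__main__":
    for cohort in (None, "new_hire", "tenured"):
        print(cohort or "all", score(SAMPLE, cohort))
    print("reward:", users_to_reward(SAMPLE))
```

Tracking "report without click" separately matters because a click followed by a report is still a good outcome to reinforce, but it is a different conversation from a report that stopped the attack cold; collapsing both into one number hides which one your onboarding is producing.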

Conclusion

Unlike The Beekeeper, we won't be able to hunt down the adversaries and kick some butt. Instead, developing a robust security culture through awareness is our fight against cybercrime. Encouraging employees to share their experiences with security builds a sense of community and vigilance. Personalized training plays a critical role in this ecosystem: it's not just about delivering information; it's about tailoring the learning process to diverse needs and emerging threats. Through testing, we can assess how prepared our employees are to identify and counteract potential threats.

The benefits of these strategies extend beyond the office walls. We're not merely educating our workforce; we're equipping them with knowledge that transcends the professional environment. This empowerment boosts their confidence, making them safer and more adept Internet users, at work and in their personal lives. By investing in their cybersecurity skills, we're contributing to a safer digital world for everyone.

About the Author

Erik Gross

Deputy CISO, QAD

As the Deputy Chief Information Security Officer (CISO) at QAD, Erik Gross leads cybersecurity initiatives, blending his rich experience with a leadership ethos that encourages collaboration and adaptability. At Redzone, Erik was the Vice President of Security, where he was instrumental in developing the security program from the ground up. His professional roots in operational technology (OT) gave him a firm understanding of industrial security challenges. His leadership emphasizes the essential role of people in cybersecurity, fostering a culture where teamwork and agility are crucial, thereby enhancing problem-solving and organizational responsiveness. His 15+ years of experience highlight a commitment to strengthening security practices while creating an environment where every team member's input is key to the collective cybersecurity effort.
