Equipping staff to deal with cyber threats

There is no single or short answer as to what sort of training techniques are most effective in combatting cyber-attacks.

However, it is clear that cyber awareness education must evolve as quickly as cyber criminals can craft a new attack.

“The majority of cyber attacks, unfortunately, start with phishing,” says Tony Anscombe, chief security evangelist at ESET.

He holds the position that remote and hybrid work models have contributed to increased cyber risks, simply because people are more likely to click on phishing emails in the comfort of their own homes as opposed to an office setting with potential witnesses.

Eric Skinner, vice-president of market strategy and corporate development at Trend Micro, adds that remote work meant corporations lost network visibility of their employees. In some cases, corporations have also lost visibility to the very computers employees use as some chose to work on personal devices.

“The saving grace with respect to email is that the corporate email system is still centralized,” says Skinner.

The great resignation has also contributed to increased vulnerability in the cyberspace, according to Ernst & Young Canada’s cybersecurity leader Yogen Appalraju.

He says that for the first time, many people left roles in the finance sector, which is not known to have particularly high turnover rates. This meant people resigned from their positions at places like banks — institutions that have traditionally invested heavily into fraud prevention, phishing awareness and cybersecurity training.

“If I think about what is the most fundamental issue companies are facing today, it’s that if you lose some of your skilled people, you can’t train the new entrants coming in,” says Appalraju, explaining that organizations sometimes rely on company veterans to school new-hires in cybersecurity best practices. When staff with seniority leave, it creates a knowledge gap.

As Anscombe describes, many cyber risk insurance firms now require companies to conduct training around phishing and cybersecurity.

However, the type of training that has shown to prevent cyber attacks from entering corporate networks begins with providing staff with a clear understanding of how phishing works.

Content falsely implied in many phishing attempts relates to contemporary events in the world. For example, during the onset of the coronavirus pandemic, many phishing emails contained messages about masks and PPE. More recent phishing attempts have used the conflict in Ukraine to reel in clicks in those moments before people stop to think.

Commitment to training
Though more and more companies have taken measures to ensure their staff receive training, Anscombe says that educating workers just to meet the minimum requirements of insurance firms is insufficient.

“It’s typically on an annual basis. I personally think it should be done far more frequently,” he says.

For Anscombe, cybertraining should be more of an ongoing, constant element in the workplace. Phishing attempts that land in the inbox of one staff member for instance, should be shared with all other members of the organization as an example of a live, current phishing attempt.

“I think it’s important that teachings make sure that people understand what phishing is when it’s happening,” says Anscombe. “It’s not, ‘Next year, I’m going to show you some of these examples that are from last year.’”

Appalraju also states that training must be ongoing as phishing attacks are becoming more sophisticated. Fortunately, training has become commercially available for companies to purchase and provide to their staff.

Imparting cybersecurity education is only half of the equation. Appalraju says companies must test their training through mock attempts to see whether members of their organization still click on simulated phishing.

Skinner recalls a time in cyber history when phishing emails were detected almost effortlessly. They often contained grammatical errors and poor spelling, and this made it relatively easy for employees to discern.

Over the years, attackers have accounted for the details that might make their messages stand out from the rest. The spelling and grammatical errors are gone, and they now use better graphics. They have compromised internal email addresses, enabling them to pose as CFOs or other executive roles within a company.

Skinner says this increased sophistication in the style of attacks has brought on a wave of new technologies that is focused on fraud detection.

Trend Micro has deployed an AI-based technology to conduct writing style analysis. “So, we can figure out whether this is how the CFO really writes, or does this claim to come from the CFO but does not match the writing style.”

Checks and balances
While training is an important piece of a company’s cybersecurity strategy, reliance on training places too much of an onus on employees, according to Skinner.

Since cyber attacks are ultimately financially-motivated, Skinner advises financial teams within a company look at their internal processes. Even if a compromised business email leads a staff member to pay an invoice, there should be enough checks and balances within the execution of that decision that prevent funds from ever leaving the company.

Further to this, as it is people in senior management or executive roles who often become the targets of phishing and false invoices, companies can and should do much more than simply take C-suite employees through a simulation. Skinner said IT and cyber staff can sit down with executives and have more personalized conversations that teach subtle clues in phishing attempts.

“We really have to expand beyond thinking that this is primarily the employee’s job to do the right thing and recognize these emails,” says Skinner. “In the cybersecurity community, whether we’re vendors or practitioners, we have to step up and help make it way more safe for employees to click on things and messages instead of blaming employees.”

One of the world’s experts in malware research remembers an era during which companies followed policies that terminated employees who caught viruses on their computers.

Rob Slade, an author, senior instructor and course developer with (ISC)2, adds that environments that cast blame, as Skinner describes, might only cause people to hide an error.  “Punishment is not the answer. Education is the answer,” he says.

When it comes to protecting an organization against a more sophisticated level of attack like ransomware, the best source of protection is a highly skilled cybersecurity department. As Appalraju says, ransomware attacks are not solved intuitively.

Training the trainers
“The type of cyber team you have internally, or the type of support you are getting and procuring externally makes all the difference in the world,” says Appalraju.

Companies have caught on in the last few years, he adds. Clients of E&Y, for example, are placing more emphasis on elevating their cybersecurity teams to a higher level. They are also trying to hire candidates who have already acquired cybersecurity training and have demonstrated skills in that area.

Appalraju also suggested corporate executives take advantage of the many masters level cyber programs and MBAs now offered at universities to become better equipped as leaders.
“Most organizations should encourage that, especially the high performers who are well-positioned for management roles in the future. Train them early on by sending them to some of these formal programs,” he says.

Where internal cyber teams are concerned, training continues to be an ongoing challenge for all organizations. As Appalraju says, more complex technology environments mean greater opportunities for bad actors to break in due to increased exposure.

Being extra judicious about who gets hired is a cybersecurity measure Slade can get behind, although he doesn’t think recruiters are doing a good job of this.

“When you do understand the technology, you understand what skills are involved in what they have done and how that can be transferred,” he says. After more than four decades in the industry, Slade has grown tired of hearing that companies cannot find trained people to hire for cybersecurity roles.

He believes the problem is in the approach recruiters take when they revise resumes or profiles on LinkedIn. They’re looking for what a potential candidate has already done instead of considering the technology and software they’ve already learned to use.

Instead, recruiters who understand the technology may be able to determine how this knowledge can be applied in a new role. Slade says incorporating this approach to hiring practices could prevent turnover in the long-term.

“If you can see that they’ve worked with three different compatible firewalls in the past, then hire that person and hand them the manual. In two days you’ve got somebody who’s pretty much up to speed.”