Navigating the Storm: A New Era of Cybersecurity Training and Defense

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. William Agadzi, advisor to Noname Security, serves as our guide through the digital storm with best practices for cybersecurity training in the new era.

Imagine the shockwaves reverberating through Retool, a developer platform, when they discovered a few weeks ago that they had been breached through an SMS-based phishing attack, impacting 27 of their cloud customers. The operational impact was significant; the reputational, financial, and legal impacts loom. Another recent example is the breach at Okta, where cyber-criminals used a stolen credential to access their support case management system, impacting some customers.

These incidents, amidst the turbulent waves of the shifting cybersecurity landscape, are far from isolated. Many organizations, relying on vendor-provided training modules, find themselves grappling with real threats that evolve faster than their defenses – and their training – can keep pace.


Email Threats in the Workforce

While the dangers of email phishing are well acknowledged, the speed and sophistication of current threats can outpace the training content supplied by vendors. Only organizations that make it a priority to consistently update and adapt their training programs, whether with in-house or vendor-provided materials, have a realistic chance of keeping abreast of persistent threats. Such efforts usually focus on the rank and file, teaching them to resist social engineering. But that misses a key group: the software developers and engineers who build, run, and maintain the company's infrastructure. Their coding expertise may be superb, but their security awareness, and their ability to avoid introducing vulnerabilities, can be uncertain. They need to be armed with current secure-development practices, and their adherence to those practices must be monitored, measured, and fed back to them so that improvement is continuous. Because that feedback loop runs through line management, security training must include their supervisors if the full benefits are to be realized.

Let's focus for a moment on email as a mechanism for social engineering attacks. Because phishing is so pervasive, leading email service providers have bolstered their defenses with tools to detect and quarantine malicious content. Domain-based Message Authentication, Reporting, and Conformance (DMARC), which builds on SPF and DKIM, has become key in authenticating the source of a message and puts hurdles in front of attackers attempting to spoof a domain. But DMARC only protects a domain when it is configured and managed carefully: SPF and DKIM results must align with the From domain, the published policy must eventually move from p=none (monitor only) to quarantine or reject, and the aggregate reports it generates must actually be read. How well are email administrators trained and managed to do this?
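To make "careful configuration" concrete, here is an added example (written for this edit, not code from the article or from Noname Security) that parses a DMARC record as it would be published in the `_dmarc.<domain>` TXT record and flags the weak settings an administrator most often leaves behind: a monitor-only `p=none`, a subdomain policy weaker than the organizational one, a partial `pct=`, a missing `rua=` so nobody ever sees the reports, and tags receivers will silently ignore. The two record strings are constructed for illustration and `example.com` is a placeholder; the DNS lookup itself is assumed to have already happened.

```python
"""Check a DMARC TXT record for common weak settings.

Added example, not part of the original article. Tag names and
defaults follow RFC 7489; the sample records below are constructed.
"""

# Tags defined by RFC 7489. Anything else is ignored by receivers.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "pct", "adkim", "aspf", "fo", "rf", "ri"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag -> value dict.

    Raises ValueError if the record is not a DMARC record or lacks p=.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("required tag p= is missing")
    return tags


def is_dmarc(record: str) -> bool:
    """True if the string parses as a DMARC record at all."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()

    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={tags['p']}: unknown policy value")

    # sp= defaults to p= when absent; an explicit weaker sp= leaves subdomains open.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected")

    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct}: not an integer in 0-100")
    elif int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("rua missing: no aggregate reports, so misconfigurations go unnoticed")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua={uri.strip()}: not a mailto: URI")

    unknown = set(tags) - KNOWN_TAGS
    if unknown:
        findings.append(f"unknown tags ignored by receivers: {sorted(unknown)}")
    return findings


# Constructed records: the monitor-only record many domains never graduate
# from, and an enforcing record with strict alignment and reporting.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc-agg@example.com"
)

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec)
        for finding in assess_dmarc(rec) or ["OK: enforcing policy with reporting"]:
            print("  -", finding)
```

Running the checker across every domain the organization owns, including parked ones, is a cheap way to turn "DMARC is deployed" into something measurable, and the list of findings per domain is exactly the kind of metric that can be fed back to the administrators responsible.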

Mobile Threats in the Workforce

Our digitally connected world, spanning desktops, mobile phones, and the cloud, has given threat actors the opportunity to diversify their phishing methods, leveraging past successes while also innovating new approaches. A recent IBM Cost of a Data Breach Report illuminates this concern, revealing that phishing was the initial vector in 16 percent of breaches. Given how easy it is to execute and how well it pays, phishing remains a key option for cybercriminals. The advent of tactics such as SMS phishing (or 'smishing'), direct messaging via social platforms, and man-in-the-middle attacks — which reroute and alter digital conversations — underscores the evolving threat landscape.

Let's reflect on the distinct vulnerabilities faced by a mobile workforce. While connecting to whatever network is available during travel is convenient, it inevitably exposes employees to an array of complex cyber threats. The first question becomes: 'Is my data enticing to malefactors?' And the follow-on question is: 'To which malefactors: opportunistic criminals, professional criminals, nation-states?' Overlaying both is this: the Zimperium Global Mobile Threat Report revealed that 80 percent of phishing sites target mobile devices, which means that when you are on the go, your risk rises sharply. The threat matrix is further compounded by cutting-edge AI tools such as text-generating Large Language Models (LLMs). Nor do these threats come only from external bad actors: an employee who pastes internal data into an LLM tool in the course of ordinary work can create an exposure just as surely.

Addressing threats related to the traveling workforce calls for many parallel steps, such as special training for frequent travelers, providing temporary, specially hardened devices, and employing virtual desktop infrastructure or zero-trust network access mechanisms. Collaborating with IT partners and subcontractors to weave these measures into a holistic, robust cybersecurity strategy is key.

AI Threats in the Workforce

AI brings significant potential to cybersecurity, while also strengthening our adversaries, equipping them with powerful tools that broaden and reshape the threat they present. A recent Microsoft finding revealed that hackers armed with AI are increasingly harder to combat.

Historically, crafting malware required significant technical expertise, but generative AI can lower that bar considerably. Even with ethical constraints in place, crafty query phrasing can circumvent safeguards. Consider, for instance, a direct query to ChatGPT such as "develop malware that enables and installs a download when clicked and communicates with a C2 server". One would hope the tool rejects this request and explains why such an action is both illegal and unethical. However, a subtle change in wording, to "develop code that enables and installs a download when clicked and communicates with an external server", might yield a viable code snippet. Aggregated, such snippets could produce a formidable webshell, fake browser plugins, and more, all of which could subsequently be used in phishing campaigns.

Imagine your organization grappling with an advanced cyber-attack. Given the potential misuse of tools like LLMs, is your team investing in continuous learning and staying updated with the latest threat intelligence? How often do you assess your practices against the changing threat landscape?  How often do you measure how well your team is doing, and give them feedback?

Cybersecurity Training in the Workforce

Recent high-profile breaches have highlighted the imperative for businesses, regardless of size, to establish foundational security measures. This means moving from mere awareness to proven industry strategies: unified identity and access governance grounded in zero trust principles; phishing-resistant authentication built on FIDO standards such as the FIDO Universal Authentication Framework (FIDO UAF) and FIDO2/WebAuthn; comprehensive API security; and vulnerability management routines backed by regular penetration testing, together with feedback to your developers where their performance needs to improve.

Against this backdrop of changing threats, adapting our cybersecurity awareness training strategies becomes paramount.

Actionable Insights to Enhance Your Program


Comprehensive Phishing Simulations

Relying solely on annual compliance-driven cybersecurity training and new-hire security training is insufficient. Besides adopting FIDO-based authentication and the other measures mentioned above, organizations should simulate real-world phishing scenarios, test their defenses, and, more importantly, educate employees about evolving techniques. While realistic phishing simulations are vital, it is equally important to strike a balance that avoids alert fatigue. Engage employees with unexpected scenarios on a semi-regular basis rather than with frequent, predictable tests. That way each simulation offers a fresh learning experience and preserves both its shock value and its educational impact. The program should span the spectrum of likely threats, from email phishing to smishing.

Along with phishing training for new hires, simulations should be run at least quarterly, and users who fail must be counseled to ensure they understand what they did wrong; recidivists may need management intervention. Simulated smishing tests should also be performed, specifically targeting the mobile devices used to access enterprise accounts and data. Streamline phishing reporting by implementing, for example, a one-click reporting button within email clients or on mobile devices, so that users report fully and consistently.
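The counsel-and-escalate loop described above only works if the simulation results are actually rolled up per user and per campaign. As an added example (not from the article or any vendor's product), the following Python turns a constructed export of simulation results into the two numbers worth tracking per campaign, the failure rate and the report rate, and produces the list of repeat offenders who should be escalated to their managers. The CSV columns and the action vocabulary (`reported`, `ignored`, `clicked`, `submitted`) are assumptions for this example.

```python
"""Summarise phishing-simulation results and flag repeat clickers.

Added example, not part of the original article. The CSV export below
is constructed; column names and action values are assumptions.
"""

import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed export: one row per recipient per campaign. 'action' is the
# worst thing the user did: reported, ignored, clicked, or submitted
# (entered credentials on the landing page).
RESULTS_CSV = """user,campaign,channel,action
alice,2024-Q1,email,reported
bob,2024-Q1,email,clicked
carol,2024-Q1,email,ignored
dave,2024-Q1,email,submitted
alice,2024-Q2,sms,reported
bob,2024-Q2,sms,clicked
carol,2024-Q2,sms,reported
dave,2024-Q2,sms,ignored
alice,2024-Q3,email,ignored
bob,2024-Q3,email,submitted
carol,2024-Q3,email,reported
dave,2024-Q3,email,clicked
"""

# Clicking the link counts as a failure even if no credentials were entered.
FAIL_ACTIONS = {"clicked", "submitted"}


def load_results(text: str) -> list:
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def campaign_rates(rows: list) -> dict:
    """Per campaign: fraction of recipients who failed and who reported."""
    totals, fails, reports = Counter(), Counter(), Counter()
    for row in rows:
        campaign = row["campaign"]
        totals[campaign] += 1
        if row["action"] in FAIL_ACTIONS:
            fails[campaign] += 1
        elif row["action"] == "reported":
            reports[campaign] += 1
    return {
        c: {"fail_rate": fails[c] / totals[c], "report_rate": reports[c] / totals[c]}
        for c in totals
    }


def recidivists(rows: list, threshold: int = 2) -> dict:
    """Users who failed in `threshold` or more campaigns, with those campaigns.

    These are the people the text says need management intervention rather
    than another round of counseling.
    """
    failed_in = defaultdict(list)
    for row in rows:
        if row["action"] in FAIL_ACTIONS:
            failed_in[row["user"]].append(row["campaign"])
    return {u: sorted(cs) for u, cs in failed_in.items() if len(cs) >= threshold}


if __name__ == "__main__":
    rows = load_results(RESULTS_CSV)
    for campaign, rates in sorted(campaign_rates(rows).items()):
        print(f"{campaign}: fail {rates['fail_rate']:.0%}, report {rates['report_rate']:.0%}")
    for user, campaigns in recidivists(rows).items():
        print(f"escalate {user}: failed in {', '.join(campaigns)}")
```

The report rate deserves as much attention as the failure rate: a campaign where few people click but almost nobody reports tells you the one-click reporting button is either missing or not trusted, and that is a training gap in its own right.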

Motivating User Engagement

Security training can be dull for employees, an unfortunate fact of life. It is essential to adopt a user-centric approach that blends crucial security content with engaging delivery. Fortunately, numerous vendors offer training modules that emphasize brevity and engagement. Opt for sessions that use game-based techniques and keep each one to a comfortable length (usually about half an hour).

From the author’s firsthand experience through years of implementing security awareness training, a clear trend has emerged. Participation in the training more than doubles during the first week of its rollout when attendees are given a chance to win incentives, such as gift cards or gadgets if they complete the training early or get especially high marks. However, in the absence of tangible rewards or a system that ties training completion to annual reviews, the burden of ensuring compliance can come to rest on the security team when it should reside on the supervisors of the employees, who are accountable for subordinate compliance in all areas of corporate policy. Why should information security be treated any differently?

The culture of cybersecurity is also molded by leadership actions, especially at the C-level. Consider the widespread impact of a CEO saying that he is holding his own subordinates accountable for ensuring compliance with the upcoming annual cybersecurity awareness training. When the head of the organization says that this topic is on his or her radar, that should send a powerful message.

Promoting Ethical AI Usage

AI technologies, while promising transformative benefits, also introduce serious ethical challenges, especially in cybersecurity, where AI can craft highly believable phishing emails and other social engineering lures. Addressing these concerns demands a clear understanding of AI ethics among employees, including direct education about AI's responsible use and the potential repercussions of misuse. To champion ethical AI practices, organizations might consider establishing AI ethics committees. Comprising members from various departments, these committees would oversee adherence to ethical standards and facilitate regular workshops.

Moreover, implementing a robust AI use policy, similar to acceptable use policies for other IT resources, provides a foundational guideline for ethical conduct. Within a comprehensive cybersecurity awareness strategy, conducting regular audits on how AI tools are used can help ensure their ethical and secure application. Such checks can highlight areas where training modules might need enhancement, guaranteeing a workforce adept at using AI both safely and ethically. It’s imperative to cultivate an organizational culture that not only recognizes AI’s potential and associated risks but also promotes its secure and ethical utilization.


Looking Ahead

The evolving threat landscape is rife with challenges, but it also brings with it advanced tools and strategies for better defenses. As threat vectors diversify and strengthen, the importance of cultivating a security-first mindset becomes paramount. This mindset is not just about erecting barriers; it’s about ensuring our training and awareness strategies adapt to shield and provide real security benefits to businesses.

Building a cyber-aware culture is not a destination; it’s an ongoing journey that demands the right tools, commitment, and agility. By adopting techniques like continuous phishing simulation, user incentives, and ethical use of AI tools, organizations can not only protect their assets and reputation but also ensure that their security strategy seamlessly integrates with their overarching business vision.

In this fast-paced digital era, we must ask: Is your organization simply reacting to cybersecurity threats and incidents, or proactively fortifying its defenses? In cybersecurity, mere defense isn’t enough; we must stay steps ahead. By adopting the strategies outlined here, you can elevate your organization from secure to cyber-resilient.

