Cybersecurity education could be compared to taking an exam. You learn something to prepare for the test, but if you don't use that knowledge again for a long time, you forget it. This is often the case with cybersecurity training for employees, which takes place once or twice a year. Education should be an ongoing process for best results.
Cyberattacks are becoming more sophisticated every day. But if you manage to increase the vigilance of your employees, staff members can become one of your most effective security controls.
Wondering how to come up with effective new forms of employee training? Read our interview with ESET Chief Information Security Officer Daniel Chromek.
It seems clear that it is necessary to raise employees' awareness of cyberthreats. Nevertheless, many employees are still unable to detect cyberattacks. What keeps companies from resolving this situation?
Companies may generally underestimate cybersecurity education or keep it on the same level while cyberattacks improve, evolve, and change over time. We can no longer rely on key features of fraudulent emails, such as poor grammar or logical mistakes, to recognize attacks. Both the content and visual form of these attacks are getting more and more sophisticated. I don't think we're that far from the point at which many people won’t be able to distinguish phishing from standard emails. Also, there is a risk of more frequent vishing, even though simulating a phone call from a certain number is difficult to perform in real time. But it’s not difficult to grab the CEO voice from YouTube and then prepare the vish beforehand to convince people to transfer money.
What about deepfakes or facial recognition systems? Will they also affect the form of future attacks?
Definitely. There already are deepfakes that are hard to distinguish from reality, especially in the video. However, deepfakes are much more difficult to do when used in a real-time interaction, as in a simulation of a video call. In general, it is easier to attack someone with a phishing email that contains text and static images rather than with an attack that requires direct interaction with the victim. Nevertheless, the PR impact of deepfakes spread via a social network may be a significant event today.
So, these types of attacks do not occur yet?
So far, I've only heard of a case from France, where a group of fraudsters staged a video call in which they used a silicone mask to impersonate a French defense minister and asked wealthy individuals and groups to financially support a fake government operation. Although it was not yet a computer-generated deepfake — it was more a bit of theater — we can expect that the problem will only get worse.
What are the stumbling blocks in teaching employees to recognize these attacks?
When I worked as an IT consultant a few years ago, I noticed that companies often think of cybersecurity as an issue that automatically falls under the responsibility of the IT department. But IT professionals are not always able to come up with training that people understand and are interested in. It's simply not as easy as it seems. It requires security know-how — about things like phishing, password choice, encryption — and also effective adult education know-how.
Do you think IT professionals should work with psychologists, for example?
Certainly. Or with someone who has a degree in adult pedagogy or simply knows how to make any person really remember certain facts and to change something in their behavior. Today, it is possible to pay for various customized trainings. Larger companies often solve this by working with both IT and HR departments. The key is to find someone who can deliver information to employees in a clear and interesting way. That’s why we see the gamification approach more often nowadays.
Do you think that the majority of small and medium-sized enterprises already have some form of employee training?
Yes. Most of them use at least some basic cybersecurity training — for example, training that is available on online platforms. But in my opinion, you need to do more if you want to build a cyber-aware culture in the company. When you train employees once a year, the result is the same as with other types of training — after “the exam,” students quickly forget what they learned — and then they are back to where they were at the beginning.
How often should the training take place?
As often as possible. In my opinion, it makes more sense to divide the information you need to convey into smaller chunks that employees can absorb. For example, use 10-minute videos that focus on just one key thing, or that summarize the four major changes resulting from the new policies. You can then distribute such simplified examples regularly to remind employees that it is important to monitor security issues. And if there is an attempted attack in the company, you can work with that and explain to employees how such an attack works.
Let's say I want to build a company that is resistant to cyberattacks from the ground up. What should every employee know?
First, everyone should know what the company wants from the employees. How are they to use the provided technology, and what sanctions await in case of loss or damages? These questions should be answered before something happens, ideally at the beginning of employment. Then there are a few standardized topics that cover basic security measures: how to set a strong password, how to use two-factor authentication — and, of course, how to recognize phishing and fraudulent websites based on characteristic attributes and message content. Employees also need to know to whom to report suspicious activity; how to use software or cloud services; what to do in case they see suspicious individuals within office premises; and how to use security technology, such as a password manager.
In addition, the company should explain to employees that if they get a company mobile device or an iPad, they should be careful about what they download and install on it. There are many fraudulent mobile applications, so it’s important to show employees where to look to verify an application before installing it. A similar thing applies to installing various programs on a computer while working remotely. And of course, the employee should also know whom to contact if something happens. At the end of last year, for example, we noticed fake calls from Microsoft — it was an opportunity to inform our employees about what to look out for and why this was happening at all.
Why should any company management avoid scaring people with the possible personal consequences of cyberattacks?
Because five minutes into such a scare, the employees stop listening, and the only takeaway they hold onto is that whatever they do will go wrong and end with their being fired or going to jail. The danger from creating such a defeatist mindset is that it can result in employees giving up from the outset and thinking there is no point in being careful, as they will mess up anyway. Therefore, it is better to communicate positively and to point out common threats and show how to avoid them — not only at work but also at home. We all have people who are dear to us, and when we can show employees how to protect not only their employers’ interests, but also those of their parents, spouse, or children in certain ways, it may spark their interest.
You often send quizzes to your colleagues. Is gamification a good way to explain all this to employees?
If used wisely, then sure. If you decide to try phishing simulation in a company, for example, you have to think about it a bit. The goal is not to catch as many people as possible, but to give them a chance to recognize phishing, and to “win” by defeating the attacker. When people know they have taken the right step and have been able to report an attack, it strengthens them.
Another nice example of gamification in cybersecurity training would be an interactive comic story with videos in which the main character goes on different missions and earns some points as he achieves the goals — successful players would get a small reward in the end.
Is this how a cyber-aware culture is created?
We have talked about all the little steps and things that help build it. Everyone across the company should know about key safety issues — from employees to C-level management. The goal is to be able to support security and, thus, the company itself. And when everyone understands that and notices what is happening around them, they will support the resilience of the whole company.