Cultivating a Culture of Cybersecurity Awareness

Cybersecurity Awareness – The Human Factor

Today, we’re joined by cybersecurity experts Scott Dawson, President of Core Business Solutions, Rick Krick, Director of Security Solutions, and Reagan Jorgensen, Security Solutions Technician.

This article and webinar delve into the critical role of the human factor in cybersecurity, exploring how human errors or behaviors can put your systems and data at risk.

Bad Guys, Who Are They?

People are targets for cybercriminals to penetrate a network or steal information. Behind these attacks are people who often seek to disrupt an organization or profit monetarily.

What are some Profiles of Cyber Criminals?

Real Individuals with Varied Roles:

Cybercriminals can range from highly skilled programmers to untrained individuals who purchase hacking tools. They are often part of organized crime groups, which operate like businesses with defined roles such as developers, strategists, and attackers. Alternatively, they can be lone wolves motivated by personal goals or ideologies.

Global Operators:

Many cybercriminals operate from overseas, taking advantage of legal loopholes, jurisdictional challenges, and limited international collaboration to avoid detection and prosecution. In some cases, these individuals find safe havens in countries with weak legal frameworks or even benefit from state-sponsored programs that shield their activities.

Adaptive and Evolving:

Cybercriminals continuously adapt to emerging technologies and trends, learning from past failures and improving their methods to exploit new vulnerabilities.

What Defines the Cybercriminal Industry?

Dark Web Ecosystem:

This industry thrives on the dark web, where hacking tools, malware, and sensitive data are traded. Platforms such as Reddit, Discord, and Telegram provide forums for sharing knowledge, forming partnerships, and planning attacks.

Hacking as a Service (HaaS):

Many groups offer hacking services for hire, catering to clients who lack technical expertise. These include ransomware campaigns, denial-of-service attacks, and phishing schemes.

Professionalization of Cybercrime:

Organized groups operate with a business mindset, including customer support for malware buyers, affiliate programs for ransomware distribution, and detailed analytics to measure the success of attacks.

What are Some Common Tactics Cybercriminals use?

Insider Exploitation:

Cybercriminals target users with authorized network access, such as employees or contractors, who might unintentionally or maliciously provide access to sensitive systems.

Sophisticated Social Engineering:

They manipulate individuals through phishing emails, fake websites, and impersonation to gain trust and trick them into revealing credentials or installing malicious software.

Advanced Exploit Techniques:

Utilizing zero-day vulnerabilities, malware, and trojans to penetrate systems that lack up-to-date patches and security protocols.

Leveraging Open-Source Intelligence (OSINT):

Cybercriminals often gather publicly available data from social media and online databases to craft highly targeted attacks.

What are the Most Common Motivations Behind Cyber Attacks?

Financial Gain:

The most common motive, involves direct theft of funds, ransom payments from encryption-based attacks, or selling stolen data on the black market.

Revenge and Personal Grievances:

Targeting specific organizations or individuals to settle perceived wrongs or humiliation, such as disgruntled employees hacking their former employers.

Political and Ideological Goals:

State-sponsored or hacktivist attacks aimed at disrupting elections, undermining governments, or spreading propaganda for ideological purposes.

Corporate Espionage:

Gaining access to proprietary data or trade secrets to undermine competitors or assist rival entities.

Why is It Important to Understand Cybercriminals?

Targeted Defense Strategies:

Improved Incident Response:

Knowledge of how cybercriminals operate aids in developing robust response plans, ensuring quick containment and recovery when an attack occurs.

Global Collaboration:

Gaining insights into the international nature of cybercrime encourages cross-border partnerships and the sharing of intelligence to tackle crimes that transcend jurisdictions.

How do Cybercriminals Approach an Attack Against Users?

• • Cybercriminals often disguise themselves as someone you trust, such as a colleague or a boss, to manipulate you into giving them sensitive information or money.
  • In many cyber thefts, the attacker pretends to be an internal company member, using an email address that looks legitimate to trick you.
  • They create a sense of urgency, such as insisting on an immediate money transfer to address a fake crisis, often pretending the request comes from top executives to prompt a quick reaction without much thought.
  • Cybercriminals use details specific to their job or personal life, making their requests seem valid. This could involve information about a current project you are working on or recent office events.
  • Attackers are increasingly skilled at crafting messages that seem genuine by using information that only insiders would know.
  • They observe and copy how employees communicate within a company, such as using emails for requests, which helps them blend in and makes their deceptive messages hard to distinguish from real ones.
  • What we need to recognize is that attackers are motivated and cunning, and they see you as the easiest way into your company’s network.

What Does the Term “Human Firewall” Mean?

• • Employees are the first line of defense against cyber threats.
  • Training and awareness help them to recognize and respond to risks, improving overall security.
  • It’s a shared responsibility of every user of a company’s systems.
  • Despite technological advancements, people are unpredictable and can be manipulated by cybercriminals. For example, employees may inadvertently click on malicious links, share sensitive information, or fall victim to social engineering tactics.
  • Lack of awareness about cybersecurity and the consequences of risky behavior makes this even worse.
  • People are the weakest link and attackers know this. Attackers are drawn to the path of least resistance. Technology-based defenses can be difficult to penetrate using technology-based methods, cybercriminals have increasingly targeted employees as the easiest way to attack successfully.

Combating Cybercriminal Insider Tactics

• • We mustn’t have the attitude that “it can’t happen here.”
  • Be aware of early warning signs such as people accessing systems at unusual times or in ways that don’t fit their job responsibilities.
  • Every company should set up a way for employees to raise an issue confidentially and without recrimination. Maybe as simple as designating someone for them to contact.
  • It is also vital that your company adopt a culture of security that makes it everyone’s responsibility to help keep the company safe. 

What are some Topics that Should be Addressed in a Cybersecurity Training Program?

Password Hygiene:

Phishing Awareness:

• • Conduct regular training sessions to help employees recognize common phishing tactics, such as suspicious email addresses, urgent requests, or unfamiliar links.
  • Incorporate simulated phishing exercises to test awareness and reinforce safe email practices in a real-world context.

Data Handling Protocols:

• • Establish clear guidelines for handling sensitive information, including when and how to use encryption for protection.
  • Promote secure storage and sharing practices, ensuring data is only accessed by authorized individuals through approved channels.

Device Security:

• • Implement measures to secure all devices, including laptops, smartphones, tablets, and Internet of Things (IoT) devices, from unauthorized access or data breaches.
  • Encourage employees to regularly update software, use strong passwords, and avoid connecting to unsecured public Wi-Fi networks.

Incident Response:

• • Train employees on how to promptly identify and report potential security incidents, ensuring they understand that quick action is critical.
  • Provide clear steps for handling breaches or cyberattacks, emphasizing that “not knowing what to do” should immediately trigger seeking guidance or reporting the issue.

How to Build a Culture of Security Awareness

What is a Security Culture?

More Than Just Awareness:

Security culture goes beyond simply knowing about risks or threats. It’s about embedding security-conscious thinking into everyday actions and decisions, ensuring that protecting sensitive data and systems becomes second nature to everyone in the organization.

Collective Behavior and Norms:

It encompasses the shared behaviors, attitudes, and practices that define how security is perceived, prioritized, and handled within the organization. A strong security culture means employees instinctively align their actions with the organization’s security objectives.

Defined Expectations and Responsibilities:

Building a security culture involves setting clear expectations about cybersecurity responsibilities for every individual, from top leadership to entry-level staff. These include personal accountability for secure behaviors, such as using strong passwords, being vigilant against phishing, and adhering to data protection protocols.

Behavioral Standards and Integration:

Ongoing Reminders and Reinforcement:

A good security culture provides consistent reinforcement of cybersecurity’s importance. Through training, regular updates, and leadership modeling, employees are reminded that security is a shared responsibility critical to the company’s success and safety.

Employee Empowerment and Engagement:

A strong security culture empowers employees to speak up and take action if they notice suspicious behavior or potential vulnerabilities. It encourages a proactive mindset, where everyone feels responsible for identifying and addressing risks.

Leadership as Role Models:

Leaders play a crucial role by modeling secure behaviors and openly supporting cybersecurity initiatives. Their engagement sets the tone for the organization and underscores the importance of adhering to security protocols.

Foundation for Resilience:

A robust security culture creates an environment of trust and vigilance, reducing the risk of human error and ensuring the organization can respond effectively to evolving threats.

How Can a Company Develop a Good Security Culture?

Leadership buy-in:

Engaging executive leadership to support cybersecurity initiatives and allocate resources for training and awareness programs.

Employee engagement:

Involving employees in developing and implementing security policies, and encouraging ownership of cybersecurity responsibilities.

Regular communication:

Using various channels to reinforce security awareness messages and provide updates on emerging threats.

Recognition and rewards:

Acknowledging employees who demonstrate exemplary cybersecurity practices and incentivizing participation in training programs.

Continuous improvement:

Soliciting feedback from employees to identify areas for improvement and adapt security awareness strategies accordingly.

Cybersecurity Questions to Consider:

• • Does your company have a strong security culture?
  • How seriously does my company take security?
  • How often is it discussed?
  • Do we put our money where our mouth is?
  • Do we practice what we preach?

What Security Tools or Techniques Can Be Used to Reduce the Chances of Human Error?

Organizations need to maintain cybersecurity awareness, but the better solution has always been to limit users’ ability to cause damage.

How can Technology help Prevent user Error and Malicious Actions?

Building a Resilient Security Culture

Building a Human Firewall:

To mitigate the risks posed by human factors, organizations must foster a shared culture of cybersecurity built on consistent habits, behaviors, and shared understanding among all employees. This “human firewall” is a critical line of defense against cyber threats.

Organizational Commitment:

Establishing a robust security culture requires genuine commitment from leadership and across all levels of the organization. Recognizing that even one lapse in security can result in significant breaches is key to maintaining vigilance and accountability.

Role of Employees:

Employees are the first and most critical line of defense. Without adequate training and a strong security mindset, they can become liabilities; however, with proper guidance, they can transform into a powerful barrier against cyberattacks, proactively protecting the organization.

Investment in Security Culture:

Safeguarding sensitive data, protecting stakeholders, and maintaining proprietary information demands consistent investment in developing and sustaining a resilient security culture. This includes funding for training, tools, and initiatives that embed security into the fabric of the organization.

If you are interested in some practical resources for improving your company’s cyber security and strengthening your human firewall, I’d suggest you check out the free cybersecurity resources from KnowBe4. I mentioned we use their training. We also use their phishing testing that helps to reinforce the training. Here is the web page for KnowBe4’s free resources