Technology and Psychology – The Cybercriminal’s Toolkit
If you’d asked anyone about cybersecurity problems ten years ago, you’d likely have got a shrug of the shoulders and a nonchalant look. Today, you would have to have been asleep for several years not to have noticed that cybercrime has hit the roof and security incidents have impacted the minds, and pockets, of us all.
One of the innovations that has given cybercriminals the upper hand has been the use of not only technology but also human psychology to enact their criminal activities. Many modern cyber threats use our own behaviour as part of an often multi-pronged attack. The jigsaw puzzle needed to fix cybercrimes is complicated. The result of cybercriminal activity can be seen in the statistics collated by industry analysts and firms fighting on our side.
- Number of breaches. In 2017, we saw a doubling of cyber attacks. (1) Companies of all sizes and types were under siege. We witnessed major breaches like the Uber and Equifax data leaks in which hundreds of millions of personal data records were exposed. In 2016, there was a reported ransomware attack every 40 seconds. (2) As we move into 2018/2019, the attacks are morphing into new methods such as cryptojacking, which saw an increase of 8500% in 2017. (3)
- Cost of breaches. The Ponemon Institute provides an annual insight into the costs of cybercrime across all types of organisations. In their 2017 report, they found that in the UK, for example, the average cost of a data breach was £2.48 million. (4)
- Type of breaches. The one thing you can predict about cybercrime is that it is ever changing. Breaches, however, focus on certain core outcomes, which include: the theft of data; denial of service (e.g. to shut a website down); sabotage; and financial theft, including ransomware. Cybercriminals use a variety of techniques to achieve their end goal. These include: web attacks such as SQL injection and XSS; phishing to steal login credentials or install malware; Distributed Denial of Service (DDoS); and Business Email Compromise (BEC). One thing you can be sure of is that cybercriminals innovate.
All in all, the landscape of cybercrime is convoluted, complex, and changing. It takes an intelligent and proactive approach to deal with this and make headway.
In this short series of articles, we will take a look at how having an awareness of cybersecurity threats, and building a culture where security becomes second nature, affects different organisational roles. We will also look at how applying security awareness campaigns to combat cybercrime places the ball in the court of your organisation, rather than in the cybercriminal’s hands.
Chief Executives On Security
Heading up a company is an amazing opportunity in life. You get to steer your ship and hopefully keep it on course and heading towards sunshine bays. But, of course, it is also one of the hardest jobs on the planet. You often have to wear multiple hats and manage staff and operations across the business. Keeping the ship from hitting rocks is hard enough at the best of times but when adverse forces try to steer you off course, it just makes the job even harder.
When a cyber incident happens, the Chief Executive is hit hard.
Here are a few examples of how cybersecurity incidents have touched the work and lives of those at the C-level.
- Business Email Compromise (BEC) is doing a roaring trade. Around $5.3 million USD was lost worldwide between 2013 and 2016, according to the FBI. (5) In a BEC attack, cybercriminals often pose as a C-level person, using various methods to scam the company out of money. One victim of a BEC scam was Walter Stephan. Mr. Stephan was the CEO of Austrian company FACC Operations GmbH. He was sacked after the organisation lost $47 million due to a BEC scam.
- Heads roll when a data breach happens. In the massive Equifax breach of 2017, where around 143 million customer records were exposed, a number of C-level persons either “stepped down” or were dismissed. This is not an uncommon outcome. Other data breaches, such as the 2013 Target Corp. security incident, resulted in class actions and the sacking of their CEO.
- Plunging shares are also commonly seen after a cyber-attack. The latest mega breach to hit our screens was the British Airways incident, which resulted in the personal and financial details of 380,000 customers being exposed. This incident resulted in a share price drop. This reaction by the markets is common. Equifax experienced a 33% drop in price after their 2017 data breach. C-level staff are often also shareholders, so a breach can be a double whammy for the chief execs.
- And then there is that old nugget, reputation. Brand loyalty is impacted when data losses like the British Airways breach touch the lives of your customers. A Chief Executive is reflected by their customers’ respect, so brand damage can be very personal for the Chief Executive.
All in all, the effect of a cybersecurity breach on the Chief Executive and their C-level team is professional, commercial, and personal.
What security awareness can offer the Chief Executive
Fighting fire with fire in the world of modern cybersecurity threats has two aspects: the tools of the trade and the knowledge of the way it all works.
Security awareness training helps to build the latter. But the tone starts at the top. Ultimately, the Chief Executive and their team are the pivot upon which a culture of security turns. Having a smart, companywide security awareness training program in place will reap many benefits, including:
- Build companywide awareness: Having your company fully up to speed on how cybersecurity ticks is no longer a nice-to-have; it is a must-have. Creating a company that has an intrinsic culture based on safety and security will benefit not just your C-level team but your entire organisation.
- Cost benefits: Security awareness training is a cost-effective way to deal with a complicated situation. The ROI of security awareness is demonstrated by preventing attacks. Seeing your employees learn how to spot a phishing email, however, is only part of how a holistic security awareness training program can be used to manage cyber threats across your entire organisation.
- Gamification of cybersecurity: Chief executives become part of the push to a secure organisation using a method that can actually be fun. Security awareness training that integrates gamification techniques shows greater uptake and improved awareness by employees.
- Safer environment: The ultimate outcome is to create a safer environment for your staff and your customers.
- Safer brand: And, with a safer environment you build a reputation for being one of the good guys or gals.
As Chief Executive of an organisation, you are in a unique position to encourage the creation of a security culture in your company. Leading by example will instil an attitude in the troops that will pervade their daily work. Being secure by using security awareness training will become second nature and will benefit everyone. As Chief Executive, you play a central role in encouraging and building a security-aware organisation. Where there is a will, there’s a way. You have the drive to make your business a success. This same mental attitude will allow you to take on the complex landscape of the cybercriminal and win.
- (1) Online Trust Alliance: https://otalliance.org/news-events/press-releases/online-trust-alliance-reports-doubling-cyber-incidents-2017-0
- (2) Barkly Blog: https://blog.barkly.com/ransomware-statistics-2017
- (3) Symantec, 2018 Internet Security Threat Report: https://www.symantec.com/security-center/threat-report
- (4) Ponemon Institute, 2017 Cost of Data Breach Study: United Kingdom: https://www.ibm.com/security/data-breach
- (5) FBI: https://www.ic3.gov/media/2017/170504.aspx