Technology and Psychology – The Cybercriminal’s Toolkit
In our Security Awareness for… series, we’ve already looked at what Chief Executives want from Security Awareness Training, so now we turn to consider what the Head of Information Security seeks.
If you’d asked anyone about Cybersecurity problems ten years ago you’d likely get a shrug of the shoulders and a nonchalant look. Today, you would have to have been asleep for several years not to have noticed that cybercrime has hit the roof and security incidents have impacted the minds, and pockets, of us all.
One of the innovations that has given cybercriminals the upper hand has been the use of not only technology but human psychology to enact their criminal activities. Many modern cyber threats use our own behaviour as part of an often multi-pronged attack. The jigsaw puzzle needed to fix cybercrimes is complicated. The result of cybercriminal activity can be seen in the statistics collated by industry analysts and firms fighting on our side.
- Number of breaches. In 2017, we saw a doubling of cyber attacks. Companies of all sizes and types were under siege. Statistics from the UK government have found that over 40% of businesses experienced a cyber attack in 2017, with that number rising to over 70% for larger firms. We witnessed major breaches like the Uber and Equifax data leaks, in which hundreds of millions of personal data records were exposed. In 2016, there was a reported ransomware attack every 40 seconds. As we move into 2018/2019 the attacks are morphing into new methods such as cryptojacking, which saw an increase of 8500% in 2017.
- Cost of breaches. The Ponemon Institute provides an annual insight into the costs of cybercrime across all types of organisations. In their 2017 report, they found that in the UK, for example, the average cost of a data breach was £2.48 million.
- Type of breaches. The one thing you can predict about cybercrime is that it is ever-changing. Breaches, however, focus on certain core outcomes which include: the theft of data; denial of service (e.g. to shut a website down); sabotage; and, financial theft, including ransomware. Cybercriminals use a variety of techniques to achieve their end goal. This includes: web attacks such as SQL injection and XSS; phishing to steal login credentials or install malware; Distributed Denial of Service (DDoS); Business Email Compromise (BEC). One thing you can be sure of is that cybercriminals innovate.
All in all, the landscape of cybercrime is convoluted, complex, and changing. It takes an intelligent and proactive approach to deal with this and make headway.
In this short series of articles, we will take a look at how having an awareness of cybersecurity threats and building a culture where security becomes second nature affect different organisational roles. And how applying security awareness campaigns to combat cybercrime places the ball in your organisation's court, rather than in the cybercriminal's hands.
Head of Information Security On Security
The job of the Head of Infosecurity or the chief information security officer (CISO) in an organisation has changed dramatically in the last few years. Once upon a time, that role would have been seen as almost a sideshow. Now, with an onslaught of cyber-attacks the norm, not the exception, the Head of Infosecurity is a vital part of keeping the business engine lubricated. No longer is the Head of Information Security relegated to the back room; now this role dovetails directly with the organisation's strategy.
This, of course, means that the role requires multiple talents to perform it well. The keeper of our business information security has to be both business savvy and technically capable. The role places its owner at the frontline of the cybersecurity attack surface and allows them to act as the company guardian in all things incident prevention.
In this role, cybersecurity incidents hit deeply, almost personally – here are some ways that the cybercriminals play with the ‘head’ of the Head of Infosecurity:
- Keeping up with the Joneses. Cybersecurity threats are nothing if not innovative and ever-changing. The job of Head of Information Security means always being ahead of the game of cybercrime – trying to second-guess those elements that are almost impossible to second-guess. Cyber-preparedness is now a full-time occupation.
- Heads roll when a data breach happens. Along with other C-Level team members, Heads of Infosecurity are in the way of the axe when it falls after a data breach. An analysis by Osterman Research found that the top three types of offences that can result in an employee being fired include data breaches and non-compliance with regulations.
- Being the bigger person. As Head of Infosecurity you are where the buck stops when a cyber event happens. You are seen by the business as being at the coal face of cybercrime and you are the ‘go to’ person when anything happens. Sacking possibilities aside, it is a matter of pride for many to maintain a secure and safe environment for their business and employees. This puts a lot of strain on your shoulders. Being the bigger person means taking on a lot of responsibility and bearing down on the misdemeanours of other employees.
As a security professional, you have built your career around protecting a business against the harms of cybercriminals. But being in this front-line position also makes you a scapegoat; you need to protect yourself along with the organisation.
What security awareness can offer the Head of Infosecurity/CISO
As a security professional at the head of an IT security team, you will already have vast experience of the space. You will also know that this space is fluid. Keeping up with these changes and ensuring that the entire business is in line requires a team effort. Having a company-wide and prescient strategy to tackle cybersecurity threats is part of your evolving role.
Security awareness training helps to create this environment of knowledge about what cybersecurity is all about. As Head of Information Security for your company, you can set the wheels in motion to create a security awareness training program. In this facilitation role, you will need to communicate to your C-Level and board the benefits of having such a program in place – benefits such as:
- Security awareness for all: The entire company can act as your soldiers, guarding against attacks. But they need to be trained on what those attacks look like. Security awareness training allows you to align staff behaviour with the security strategy that you and your team have devised. In fact, it can be seen as a vital extension of your security policies.
- Cutting through the noise: Employees have a lot of incoming messages, calls, emails, documents to read and work to do. The modern workplace is a noisy place to be in. Focused security awareness training that builds in gamification helps encourage positive learning outcomes. This can cut the noise to allow users to see a cyber threat more clearly. A successful security awareness training program will also be highly tailorable to individuals and workgroups, making it more effective.
- Measures of success: One of the hardest jobs you will have is to convince your C-Level team and board that implementing security awareness training is worth it. Security awareness training programs should always have ways to measure the success of the training. The programs do not set out to create security experts but instead change behaviour. Programs should give you metrics to demonstrate that your staff behaviour is changing in a positive way and that they are continuing to retain that behaviour over time. For example, you should be able to check on employees who spot phishing emails or who have good computer hygiene habits.
- Accountability and beyond: The Head of Information Security sits in a pivotal position in terms of securing an organisation. This pivot has a dual purpose – on the one hand, you need to address the technical aspects of cyber threats with the tools of the trade. On the other, you have to tackle the human factors that cybercriminals use so well, e.g. phishing and surveillance methods. You have to convince the board that your department needs budget, while you have to convince employees that they are part of a wider problem and need to be trained. Adding a layer of accountability with measurable outcomes will help to establish your need and give you a backdrop for when a security incident does occur.
The godfather of cybersecurity, Bruce Schneier, in his treatise on "The Security Mindset", says that understanding cybersecurity is about teaching a mindset until it becomes second nature. As a security professional you will have the security mindset Schneier was talking about. But to tackle such a massive problem as the modern cybersecurity threat landscape, you need to instil some of that nature into your wider employee base. Security awareness training allows you to use a formalised training program to do just that. You can then sleep at night, knowing you are doing your utmost to ensure a safe organisation.