- Last year, businesses and government agencies experienced a spike in cyberattacks.
- Security technology has advanced, but cybercriminals still exploit a big weakness: people.
- Two experts tell Insider how organizations can educate the workforce and protect against attacks.
- The conversation was part of Insider's virtual event "Cybersecurity Trends: Prepare For A More Secure Future," presented by Cisco, which took place on Thursday, May 12, 2022.
2021 was a good year for cybercriminals.
A record 66% of organizations were hit by ransomware in 2021, up from 37% in 2020 (a 78% increase), according to a report by tech security firm Sophos. Ransomware attacks, in which criminals hold computer systems hostage until a payment is made, can lead to data loss and reputational harm.
Despite innovations in security, this paints a grim picture for private companies and government organizations.
Unknowing employees remain the weakest link and easiest target for cybercriminals, according to Steven Hernandez, chief information security officer at the US Department of Education, who spoke at the cybersecurity panel on Thursday called "Cybersecurity Trends: Prepare For A More Secure Future," presented by Cisco. The solution isn't simply to add more training to help skill up employees on security practices, but to build a culture of awareness rooted in creativity, sensitivity, and engagement, he said.
"Frankly, the human has become the softest, easiest target in the equation for our attacker to go after," Hernandez said.
Creating a culture of awareness means having more honest and open conversations with staff that keep them on alert. Prevention starts with employee education and the best person to spearhead that effort is someone who's excited about the cause, Jon Brickey, senior VP at Mastercard, said at the panel.
"You really need to identify somebody who's creative and engaging and likes to do this kind of thing," Brickey said. "You have to make it engaging."
This can take many different forms, like leading efforts to create speaker series on cybersecurity and presenting on types of threats, according to Brickey. At Mastercard, the security department created online escape rooms and modules presented in virtual reality to encourage robust year-round engagement.
When deciding how to keep employees engaged, the cybersecurity department can get inspiration from reality. The Department of Education recycles and repackages actual attacks in hopes of educating staff on what cybercriminal attempts look like, Hernandez said.
But employee engagement has its limits. Impersonating cybercriminals and recreating their attempts to deceive employees into giving up personal information can go too far: recreating some of the schemes that play on employees' emotions, like pretending to be a family member, can cause employees to disengage altogether. That could set back a cybersecurity program by weeks or months, Hernandez said.
Cybersecurity leadership should also be respectful around the timing of the trainings and evaluations to be sure it doesn't coincide with performance reviews or annual bonuses, according to Brickey.
"We don't want to create friction where it's not needed," Brickey said.
Communicating with leadership across the organization can help gauge how employees will respond to the tests, according to Hernandez. And employees should have the capability to test out certain modules to build goodwill and confidence among the workforce, he said.
Removing barriers to cyber secure behavior is also important for the security department to prioritize, Hernandez said. For example, the Department of Education built a tool into its email server that allows staff to submit a suspicious email directly to the security team to remove any obstacles to reporting.
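Hernandez's point is that reporting has to be a single click for the employee, but the back end of such a button also has to preserve what the security team needs. The following is an added example written for this article, not the Department of Education's tool or any vendor's add-in. It shows the two things a report handler should get right using only Python's standard library: forward the reported message to the security mailbox as a message/rfc822 attachment, so its original Received, Return-Path and Authentication-Results headers survive (an inline forward rewrites them), and pull out the first indicators an analyst triages, such as an address-shaped display name, a Reply-To that differs from the sender, and the URLs in the body. The security mailbox address and the sample lure are constructed for the example.

```python
"""Back end for a 'report suspicious email' button (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SECURITY_MAILBOX = "report-phish@corp.example"  # assumed address, not a real one

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample lure: the display name is an address at the victim's
# domain, the real sender and Reply-To are on a lookalike domain, the
# bounce address is on a third domain, and DMARC failed at the gateway.
SAMPLE_RAW = b"""Return-Path: <bounce@notify-relay.test>
Received: from mail.corp-example.test (192.0.2.7) by mx.corp.example
Authentication-Results: mx.corp.example; spf=pass; dkim=none; dmarc=fail
From: "helpdesk@corp.example" <alerts@corp-example.test>
Reply-To: helpdesk-reset@corp-example.test
To: staff@corp.example
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Reset it now:
https://corp-example.test/sso/reset?u=staff
"""


def parse_reported(raw: bytes) -> EmailMessage:
    """Parse the raw message exactly as the mail client handed it over."""
    return email.message_from_bytes(raw, policy=policy.default)


def extract_indicators(msg: EmailMessage) -> dict:
    """Pull out what an analyst looks at first; flags are cheap heuristics."""
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = str(msg.get("Authentication-Results", "")).strip()

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()

    return {
        "from": from_addr,
        "display_name": display,
        "reply_to": reply_to,
        "return_path": return_path,
        "auth_results": auth,
        "urls": sorted(set(URL_RE.findall(text))),
        "flags": {
            # Mail clients show the display name, not the addr-spec, so an
            # address-shaped display name is the classic sender spoof.
            "display_name_contains_address": "@" in display,
            "reply_to_differs": bool(reply_to) and reply_to.lower() != from_addr.lower(),
            "return_path_domain_differs": bool(return_path) and rp_domain != from_domain,
            "dmarc_fail": "dmarc=fail" in auth.lower(),
        },
    }


def wrap_for_security_team(reported: EmailMessage, reporter: str) -> EmailMessage:
    """Attach the original as message/rfc822 so its headers are not rewritten."""
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = SECURITY_MAILBOX
    report["Subject"] = f"[PHISH REPORT] {reported.get('Subject', '(no subject)')}"
    report.set_content(f"Reported by {reporter}. Original message attached unmodified.")
    report.add_attachment(reported)  # content type message/rfc822 is set automatically
    return report


def reported_message_from_report(report_bytes: bytes) -> EmailMessage:
    """What the security team's tooling does: unwrap the attached original."""
    report = email.message_from_bytes(report_bytes, policy=policy.default)
    attachment = next(report.iter_attachments())
    return attachment.get_payload(0)


if __name__ == "__main__":
    msg = parse_reported(SAMPLE_RAW)
    for key, value in extract_indicators(msg).items():
        print(f"{key}: {value}")
    report = wrap_for_security_team(msg, "staff@corp.example")
    original = reported_message_from_report(report.as_bytes())
    print("Received header survived:", original["Received"] is not None)
```

In a real deployment the raw bytes come from the mail client's add-in or from a journaling rule, and the report goes out through the organization's own mail server; those parts are environment-specific and left out here. The same parser can be pointed at the messages the security team sends in its own simulations, which makes it easy to measure how quickly staff report a campaign rather than only how many click.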
Hernandez also urges building positive relationships between security departments and employees by calling employees and recognizing them when they've done well in training.
But critically, companies need to realize that there isn't a one-size-fits-all approach to working with employees to better educate them. Threat actors vary depending on the business and industry, according to Hernandez.
"There will always be a human element to this," Hernandez said. "As long as there's a human in the mix, they can always be targeted."