Organizations globally are spending billions on cybersecurity to prevent hackers from getting access to critical data, be it by investing in scaling security teams, buying the right tools and platforms, or ensuring the right policies are in place. But the most crucial link is still not treated with utmost priority -- people.
According to the 2019 Verizon Data Breach Investigations Report, 34% of data breaches in 2018 involved internal actors.
Take the example of Snapchat, which fell prey to an insider attack in late February 2016. According to the Washington Post, a social engineer with criminal intent posed as CEO Evan Spiegel and sent an email to someone in the social network's payroll department. As a result, the personal protected info (PPI) of some 700 employees was released. Later, Snapchat published a company blog post apologizing for the breach and taking appropriate action with the FBI and other investigative bodies.
One would have thought that the industry would have moved forward four years down the line, but that is far from true.
The pandemic has pushed businesses into a corner, grappling with business losses. Another major concern has been the significant rise in cyberattacks as employees work from home during the lockdown. From phishing attempts to social engineering to attacks on home networks, hackers are leaving no stone unturned. And, as businesses are forced to let employees work from home, the real test of cybersecurity knowledge has just begun.
The game changer
As employees adapt to the new normal of working from home, there has been a slew of attacks aimed at exploiting their lack of knowledge. According to data from Barracuda Networks, phishing attempts have increased 600% since February. Organizations globally are conducting regular cybersecurity training with their employees, educating them about the ongoing cyberattacks and sharing best practices to be secure.
I have taken dozens of cybersecurity webinars during the lockdown period, but the real question is -- is it enough?
Long gone are the days when knowing about password management was enough to stay secure.
In the era of videoconferencing, third-party email applications and VPN access to information, cybersecurity training needs to be much more holistic, objective, real-time and quantifiable.
We have seen increased interest from businesses post-lockdown in making cybersecurity training a regular part of an employee’s job rather than a one-time audit. Businesses are adopting cybersecurity platforms that are mobile, gamified, always available and provide a distinctive and objective measure of the employee’s cybersecurity awareness.
A CISO of a leading bank once told me -- if there is a way to measure people's awareness of cybersecurity, it will change the way businesses invest in and manage cybersecurity, which will be far more effective.
Gamification will become the new norm
How many times have you sat attentively through a training session delivered as a PowerPoint presentation, or clicked through a tired e-learning course, only to realize that, despite hours of ‘teaching,’ you remember nothing? Gamification is not just about games; it is a mechanism to increase engagement using gaming techniques and mechanics, such as a reward or competition. A study by McAfee found 96% of organizations that hold such events report tangible benefits.
Not only does gamifying increase interaction, it also makes the content easier to digest. After all, cybersecurity is not an easily understood topic, and gamification makes it simple and intuitive and provides a quantifiable result that decision makers can use to make informed business decisions.
Gamification in cybersecurity will also bring about a big change -- auditing behaviour rather than knowledge. Having knowledge about cybersecurity does not necessarily mean that you are secure, and gamification will lead to analysis of users and their reactions rather than of knowledge alone.
While coronavirus has taken the globe by storm, there has definitely been a much-needed shift in organizations’ approach to cybersecurity, and this will change not only the way cybersecurity training is conducted in the future but also the entire cyber industry.
“The Chinese use two brush strokes to write the word 'crisis.' One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger -- but recognize the opportunity.” -- John F Kennedy.
Rahul Tyagi is co-founder and vice president of Lucideus. The views in this article are his own.