Ransomware is a type of malicious code used, essentially, to hold data for ransom. The cybercriminal typically contacts the victim to let them know about the attack and demands payment in return for the data. It’s spread through email attachments, infected apps or devices, or compromised websites. In this case, it was spread through corporate networks using Microsoft Windows, but the cybercriminals have not yet contacted the victims, leading some experts to speculate that it’s not ransomware but cyber-espionage.
Regardless of the intent, this cyberattack highlights the need for cybersecurity awareness training at all levels of an organization. Dave Buster, global senior product director for cybersecurity at Global Knowledge, says that the attack used vulnerabilities that came from stolen NSA materials. However, the NSA notified Microsoft of the breach, and Microsoft released patches for users in March. The attack reinforces the need to make sure employees are aware of the problems, keep their computers up to date with security patches, and don’t click on “unexpected attachments to emails … unusual links” or other suspicious content.
Over the last few years, Buster says, cybercriminals “have figured out that the humans are the weakest part of the system” and moved from electronic hacks to social engineering, in which they contact people and convince them to hand over secure information. The best way to prevent social engineering attacks? Training.
Who Needs Cybersecurity Training?
Everyone, says Carol Leaman, CEO of Axonify, which partners with eSentire to deliver cybersecurity content on its employee knowledge platform. Cybercriminals “look for vulnerabilities, but they can be anywhere in the organization.” That said, the finance department should be well trained to identify phishing emails, which often pretend to be the CEO asking for a money transfer.
Buster agrees, saying finance professionals are the first group to train, followed by the legal department and “anyone who deals with the general public.” When most of us think of phishing emails, he says, we think of more obvious emails from foreign princes asking for our bank account information so they can give us $2 million. What’s more likely, though, is a much more believable email thanking us for shopping at a grocery store and offering a $25 gift card to Starbucks. “Most people would click on that.”
In the IT department, Buster says that “it’s no longer sufficient to have one or two people” who are trained in cybersecurity. Everyone needs an introduction to the topic. The cybersecurity experts need ongoing training, since “the half-life of what they learned could only be 12 or 18 months.” The model he recommends is awareness training for all employees, reinforced on a regular basis; introductory training for all IT staff; and continuous training for cybersecurity professionals.
Using Technology to Deliver Targeted Training Quickly
Because cybersecurity does change so quickly, and because of the varying levels of awareness in an organization, Leaman says it’s important to have a platform “that gets information in front of employees every single day and … is agile enough to change as the landscape of cybersecurity changes.” Adaptive learning can ensure employees get the information they need, based on what they already know, and many platforms can also use assessments to make sure they’re retaining the information. Both Leaman and Buster recommend self-paced microlearning on the job to deliver short bursts of content online.
That self-paced, digital format is especially critical for cybersecurity professionals, Buster says, who often prefer to stay at their organizations rather than leaving them “exposed for a week while they … do training someplace else.” And using online modules means that as content changes, it’s easier for training managers to update it.
Using technology and “delivering small chunks of training several times per week, querying employees on their knowledge repeatedly over time, and allowing them to play games while they learn,” according to Sprickerhoff, founder and chief security strategist of eSentire, can also boost engagement and retention.
Cybersecurity, Leaman says, is “one of those areas of knowledge that requires constant vigilance and constant communication.” One-and-done emails, which are often organizations’ only recourse, are no longer sufficient. Whether companies are sourcing content from external providers or developing it internally using their own subject matter experts, delivering it quickly and efficiently is critical. Fortunately, with the increasing popularity of online adaptive learning platforms, it’s becoming easier to do so.