Most companies have implemented some level of Cybersecurity, which in many cases focuses mainly on technology and restrictions. Educating users and even customers on Cybersecurity and related risks remains undervalued when it comes to creating and implementing a Cybersecurity policy. Education in the field of Cybersecurity is not so much about the technical ins-and-outs of technology. Education in Cybersecurity should mainly focus on explaining WHY Cybersecurity is so important and WHY each and every user can make a significant difference, good or bad!
Ask security professionals about the effectiveness of security awareness training, and you’re bound to get a wide range of answers. But regardless of the state of your company’s training program, keeping your employees educated about cybersecurity is an absolute must given the volatility and sophistication of today’s threat landscape. – Mark Stone in How Effective Is Security Awareness Training for Threat Prevention?
The consequences of not educating users and customers are not only seen in news about yet another Cyber Attack on a company or organization; I also experience this during the workshops Cybersecurity for Road Warriors and Couch Potatoes, in which I focus on generating awareness of Cybersecurity and Risks. Without exception, at least one person in the audience will say “I thought our IT Department had to take care of that”, and when I raise the question “Who agrees with that?” the average agreement is well over 50% of the participants. Of course IT Departments are responsible for implementing technical means to protect the organization, but Cybersecurity goes way beyond having a proper virus scanner and secured connections.
Cybersecurity is not just an IT task
To make my point, I always refer to car manufacturers. Modern cars are filled with technology to make our driving experience as safe as possible. Even in case things go really wrong, airbags and safety belts will protect us as much as possible. Nevertheless, the driver of each and every car is responsible for driving safely and not putting other people at risk. When we do 70 in a 30 zone and are not able to avoid a collision, will we argue that the car manufacturer should have prohibited us from doing 70 in a 30 zone? And on the other hand, do we keep to 30 because we know that there is a school nearby and many children cross the street there, or do we only restrict ourselves to the speed limit when we know the police are present?
The biggest problem with believing that the IT-Department is solely responsible for Cybersecurity is that the users and customers no longer feel responsible themselves. “If this attachment is unsafe, the IT-Department should have blocked it” is just as dangerous as stating “If driving 70 in a 30 zone is dangerous, the car manufacturer should have prohibited it”. And it is also just as dangerous to solely implement restrictions without explaining why these are needed, without educating that these restrictions are a safety measure and don’t mean that the driver can safely drive against the traffic as long as the speed limit is not exceeded.
In the case of the street with crossing school kids, the message should be “please drive slowly and keep an eye open for school children crossing here”. We learn that important message in driving school, and traffic signs remind us of that message, of the responsibility we all have as soon as we join traffic in a car, on a bike or even as a pedestrian. User and customer education in Cybersecurity and Risks should deliver the same message. Use technology to your advantage and keep an eye open for the risks. Act responsibly and don’t rely on others to take over your own responsibility. Don’t do 70 in a 30 zone!
An unfair fight?
What makes the challenge more delicate, and in all honesty renders my very own example of traffic rules for explaining the importance of education and accepting one’s own responsibility rather useless, is the pace at which new cyber threats are created and discovered. Traffic rules very rarely change, and when they do, most governments invest a lot of effort and budget in preparing citizens for the new rules long before they come into effect. New cyber threats, on the other hand, are created at a staggering pace, and the velocity keeps increasing. None of what was enough to know a few years ago will provide the average user with adequate information to contribute to Cybersecurity today, let alone in the future. Chances are that several state-of-the-art cyber threats were discovered while this article was being prepared, and several more were uncovered while you were reading it. In all this, we have to keep in mind that the real threat is not just that the number of new threats to which we are exposed keeps growing. The real threat is that the threats keep getting more sophisticated on a daily basis.
The cyber crime organizations behind those threats deploy artificial intelligence and machine learning to create self-modifying malware and stealthy technology to stay undetected. The complexity of Cybersecurity threats is best described by the fact that a growing number of threats and exploits get detected only after being out in the field for several months! Despite these developments, many companies still rely on outdated Infosec policies and equally outdated short, general cyber security training sessions during the onboarding of new employees. This cannot and never will be sufficient to deploy an adequate Cybersecurity policy and defense, especially not with the rapidly increasing number and sophistication of the threats.
A very promising approach is the ongoing research in the field of Systems Thinking for Cybersecurity Education by Ludmila Morozova-Buss, in which the focus is put on a rational systems thinking approach to education. This research makes crystal clear that education must be interdisciplinary and truly systematic in a day and age in which developments exceed the learning capabilities of every human being.
I advocate a Systems Thinking approach in educating our readers, followers, friends, business associates on digital transformation, emerging technologies and cybersecurity. After all, without education who would even bother to police the systems for security or safety. Too often we assume others are not that bad and hope for the best. Systems thinking forever changed the way I think about the world and approach issues. An open immeasurable non-linear system – the Cyber Space, where cyber threats and cybersecurity are two of many (to be defined) elements of this system. – Ludmila Morozova-Buss
With the Charter of Trust, which is a truly unique and unprecedented initiative to protect critical (cyber) infrastructure, major players in the industry are joining forces to address Cybersecurity. “The Charter outlines ten principles to ensure companies and governments are taking action to address cybersecurity at the highest levels through a dedicated cybersecurity ministry in government and a chief information security officer at companies. It calls for mandatory, independent certification for critical infrastructure where lives are at risk, including in the oil and gas, and power generation and distribution industries, and digital applications across all aspects of IoT. It also affirms that as technologies become increasingly digital and connected, security and data privacy functions should be preconfigured and that cybersecurity regulations should be incorporated into free trade treaties. The Charter’s signatories are also looking for greater efforts to encourage cybersecurity in vocational training and in international initiatives.”
Cybersecurity is the most important security issue of our time. Siemens is working with key partners in industry, government and society to promote the Charter of Trust to make our digital world more secure. The transformational opportunities that exist for society and industry can only be realized if we all have confidence in, and can rely on the security of our data and connected systems. – Joe Kaeser, CEO, Siemens AG
Another approach is to use RED TEAM methods to establish what employees really understand about Cybersecurity, as part of a broader strategy of using RED TEAM methods to establish the true readiness and weaknesses of the current Cybersecurity policies and their execution, and to develop a strategy that keeps up with reality. On the topic of RED TEAM, I cannot say enough good things about the book Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko, and I am convinced that this, besides developing a proper inclusive systems thinking culture, is the right way to get on top of the game. Unfortunately, the sobering reality shows that we are miles if not light years away from that.
Sobering reality check
In my workshops, I had for example a consultant of an international corporation who was traveling even more than I used to do. Of course his company notebook was equipped with the latest and greatest in anti-virus and malware protection, and connection to the corporate infrastructure was done through VPN. The consultant, an intelligent and systems-savvy person, saw no risk in using public WIFI at hotels etc. while traveling, because he was convinced that the VPN connection encrypted everything. The consultant didn’t realize and was never made aware that the VPN encryption sits on top of the connection with the public (open) WIFI provider and encrypts the connection with the corporate infrastructure, nothing more and nothing less. During the coffee break “Big Mike”, the White Hat Hacker who joins me every now and then on workshops, quickly demonstrated the risks of a wrong sense of security with the man-in-the-middle loop we had created on purpose on the freely available open WIFI connection in the conference room. The consultant responded by removing the battery from his company notebook…
It’s been said that systems thinking is one of the key management competencies for the 21st century. As our world becomes ever more tightly interwoven globally and as the pace of change continues to increase, we will all need to become increasingly “system-wise.” – Paul Ferrillo, Of Counsel, Senior litigation, corporate & cyber crisis lawyer, Weil Gotshal LLP
Touching the topic of email attachments and the most significant exploits, to demonstrate to the participants of our workshops how advanced some of these exploits are, the Head of Engineering of a large European electricity provider interrupted us, rather upset. “Can you please repeat what you just said about PDF attachments? I have to transfer files back and forth within the company, with suppliers and with customers every single day. Our IT Department gave very explicit instructions that file transfer is only allowed as PDF attachment because these are perfectly safe”. During lunch, he pulled up a chair and it became very clear that he was still upset about what we had shown him, and we dove into a deep discussion about the risk of a false sense of safety. I made some common recommendations like considering bringing in some qualified experts for a security policy review and maybe even penetration testing. Apparently he didn’t get very far with this, because they were later among the high-profile victims of the WannaCry ransomware attack.
There was once an Executive Assistant who was responsible for agendas and travel arrangements for 10 executives of an international corporation. In her own words, “when they have a delay or need new arrangements, I have to act fast, I can’t keep them waiting for the next day”. To always have all data on hand, she had prepared a file with all required data for all executives, including copies of their passports and their credit card details. And to make sure she was always able to support them whenever needed, she forwarded this file to her private email address so she wouldn’t lose a second even if she was not at her company computer.
Did she have 2-way authentication on her private email account? She didn’t even know that existed. When was the last time she changed the password of her private email account? Never; she was still using the password she had used when creating it many years ago. From where did she access her private email account? From everywhere; when there was a problem she had to act immediately. “Those people can get really nasty when things are not taken care of fast enough”, so whenever needed and she wasn’t in the office, her private email account was her safety net. Nothing but good intentions and just trying to make things work, that is all she basically did, without being aware of the risks. A few weeks after the workshop, she wrote a very kind email explaining how grateful she was for the eye-opening experience and the improvements she had been able to establish after that. Her boss provided her with an encrypted mobile phone and a fancy tablet to always be able to support the team no matter where she was, and after deleting all company data from her private account, she had also discovered that this 2-way authentication wasn’t that complicated after all.
During the workshops, we used to do a demonstration of how much information can be collected about a person. Of course we always asked for a volunteer, and so far we have never failed to find someone who says “I have nothing to hide”. The rules are very simple: we ask the volunteer to raise a hand and say STOP to immediately let us cease our search, cease showing the data we have found so far and delete everything we have found. After again asking the volunteer for permission to collect all data that we will be able to collect, a set of scripts and tools aggressively scans all known sources of data on that person and puts each item on a map. Within minutes, the map of collected data grows and more relations between data become visible. It makes the volunteers rather nervous when “I have nothing to hide” turns out to be a highly populated map of personal and professional details, and it always ended with the volunteer shouting STOP several times to make sure we wouldn’t miss it. We stopped doing these experiments after we accidentally revealed that the volunteer, who participated in our workshop with several colleagues and his line manager, had regularly visited the headquarters of a competitor which was involved in a high-stakes legal battle with his employer. Maybe it wasn’t that smart that he had posted pictures of his lunch with the exact location of the restaurant at the competitor’s headquarters every time he visited there.
The list of examples where lack of awareness and education causes Cybersecurity risks is long, and I should also add my own mistakes and negative experiences from the past to that. In most cases it is a mixture of a false sense of security and not being aware of one’s own responsibility for Cybersecurity that makes even the most advanced technical solutions fail. Let’s solve that by focusing on education!
- How Effective Is Security Awareness Training for Threat Prevention? by Mark Stone, published by IBM.
- Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko. Micah Zenko is an American political scientist, a Senior Fellow at the Council on Foreign Relations, and the author of two books.
- Charter of Trust, press release by Siemens AG.
- Cyber Security for Road Warriors and Couch Potatoes and Workshop Cyber Security for Road Warriors and Couch Potatoes by Dr. ir Johannes Drooghaag.