“Everyone in any organisation has a role to play in the cyber security planning and implementation for that organisation, so cyber security training has to be part of the security framework the organisation creates.”
CyberAwake
The question at the top of the page is a valid question for any business. Any extra expense on a business in the current economic climate should be questioned, and the decision to spend should be based on the benefits to the business.
You will tell me that you implement strong passwords, buy an anti-virus solution, use multi-factor authentication on your most important accounts, have a backup you keep off site on a portable hard drive, and even from time to time look at the National Cyber Security Centre website. “Isn’t that enough for any business?”
Now, as we are selling the training, you would expect me to say “just buy it”, “you need it” – and of course, you pay up – but no, let’s look at the case for “Everyone in any organisation has a role to play in cyber security planning”.
A few words about the threat landscape
A quick look at the news feed here at CyberAwake (Cyber security news | Cyber Awake Team Training) will quickly show you that cyber security is rarely out of the mainstream news, whether it is a ransomware attack at a major company, spyware infecting politicians, or simple data loss by a careless employee with no threat actors involved. The examples linked to here were, at the time of writing, taken from last week’s news stories! Cyber security is a problem that every business or organisation, large or small, must face and must plan for.
But you say, “I am not a major company, why would threat actors target me?”
Well, the first thing is that one of the examples above was just “business stupidity”: allowing an employee to download unencrypted data to a memory stick – probably the most “lost” bit of technology after UK government laptops in taxis. My first questions when investigating an incident such as this are:
- Can I see the policies and procedures relating to transferring company information and the use of USB memory devices?
- Can I see the training schedule for staff that relates to these policies?
If, for your information security, you rely simply on staff signing that they have read and understood the policies, rather than implementing effective cyber security training, then you can see why unencrypted data is lost.
The next point is that the sending of links to malicious software and websites is primarily indiscriminate – anyone could receive one of these phishing emails. In Q2 of 2021, 42% of ransomware malware was delivered by phishing, exploiting the user’s trust with social engineering techniques (Kshetri and Voas, 2022). The big companies make the headlines when they get infected with malware; the small companies don’t make the news but still lose a lot of money as a result of the attack.
Paying the ransom is not a viable option, as this often leads to subsequent attacks: the threat actors know you are not prepared for an attack and are willing to pay (Cybereason, 2022). Remember, ransomware has moved on from a nuisance cottage industry to ransomware operations (ransomware ops), where international gangs operate in a business-like fashion, seeking targets of opportunity as well as the big fish targets (Kshetri and Voas, 2022; Cybereason, 2022).
“I have bought a business standard anti-virus package which everyone uses”
It is the nature of cyber security that we are often catching up with the actions of the threat actors.
This statement is very true of software and anti-virus vendors, who may discover a vulnerability in their systems only after the threat actors have started to exploit it. So there is often a gap – referred to as a zero-day threat – between the vulnerability being discovered and exploited and the patches and anti-virus updates reaching us, the users (Bilge and Dumitraş, 2012). This means your business or organisation is at risk during that gap. The anti-virus package can only protect your organisation if it knows about the malware (fig.1).
fig.1 ESET anti-virus removes a known threat from a phishing email in Outlook
(Why did I include the above screenshot? This phishing email, complete with malware came into my Outlook whilst I was writing this article – the threat is real.)
It is during a zero-day vulnerability period that the ability of your team to spot malicious emails and attachments, and to know how to deal with them, is vital to support your technical defences. But of course you, your team and the software vendors do not know when the periods of vulnerability are; only the people who discover the vulnerabilities know. If it is threat actors, they can start to exploit them; if it is the software vendors, they are in a race to fix things before the threat actors get involved – you, your business and your team are in the middle.
And so to training…
Without effective training of all your team, your organisation could become a target of opportunity for the threat actors.
Ask yourself: does your team know:
- The social engineering techniques used in potential phishing emails?
- What a business email compromise attack is?
- How social media aids threat actors?
- The importance of using unique strong passwords and MFA?
- What to do if they do click on a link or visit a malicious website?
- Do they understand the importance of you not running a “blame culture” at your organisation?
- Do you understand why a “blame culture” is the threat actor’s “best friend”?
- Have you thought about the “insider threat”?
If you regularly run exercises and training across your whole team covering these points, then you are right, our training is not for you. If you do not, then we have the training programme for you, which includes:
- Your team working at their own pace
- Quizzes and tests along the way to reinforce the learning
- Certificates for your team and training reports for you
- We can even include a “training phishing campaign” to test their readiness
Conclusion
I write my cyber security blog (nearly) every day after researching the latest threats, and I can see that the cyber security threat landscape for businesses and organisations is something that we all need to be taking action about. The threats are constantly changing, as are the targets. We have to be prepared, and I consider our flexible cyber security training to be a positive step in improving everyone’s cyber security.
Clive Catton MSc (Cyber Security) – by-line and other articles
References
AMD hit by alleged ransomware attack
Why we do not recommend USB memory sticks as data storage for our clients
Don’t lose that laptop – but if you do… #BeCyberSmart
Cybereason (2022). Report: Ransomware Attacks and the True Cost to Business 2022. Retrieved July 1, 2022, from https://www.cybereason.com/blog/report-ransomware-attacks-and-the-true-cost-to-business-2022
Kshetri, N., & Voas, J. (2022). Ransomware as a Business (RaaB). IT Professional, 24(2), 83-87.
Bilge, L., & Dumitraş, T. (2012). Before we knew it: An empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 833-844).
Actively exploited zero-day flaw in Google Chrome now patched – is yours? Could you check?
Cyber security news | Cyber Awake Team Training
CyberAwake’s first cyber security article
This is my first of many blog posts for CyberAwake – the plan is to usually publish a new article every Tuesday and Thursday, but of course business, holidays and life will mess around with that schedule!
Here is my bio, that will always be available in future bylines:
Clive is the cyber security consultant for CyberAwake. He recently graduated from Edinburgh Napier University with an MSc in Advanced Computer Security and Digital Forensics – this course is certified by the National Cyber Security Centre. His dissertation was on data privacy and classification in small businesses using Microsoft 365 for Business.
The degree is not the end of the studying – to keep current, Clive spends some of his time at work simply reading and studying the latest technology trends and threats so our clients can benefit from this knowledge. This knowledge he shares, daily, at Smart Thinking Solutions, the place for your cyber security news. The news blog is not all doom and gloom, though: have a look at the “Because It’s Friday” blog posts for a bit of fun!
To make full use of Clive’s Master’s degree in cybersecurity, he has a joint venture with an international research company to get access for our clients to up-to-date information, schemas, analytics, templates, actionable tools and guidance. Whatever the size of your organisation, if you are not approaching IT, cybersecurity and information privacy in a way that supports and benefits you, they can help, from the boardroom to the shop floor.
Clive is the CISO at Octagon Technology, with special responsibility for data privacy and cybersecurity. Clive, with his wife and partner Diana, set the company up over 27 years ago to deliver the best IT support possible to small businesses.
His personal blog can be found at Clives Blog, where he has posted “a photo a day” since 1 January 2012, along with other photos, and talks about photography, walking, camping, technology and other stuff he likes.
CSC – Lincoln, July 2022