A critical part of improving a business’ cyber resilience is ensuring staff, including the executives and the board of directors, are all champions of promoting and driving awareness when it comes to cybersecurity.
Many company do have this understanding, and one way to measure the importance organizations are placing on cybersecurity is by expenditures. Gartner in May 2021 it expected that about $150.4 billion would be spent on security in 2021, a 12.4% increase from 2020, with security awareness education and phishing defense being a focus for many organizations.
It is quite understandable that spending is at this level when one considers that the average downtime a company experiences following a ransomware attack is 21 days, and the average cost to recover from such an attack is estimated at $2 million. The money spent on prevention will be repaid if an attack is prevented.
A company with better cybersecurity awareness and education has an improved chance of defending itself or in a worst-case scenario properly reacting to a cyberattack. This level of preparation includes embedding security across the business and aligning security to business objectives and strategies. This will help the company respond quickly to threats and continue to operate and recover during or post-attack.
Implementing a level of cyber resilience from top to bottom in an organization will ensure a shift in the security culture by enabling all personnel to help keep their organization secure.
This is particularly true when it comes to dealing with some of the more common dangers, such as phishing campaigns. The vast majority of successful cyberattacks start with a phishing email. Employees must learn to treat every email as potentially dangerous, making sure links and attachments are legitimate before clicking one.
But phishing is just one threat.
Another emerging problem organizations must prepare for through education and training is ransomware, and specifically when that malware involves a Ransomware as a Service (RaaS) operation.
RaaS is the sale or lease of ransomware malware by its developers. Making the malware available “off the shelf” allows less technically capable criminal organizations to launch sophisticated attacks. RaaS is worrisome as it broadens the potential pool of threat actors to anyone with the funding and desire to launch such an attack.
However, while training is a necessity, an organization must be careful how a regimen is implemented.
One issue that arises when training is increased and emphasized is employee training fatigue. The ever-increasing level of mandatory training and awareness delivered to staff covering corporate, legal, and regulatory topics can lead to this very important education being seen as nothing more than a tick-in-the-box exercise and drain employee interest to fully participate and engage with the subject.
To tackle this challenge, organizations must deliver training that is engaging, authentic, and tailored to that organization.
One way to help retain worker interest is to conduct a crisis simulation. Such activities give participants invaluable experience of reacting during a realistic simulation and enable them to collaborate and hone their skills in a safe and controlled environment.
Trustwave often facilitates Cyber Security Crisis Simulation Exercises. For each simulation workshop, the following considerations are made:
- Work collaboratively with the client to understand the drivers and their objectives
- Identify if the client requires a ‘standard’ simulation workshop or a fully bespoke workshop
- Customize the workshop material to client requirements based on a number of ’injects’ (an ‘inject’ is akin to an ‘event’) escalating narrative.
- Each narrative typically starts with a technical-orientated issue and builds to a full-blown operational crisis.
- We bring workshops to life by using a series of interactive injects, briefings, and videos.
- Workshop members are grouped into teams to discuss a solution after each inject. They then conduct a presentation after each inject, offering their thoughts to the wider group for discussion.
- Also, after each inject, workshop members will discuss what they could/should do at each stage.
- The event, which usually lasts about four hours, concludes with the staff reinforcing the actions taken and covering the lessons learned.
- Finally, the participants create an executive report on findings, data, observations, and recommendations.