Traditional cybersecurity awareness training leaves companies vulnerable to social engineering attacks, according to cyberconIQ.
The software company adds that minimising the risk of people causing a breach requires a change in culture.
LastPass, a company responsible for password management software, recently suffered a cyber attack that compromised the security of more than 30 million individuals.
Previously, messaging company Twilio suffered a breach that put more than 75 million users’ data at risk.
Before that, food delivery service, DoorDash, was also the victim of a breach that exposed the personal information of its 4.9 million customers.
But cyberconIQ, a firm that provides behaviour-based cybersecurity training, points out that these breaches all have one thing in common: avoidable human action.
Nearly USD $2 billion was spent on cyber awareness training in 2022, with the goal of significantly reducing the number of breaches that rely on a human factor, also known as accidental insiders.
However, Verizon’s 2022 Data Breach Security Report found that 82% of successful cyber attacks continue to include a human element.
As a result, generic security awareness training programs are becoming less popular, with many organisations looking into behavioural-based training approaches to develop a workplace culture with greater resiliency and awareness.
“Most awareness training options available today were developed about ten years ago with a focus on compliance,” explains Doug Glair, Director of Cybersecurity at global technology research and advisory firm, ISG.
“They just don’t get to the root of the problem. We need to be concentrating on shifting the way people behave and that starts with changing the culture.”
Security awareness training is broken
The main issue is that the cybersecurity industry has long been focused on technology to solve its challenges. But the tide is turning, according to cyberconIQ.
“Until a few years ago, the fear of cybersecurity was addressed by backing up a dump truck full of cash to buy the latest and greatest technology,” Glair says.
However, although there has been an increased spend, the number of breaches and the cost associated with them continues to grow.
In fact, the FBI’s latest Internet Crime Report finds that cyber-related complaints have grown more than 180% in the last five years, which has resulted in USD $18.7 billion in losses.
“While funding is still needed, what we know now is that technology is only part of the solution, you also need resilient processes and a cybersecurity aware culture,” Glair adds.
“CISOs and cyber executives need to be looking to redirect some of their spend to awareness training programs that can provide an ROI.”
cyberconIQ notes that because 82% of successful cybersecurity attacks involve the human element, it is a 100% statistical probability that every employee will eventually come up against some form of threat and will need to properly identify it as well as know how best to act upon it.
Missy Lawrence, a Principal Consultant with ISG who focuses on applying neuroscience to technology challenges, sees psychology as the key to unlocking the potential of cyber awareness training.
Lawrence believes that people have to be seen as part of the solution and not part of the problem.
“You can’t change cultures until you change behaviours, and you can’t change behaviours unless you understand how people think,” Lawrence says.
Addressing the human factor
Lawrence says it’s natural for technologists to focus on their domain competency and to view human psychology as an afterthought.
However, that oversight allows cybercriminals to thrive because they use the dynamics of human behaviour to their advantage.
“Cybersecurity professionals don’t know what makes the average person susceptible to cyberthreats,” Lawrence says.
“Cybercriminals hope to reach people when they are stressed or emotional because it clouds their judgement.”
This phenomenon, which Lawrence describes as an “amygdala hijack,” explains why phishing is such a successful attack vector.
The amygdala is the part of the human brain responsible for the “flight or fight” response and makes people react to events without thinking.
“Imagine that your brain is like a fist, where your fingers cover your thumb,” Lawrence explains.
“The amygdala is the thumb, and you can’t move it. However, if you’re juggling multiple tasks or dealing with strong emotions, it’s the equivalent of lifting a finger or two.
“When all the fingers are up, the amygdala is free to operate, and that’s when we make poor decisions that can lead to security breaches.”
Social engineering tactics work because they use personalised content to target specific personality profiles, according to cyberconIQ.
It says this can be thought of in much the same way as Netflix or YouTube tailoring suggestions based on viewers’ past behaviours and preferences.
“Successful cybercriminals present content that speaks in a voice and using a style that resonates with a victim’s personality,” says Dr James Norrie, CEO of cyberconIQ.
“We’re interested in what triggers someone to be vulnerable in the moment.”
cyberconIQ is based in York, Pennsylvania, and is responsible for pioneering the merge of psychology and technology to measure and manage cybersecurity risk.
It says that understanding individual behavioural traits allows organisations to provide personalised training that helps employees understand themselves and allows them to react better in situations that could cause a breach.
“Every style is vulnerable,” Norrie says.
“We use a personalised curriculum to help people understand how they can become vulnerable and teach them how to protect themselves and their company.”
Having a personalised approach has been incredibly successful, even in sophisticated business environments.
Before ISG began using behavioural-based cyber-training programs for their clients, who are often large, multinational enterprises, the company decided to run themselves through the training first.
“We are a very technology-savvy company, and we still saw a 40% reduction in vulnerable behaviour after taking the personalised, personality-based training,” Glair notes.
“So even for us, we were able to see an ROI.”
Cyber aware and ready
According to Glair, a company will never be able to train every person to spot every threat. That comes down to the sheer volume of novel threats being created.
In fact, in the first half of 2022, SonicWall detected 270,228 never-before-seen malware variants. That’s an average of 1,500 new variants per day.
However, new personalised training that combines machine learning and behavioural science can teach people to see the patterns or architecture commonly part of a threat.
Just as important, it changes the way people respond to a threat.
“I call it cyber-intuition. It needs to be second nature, just like our instincts,” Lawrence says.
“It requires humans to know themselves and understand their threat styles.”
Glair and Lawrence say that companies are likely to continue to see breaches caused by human errors escalate in number and cost until executives view cybersecurity as a business problem, not just an IT problem.
They have concluded that by making investments in behavioural-based cybersecurity training, companies are more likely to build a security-aware and ready culture. Thus, creating a tipping point for progress in the battle against security breaches.