Improving Cybersecurity Awareness Through Hacking

Improving Cybersecurity Awareness Through Hacking
Author: Kris Martel, CISM, CGEIT, CRISC, CISSP, C|EH, Chief Information Security Officer at Emagine IT
Date Published: 26 August 2019

Cybersecurity awareness is a topic that most organizations and leaders know is important, but is typically treated as a check box requirement to remain compliant with regulations or mandates placed on the enterprise. Most leaders will argue that cybersecurity awareness training is very important but only marginally effective.

To be honest, how effective is most cybersecurity awareness training? The standard requirement that each individual complete mandatory training every year looks good on paper, but doesn’t provide the needed impact in order to make a difference and increase the security awareness of the users in an organization. For example, most people who are required to go through annual security awareness training for the US Department of Defense likely have half of the answers memorized for the mandatory computer-based training. In fact, many people let the videos play while they do other work and then simply bounce back to the training when it is time to answer questions and advance to the next section.

Enterprises can’t expect that providing training when an employee is hired and refresher courses once a year will arm the employees with the knowledge and understanding to not fall prey to cybercriminal attacks. In fact, the cybercriminals have all seen the required security awareness training modules and have a blueprint of what “not” to do. Cybercriminals are always looking for new ways to infiltrate and attack organizations. So why not think like the enemy and create a cybersecurity awareness training program that resembles what the real cybercriminals will do?

Everything from the marketing of the cybersecurity awareness program to the actual training itself needs to be rebranded, constantly updated and customized to the target audience. Cybersecurity awareness training needs to change and adapt as quickly as the cybercriminals change their attack methods. This means continual training based on the latest trends and attack vectors that are constantly evolving. The most important attribute of a successful cybersecurity awareness program is the effectiveness of the training. To drive up effectiveness, the training must be relevant and retain the attention of participants.

What better way to engage your employees than to include them as part of the actual training program and its activities? Make the training interactive and personal. Show them how a hacker will attempt to steal their identity, include them in a phishing campaign and entice them with [fake] confidential information through trojans or malicious software.

Consumers of cybersecurity awareness training want to learn how it is applicable. They want to know how to lock down privacy on Facebook and other social media applications, or how their Home Depot credit card information is easily obtained on the dark web, or what personally identifiable information (PII) of theirs is circulating the dark web. A majority of end users find hacking fascinating, and they want to learn more about it and how it could impact them. Utilize the curiosity as a training mechanism. Branding your cyber awareness training as a monthly opportunity to hack your coworker and then showing them how the cyber criminals are “hacking” the user will increase awareness and strengthen cybersecurity practices.

I will be presenting more on hacking your coworker to improve cybersecurity awareness at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. I look forward to walking through specific examples and results of the hacking your coworker training across several organizations.