Does cybersecurity utopia really exist?
You’re the CTO of a successful hedge fund. You’re not big enough to have a dedicated CISO but you think you’re doing a pretty good job of securing your network. Your applications and databases are secure, you’ve just invested in a network intrusion detection system and some next generation firewalls. Next, you move on to your internet traffic and cloud services. You make sure your firm’s SSL certificates are up to date, and you use HTTPS and OAuth2.0. Then you insist all remote users access the network via secure VPN, that files are encrypted and that you have a comprehensive mobile security strategy in place. You have invested significant time and money into this multi-layered security portfolio because you know the value of your data, your firm can’t afford any disruption to trading or service, and you know you could face a hefty fine if the regulators find out about a cybersecurity breach.
All that effort, all that budget, can be rendered entirely useless if your employees are not trained to spot and avoid cyberattacks.
2017’s “The Global State of Information Security Survey” reported that 38% of respondents had experienced phishing scams, making it the top cybersecurity threat. In addition, 28% of respondents reported security compromises of mobile devices.
Even more worrying, Wombat Security Technologies recently published the results of an international cybersecurity awareness survey in their 2017 User Risk Report. When questioned, only 40% of respondents knew what ransomware was. 58% of respondents in the UK gave the wrong answer or could not even hazard a guess at what ransomware was. When asked if they had ever fallen for a phishing attack, over 30% said yes, and 15% didn’t know.
Now imagine there was a unique cyber awareness training program, which used mock attacks and simulated email, voice and SMS phishing attacks in order to highlight risks and employee weaknesses.
What if there was a simulated phishing platform, which used personalized landing pages, attachments and spoof domains in sophisticated trial attacks, both pre and post training for benchmarking and to indicate progress? A way of firms being able to identify potential users who may be more susceptible to attack than others. A way of giving immediate feedback to users who do click on a link or open an attachment, with a copy of the email, highlighting all the red flags to reinforce the training they have had.
The training program that employees get could be engaging enough to be effective, making sure that users are aware of the mechanisms of spam, spear phishing, malware and social engineering. It could cover PCI compliance, the basics of credit card security, how to handle sensitive information and how to secure non-public personal information. It could include lessons on how to create strong passwords, tips on safe web browsing, best practice for social media use and the dangers of unidentified USB devices. It could be so good, so interesting, that your employees actually told their friends and family what they had learnt.
Wouldn’t that be great? Talk to us today to see if this utopia really does exist.