Like clockwork, this time of year brings a bevy of articles in the infosec community ruminating on what the new year will bring.
Most predictions I’ve read focus on the technical side of the equation: new ways for cybercriminals to launch malware, for example, or the bogeyman of the Internet of Things (IoT) being used to gain access to home and office networks.
One forward-looking article, though, approached it differently. Attorney Michael Overly’s piece on CSO Online took a more proactive “resolutions to make” angle, touching on the importance of employee awareness training specifically: “In the coming year, think of quality, not quantity, of training.”
I couldn’t agree more with this sentiment. With this as inspiration, I’d like to look at some employee security and privacy awareness trends we expect this year.
Small-to-medium sized awareness
Owners and operators of small-to-medium sized businesses (SMBs) should not be surprised that cybercriminals have them squarely in the crosshairs. According to the 2017 Verizon Data Breach Investigations Report, 61% of all cyberattacks target small businesses. SMBs handle sensitive client data no less valuable than that of larger companies, and often don’t have the dedicated resources to repel cyberattacks. Most often, this means little or no time spent on security and privacy awareness.
However, we expect the focus on repeated and engaging security and privacy awareness efforts to trickle down to the SMB space in 2018 as SMBs realize their size does not make them immune to cyberattack. Stale, once-a-year training on these topics could prove costlier for SMBs, whose employees likely have more varied demands on their attention than employees at larger companies where roles may be more siloed. I speak from experience here, working for a company with fewer than 100 full-time employees. The responsibilities my colleagues regularly take on are myriad, requiring security and privacy awareness education that gets and keeps their attention.
Fortunately, SMBs are not alone in keeping their sensitive data out of the hands of bad guys. We’re glad to see nonprofit organizations such as the National Cyber Security Alliance (NCSA) take up the mantle in this space with their “Cyber Secure My Business” initiative, launched just this year (full disclosure: my company is a proud sponsor of this program). The initiative provides free resources, including webinars, infographics, and fact sheets, to educate SMB owners about the importance of sound cybersecurity posture.
Know more about what’s not known
If it’s the case that more and smaller businesses will take up the cause of educating employees about security and privacy, we hope it’s also the case that they will educate them about the real risks that they face. The era of throwing a one-size-fits-all training program at employees who are already stretched too thin will hopefully be coming to an end.
More and more, we expect to see cybersecurity educators using old tech (like simple assessments) and new tech (like machine-learning driven behavioral analytics) to identify precisely where employees are weak, and then to target short, meaningful training and communication directly to those users. It’s high time we got smarter about how we deliver training to end users, and this may well be the year that we see meaningful advances in this area.
The GDPR reckoning
May 25, 2018, has likely been circled on the calendars of data privacy professionals for years. On that date, the sweeping General Data Protection Regulation (GDPR) will come into effect and cement a variety of regulations any organization handling the data of EU citizens must abide by. These include new requirements for data collection and breach notifications, a mandatory Data Protection Officer (DPO), and privacy awareness training for employees handling data.
Even as the date approaches, near-weekly headlines continue to show most organizations may not be ready. A survey of 500 cybersecurity professionals in companies in the U.S. and Europe released just last week revealed that 57% of professionals are concerned about GDPR compliance.
This article is far from the first 2018 predictions piece to mention the GDPR, but we would like to offer a more positive spin. Rather than a stick, the GDPR should be thought of as a carrot that organizations can use to strive for a company-wide approach to data privacy. We see the GDPR inspiring cultural shifts that will begin with training and communication initiatives that help employees understand that the individual’s claim to their own data takes precedence over all else.
Real GDPR compliance means privacy by design writ large across the culture of the organization. We think this will mean a rethink of how privacy awareness training initiatives are undertaken for 2018.
Rise of the program
We’ve said it before and we’ll say it again: once-a-year employee awareness training simply won’t cut it. Our own experiences with clients and years of adult learning research bear this out. Repetition is the mother of learning, meaning employees need consistent and repeated exposure to key topics to embed new information into their mental models. We may sound like a broken record, but we don’t really care. It’s just that important.
Fortunately, though, we think 2018 may be the year most organizations get it. For one, a 2017 survey of security awareness professionals by the SANS Institute found that 55% of respondents described their awareness efforts as including training reinforcement throughout the year. An encouraging sign to be sure.
We’ve also seen this in interactions with our clients, who often come to us with ideas about how to present the most pertinent security and privacy topics in varied ways throughout the year. Additionally, we’ve noted an uptick in other vendors in this space speaking directly about the importance of an awareness program over the last year. Many signs are pointing to awareness programs being the wave of the future, and we’re excited to be at the forefront.
Future phishing
A colleague of mine tells the story of a phishing email he got recently that proved surprisingly cunning.
The email offered help paying off student loans incurred while at college—his college!
He’s not a big social media user, but he does list his alma mater on his LinkedIn profile, and he was surprised at the time this scammer took to craft a personalized email. We joked that spear phishing is not just for “important” people anymore.
Many experts predict this is just a taste of the tactics phishing scammers will use in the new year and for years to come. The only limits to cleverly crafted phishing attempts exist in the bad guys’ imaginations.
Though “phishing will get worse” may as well be a fact rather than a prediction, we couldn’t not include it in an employee awareness predictions article. Why? Here again we’d like to take a positive spin: scammers are being forced to up their game because users are getting better at recognizing phishing attempts. Those of us in the security awareness business should almost take this trend as a compliment since it means our efforts to educate employees are having an effect.
Toward the future
I have no illusions that many predictions articles, this one included, are little more than whistling in the wind. They can be good for starting meaningful conversation, for sure. But idle speculation released to the internet like a message in a bottle on the open ocean is just that: speculation.
Most organizations serious about planning for the InfoSec threats of next year don’t need such articles to tell them what to do. Plus, no one could have predicted the immensity of the Equifax data breach, or the fact that it took months for the company to reveal the details. Or the Uber data breach that company heads waited a year to reveal, after paying off the hackers who broke in.
The only thing that can be said with certainty is that events like these will continue to happen. The responsibility, then, is in the hands of organizations to make themselves as breach resilient as they can.
Employee awareness is not a panacea in this regard, but I don’t think it’s too much of a stretch to say that a greater focus on a risk-aware culture could have lessened the chances of the major breaches of 2017. What are you doing to instill such a culture?