28 Oct CISO Report: Dr Jay On Cyber Defense
Mastercard’s SVP & Deputy CSO says stop, drop, and roll
– Melbourne, Australia – Oct. 28, 2022
The CISO Report is sponsored by KnowBe4.
For years, many companies used to treat cybersecurity training like fire safety or CPR training: a once-a-year exercise, in which employees are dragged through a set curriculum and left to their own devices for the rest of the year.
With cybersecurity attacks escalating and new types of compromise appearing daily, however, once-a-year training long ago stopped being enough.
One study, by USENIX, found that employees lose their ability to discern phishing emails from legitimate emails around six months after training has been delivered. Another, by WR Hambrecht + Co, concluded that as little as half an hour after training finishes, employees only remember 58 percent of what they were just taught; a week later, this percentage has dropped to just 35 percent.
Despite the risk that employees will rapidly forget their training, only 23 percent of companies provide cyber awareness training to their employees on a regular basis, according to a recent study that also found most companies have increased the frequency of training to at least once a quarter.
Yet frequency of training is only one of several factors CISOs need to consider when planning cyber awareness strategies, Alissa ‘Dr Jay’ Abdullah, deputy CISO and senior vice president of emerging corporate security solutions with Mastercard, told Cybercrime Magazine.
“At one point in time, we thought the normal annual training was going to be enough,” she explained, “but now the way people consume data and consume information has changed.”
“We’re in a Tik Tok era, and everybody wants everything to be short and quick — so we have to move with that evolution.”
Yet the kids making videos on Tik Tok don’t just stand up and go for it: they practice a little bit at a time, she said, and “we have to think of cybersecurity and our training in the same way: think about it, talk about it, little hints, little tricks, little games.”
“Repetitiveness is the glue that’s going to make it stick, rather than sitting down, doing an hour’s worth of training, and saying ‘see you next year.’”
That shift towards smaller, consumable training — even to the point where email filtering systems deliver a small bite of training content immediately after a user clicks on a dangerous link or attachment — has driven new approaches from companies like NINJIO and Mimecast-owned Ataata, which have taken awareness training to a new level as they pursue a share of a market that is expected to be worth $10 billion annually by 2027.
Reading, ‘riting, ‘rithmetic, and remediation
Even as companies try to figure out the best way to train and retrain employees in cybersecurity awareness, Dr Jay said it is important that workers are also taught the basics of cybersecurity early on — and that it becomes part of the corporate culture, not just something the IT security team is trying to impose on everybody.
“It’s not something that’s just the responsibility of the cybersecurity organization,” she explained.
“Regardless of whether you’re working or not, you have to know a little bit about cybersecurity in order to protect your own data. And you have to think about your own culture, and what they’re able to consume, and the amount of risk that you’re taking.”
Managing that risk also relies on regular phishing tests of employees, who are sent defanged phishing mails to see whether they can spot them or not.
Within Abdullah’s own purview at Mastercard, she said, the security team analyzes “the exact messages that come through as the adversary is probing us — and we replicate those messages, and do spearphishing campaigns within our employee base.”
Even this is a process, she said, and realism is crucial — as is the need to be unapologetically tough on employees by giving them phishing tests that are hard to pass.
“You want to take your employees through a journey,” she explained, “by starting easy and getting harder and harder and harder.”
“You can’t stay at easy because the adversary is now being more sophisticated – so your spearphishing campaigns with your employees have to be more sophisticated.”
“They have to show exactly what the adversary is going to give you – and I’ll tell you this: the adversary is going to give it to you whether you’re in your business environment, or in your home environment.”
Indeed, attackers are increasingly trying to wear down their targets by sending repeated prompts until their victims relent and play along.
It’s a tactic that is, Abdullah said, being seen in “MFA fatigue” — in which attackers send one prompt after another, pushing recipients to approve a request for multifactor authentication based remote access.
Vigilant users will likely deny the request, but repeated requests often wear them down just so the prompts go away — and that, Dr Jay said, can be the difference between being compromised and not.
“It’s like a fire drill,” she said. “Stop, drop, and roll. Pause for a second and ask yourself: did I even try to log in somewhere that uses MFA? Did I engage with anything that required this type of request?”
“Pause for a second before you engage.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.
Sponsored by KnowBe4
KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.
