Does cybersecurity utopia really exist?

By George Ralph, RFA – Imagine you’re the CTO of a successful hedge fund. You’re not big enough to have a dedicated CISO, but you think you’re doing a pretty good job of securing your network. Your applications and databases are secure, and you’ve just invested in a network intrusion detection system and some next-generation firewalls.
Next, you move on to your internet traffic and cloud services. You make sure your firm’s TLS (SSL) certificates are up to date, and you use HTTPS and OAuth 2.0. Then you insist that all remote users access the network via a VPN, that files are encrypted and that you have a comprehensive mobile security strategy in place. You have invested significant time and money in this multi-layered security portfolio because you know the value of your data, your firm can’t afford any disruption to trading or service, and you know you could face a hefty fine if the regulators find out about a cybersecurity breach.

All that effort, all that budget, can be rendered entirely useless if your employees are not trained to spot and avoid cyberattacks.

2017’s “The Global State of Information Security Survey” reported that 38 per cent of respondents had experienced phishing scams, making it the top cybersecurity threat. In addition, 28 per cent of respondents reported security compromises of mobile devices.

Even more worrying, Wombat Security Technologies recently published the results of an international cybersecurity awareness survey in its 2017 User Risk Report. When questioned, only 40 per cent of respondents knew what ransomware was; in the UK, 58 per cent of respondents gave the wrong answer or could not even hazard a guess. When asked if they had ever fallen for a phishing attack, over 30 per cent said yes, and 15 per cent didn’t know.

What if there were a cyber awareness training programme that used mock attacks, including simulated email phishing, voice phishing (vishing) and SMS phishing (smishing), to highlight risks and individual employee weaknesses?

What if there were a simulated phishing platform that used personalised landing pages, attachments and spoof domains in sophisticated trial attacks, run both before and after training so that results can be benchmarked and progress measured? A way for firms to identify which users are more susceptible to attack than others. A way of giving immediate feedback to users who do click on a link or open an attachment: a copy of the email they fell for, annotated to highlight every red flag, reinforcing the training they have had while the mistake is still fresh.
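The feedback step is the part a practitioner can build for themselves. The script below is an added example written for this article, not RFA’s platform: given a simulated phishing email, it returns the list of red flags a user who clicked should be shown. The trusted domain, the homoglyph table, the urgency phrases and both sample messages are constructed for the illustration; the heuristics (look-alike sender domain, brand name in the display name, divergent Reply-To, link text that disagrees with its href, deadline pressure, executable attachments) are the usual ones taught in awareness training.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# All names below are assumptions for this illustration, not RFA's platform.
TRUSTED_DOMAINS = {"examplefund.com"}                     # the firm's real domains
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common look-alike swaps
RISKY_EXT = (".exe", ".scr", ".js", ".hta", ".docm", ".xlsm", ".iso")
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|suspended|urgent|action required)\b", re.I)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when domain imitates a trusted domain without being one (or a subdomain of one)."""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return False
    norm = domain
    for bad, good in HOMOGLYPHS.items():
        norm = norm.replace(bad, good)
    for t in TRUSTED_DOMAINS:
        label = t.split(".")[0]
        if norm == t or label in domain or edit_distance(norm.split(".")[0], label) <= 2:
            return True
    return False


def url_host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def red_flags(msg: EmailMessage) -> list:
    """Return the red flags a user who clicked should be shown for this message."""
    flags = []
    name, addr = parseaddr(msg["From"] or "")
    from_dom = addr.rpartition("@")[2].lower()
    if is_lookalike(from_dom):
        flags.append(f"sender domain {from_dom} imitates a trusted domain")
    brand = re.sub(r"\W", "", name).lower()
    if from_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in brand for t in TRUSTED_DOMAINS):
        flags.append(f"display name '{name}' claims a trusted brand but was sent from {from_dom}")
    reply_dom = parseaddr(msg["Reply-To"] or "")[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not to the sender's domain")
    html = msg.get_body(preferencelist=("html",))
    links = LinkCollector()
    if html is not None:
        links.feed(html.get_content())
    for text, href in links.links:
        shown = url_host(text) if URL_LIKE.fullmatch(text) else ""
        real = url_host(href)
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        elif is_lookalike(real):
            flags.append(f"link points to look-alike domain {real}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if URGENCY.search(f"{msg['Subject']} {text}"):
        flags.append("urgency pressure: a deadline or threat of account suspension")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            flags.append(f"attachment {fname} is an executable file type")
    return flags


def build_message(sender, subject, html, reply_to=None, attachment=None) -> EmailMessage:
    """Builds a constructed sample message; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "analyst@examplefund.com", subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(re.sub(r"<[^>]+>", "", html))  # plain-text alternative
    msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(attachment[1], maintype="application",
                           subtype="octet-stream", filename=attachment[0])
    return msg


# Constructed simulated spear-phishing email (not a real capture).
PHISH = build_message(
    '"Example Fund IT Helpdesk" <helpdesk@examp1efund.com>',
    "Action required: your password expires in 24 hours",
    '<p>Reset it now at <a href="https://portal-examplefund.com.login-verify.net/reset">'
    'https://portal.examplefund.com/reset</a>.</p>',
    reply_to="support@examplefund-login.net",
    attachment=("PasswordReset.exe", b"MZ\x90\x00"),
)
# Constructed legitimate reminder, for comparison.
BENIGN = build_message(
    '"IT Helpdesk" <helpdesk@examplefund.com>',
    "Password rotation reminder",
    '<p>Your password rotates next month; see <a href="https://portal.examplefund.com/help">the portal</a>.</p>',
)

if __name__ == "__main__":
    for flag in red_flags(PHISH):
        print("-", flag)
```

Run as-is, the script lists six flags for the constructed phish and none for the benign reminder. The look-alike test deliberately treats subdomains of a trusted domain as legitimate, since flagging the firm’s own portal would teach users to ignore the warnings; in practice the trusted set would be loaded from the organisation’s real domain inventory rather than hard-coded.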

The training programme that employees receive could be engaging enough to be effective, making sure that users understand the mechanics of spam, spear phishing, malware and social engineering. It could cover PCI DSS compliance, the basics of credit card security, how to handle sensitive information and how to secure non-public personal information. It could include lessons on how to create strong passwords, tips on safe web browsing, best practice for social media use and the dangers of unidentified USB devices. It could be so good, so interesting, that employees actually told their friends and family what they had learnt.

Wouldn’t that be great? RFA offers comprehensive cybersecurity training and a simulation platform that allows organisations to test employees’ knowledge in a realistic way, giving feedback and pointers along the way.
