Many people think cybercriminals hide in dim basements, masked by hoods, and hack big companies for fame and recognition. However, over the years, cybercrime has become a very profitable — and big — business.
In 2021, my company, Terranova Security, celebrates its 20th anniversary of working with organizations to help change behavior and reduce human risk by combining education and technology.
If there's one thing I've learned in the last two decades, it's that cybercriminals are treating cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a fundamental business imperative, and training needs to be as dynamic as the threat landscape it combats.
A thoughtful, regularly revisited cybersecurity awareness program sets organizations, security leaders — and most importantly, their people — up for cyber success.
In this article, I will reflect on the genesis of the cybersecurity awareness space, analyze how the threat landscape has changed over time, and share some predictions on what's next for the cybersecurity awareness landscape.
Cybersecurity Awareness? What's That?
By 2001, I had been working in technology for quite some time, and I asked my contacts in the technology space what they were missing. Some told me they had a lot of technology training but no security awareness solution for users. So, I decided to develop training to fill this gap.
In 2002, the biggest cyber threat the market faced was computer viruses in the form of worms — standalone malware programs that replicate to spread to other computers. The main objective of cybersecurity awareness 20 years ago was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid engaging with chain letters and scams.
In these formative years, early adopters in the banking and insurance space recognized the need for training. However, cybersecurity awareness as a service did not really take off until 2015, when Gartner released its first Magic Quadrant for cybersecurity awareness. Until then, organizations looked primarily at technology and processes to quell cyber threats, not at the human element of cybersecurity.
The Evolving Cyber Threat Landscape
Between 2005 and 2011, the number of people using the Internet soared. As more services came online, more opportunities for cyberattacks sprang up. With the advent of phishing, our big priorities for awareness shifted and grew. At the time, we were teaching people how to safely use the Internet, bank and shop online, and use social networks, as well as ways to recognize the telltale signs of phishing websites.
Fast-forward to the present day, and things are different. Phishing is a full-fledged (and highly profitable) business run by professionals. We're now training organizations and their employees, subcontractors, suppliers, and educational institutions on how to recognize the eight threats of phishing, understand their consequences, and learn best practices. We also train users on other cybersecurity topics such as password protection, using secure Wi-Fi, privacy, and more.
Our clients have seen great success through changing behavior. Yet, those without dynamic cybersecurity awareness programs are still engaging with nefarious content online. Our annual Gone Phishing Tournament — conducted in conjunction with Microsoft over 11 days in October during Cybersecurity Awareness Month — showed that 26% of North American employees would fall victim to a phishing email if they were to receive one, and 68% of them would provide a hacker their credentials.
A Look Ahead
What will cybersecurity and cybersecurity awareness look like in the years ahead? I predict that the threat actors and their methods will change, and cybersecurity awareness will become a core business pillar for all organizations. Some still may not understand the true threats they face; some may think they're too small to be hit, while others may view cybersecurity as an IT or security problem, not an organizational issue that affects everyone.
I predict that organizations will continue to invest in technology to help prevent cyberattacks, and they will also see value in providing better, more consistent training. Security leaders will recognize that an annual course or an informational packet provided to a new employee during onboarding simply isn't enough. Organizations will recognize the importance of training the right people at the right time on the right cybersecurity topics using the right methods.
While cybersecurity is a growing threat for organizations around the globe, it has a familiar solution: human knowledge. By making cybersecurity awareness a business imperative, dedicating budget to it, and creating dynamic "cyber heroes," organizations can thrive in today's online world and be prepared for whatever the shifting cyber landscape brings next.