Dark Reading is part of the Informa Tech Division of Informa PLC


10:00 AM
Lise Lapointe
The Changing Face of Cybersecurity Awareness

In the two decades since cybersecurity awareness programs emerged, they've been transformed from a good idea to a business imperative.

Many people think cybercriminals hide in dim basements, masked by hoods, and hack big companies for fame and recognition. However, over the years, cybercrime has become a very profitable — and big — business.

In 2021, my company, Terranova Security, celebrates its 20th anniversary of working with organizations to help change behavior and reduce human risk by combining education and technology.

If there's one thing I've learned in the last two decades, it's that cybercriminals are treating cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a fundamental business imperative, and training needs to be as dynamic as the threat landscape it combats.

A thoughtful, regularly revisited cybersecurity awareness program sets organizations, security leaders — and most importantly, their people — up for cyber success.

In this article, I will reflect on the genesis of the cybersecurity awareness space, analyze how the threat landscape has changed over time, and share some predictions on what's next for the cybersecurity awareness landscape.

Cybersecurity Awareness? What's That?
By 2001, I had been working in technology for quite some time, and I asked my contacts in the technology space what they were missing. Some told me they had a lot of technology training but no security awareness solution for users. So, I decided to develop training to fill this gap.

In 2002, the biggest cyber threat the market faced was computer viruses in the form of worms — standalone malware programs that replicate to spread to other computers. The main objective of cybersecurity awareness 20 years ago was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid engaging with chain letters and scams.

In these formative years, early adopters in the banking and insurance space recognized the need for training. However, cybersecurity awareness as a service did not really take off until 2015, when Gartner released its first Magic Quadrant for cybersecurity awareness. Until then, organizations looked primarily at technology and processes to quell cyber threats, not at the human element of cybersecurity.

The Evolving Cyber Threat Landscape
Between 2005 and 2011, the number of people using the Internet soared. As more services came online, more opportunities for cyberattacks sprang up. With the advent of phishing, our big priorities for awareness shifted and grew. At the time, we were teaching people how to safely use the Internet, bank and shop online, and use social networks, as well as ways to recognize the telltale signs of phishing websites.

Fast-forward to the present day; things are different. Phishing is a full-fledged (and highly profitable) business run by professionals. We're now training organizations and their employees, subcontractors, suppliers, and educational institutions on how to recognize the eight threats of phishing, understand their consequences, and learn best practices. We also train users about other cybersecurity methods such as password protection, using secure Wi-Fi, privacy, and more.

Our clients have seen great success through changing behavior. Yet, those without dynamic cybersecurity awareness programs are still engaging with nefarious content online. Our annual Gone Phishing Tournament — conducted in conjunction with Microsoft over 11 days in October during Cybersecurity Awareness Month — showed that 26% of North American employees would fall victim to a phishing email if they were to receive one, and 68% of them would provide a hacker their credentials.

A Look Ahead
What will cybersecurity and cybersecurity awareness look like in the years ahead? I predict that the threat actors and their methods will change, and cybersecurity awareness will become a core business pillar for all organizations. Some still may not understand the true threats they face; some may think they're too small to be hit, while others may view cybersecurity as an IT or security problem, not an organizational issue that affects everyone.

I predict that organizations will continue to invest in technology to help prevent cyberattacks, and they will also see value in providing better, more consistent training. Security leaders will recognize that an annual course or an informational packet provided to a new employee during onboarding simply isn't enough. Organizations will recognize the importance of training the right people at the right time on the right cybersecurity topics using the right methods.

While cybersecurity is a growing threat for organizations around the globe, it has a familiar solution: human knowledge. By making cybersecurity awareness a business imperative, dedicating budget to it, and creating dynamic "cyber heroes," organizations can thrive in today's online world and be prepared for whatever the shifting cyber landscape brings next.

Recognized as an innovative entrepreneur, a visionary, and a leader, Lise has dedicated the last two decades to cybersecurity and has been in technology for over 30 years. In 2001, she launched Terranova Security, one of the first companies in the world to focus on ...
