Dark Reading is part of the Informa Tech Division of Informa PLC


5/21/2021
10:00 AM
Lise Lapointe
Commentary

The Changing Face of Cybersecurity Awareness

In the two decades since cybersecurity awareness programs emerged, they've been transformed from a good idea to a business imperative.

Many people think cybercriminals hide in dim basements, masked by hoods, and hack big companies for fame and recognition. However, over the years, cybercrime has become a very profitable — and big — business.

In 2021, my company, Terranova Security, celebrates its 20th anniversary of working with organizations to help change behavior and reduce human risk by combining education and technology.

If there's one thing I've learned in the last two decades, it's that cybercriminals are treating cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a fundamental business imperative, and training needs to be as dynamic as the threat landscape it combats.

A thoughtful, regularly revisited cybersecurity awareness program sets organizations, security leaders — and most importantly, their people — up for cyber success.

In this article, I will reflect on the genesis of the cybersecurity awareness space, analyze how the threat landscape has changed over time, and share some predictions on what's next for the cybersecurity awareness landscape.

Cybersecurity Awareness? What's That?
By 2001, I had been working in technology for quite some time, and I asked my contacts in the technology space what they were missing. Some told me they had a lot of technology training but no security awareness solution for users. So, I decided to develop training to fill this gap.

In 2002, the biggest cyber threat the market faced was computer viruses in the form of worms — standalone malware programs that replicate to spread to other computers. The main objective of cybersecurity awareness 20 years ago was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid engaging with chain letters and scams.

In these formative years, early adopters in the banking and insurance space recognized the need for training. However, cybersecurity awareness as a service did not really take off until 2015, when Gartner released its first Magic Quadrant for cybersecurity awareness. Until then, organizations looked primarily at technology and processes to quell cyber threats, not at the human element of cybersecurity.

The Evolving Cyber Threat Landscape
Between 2005 and 2011, the number of people using the Internet soared. As more services came online, more opportunities for cyberattacks sprung up. With the advent of phishing, our big priorities for awareness shifted and grew. At the time, we were teaching people how to safely use the Internet, bank and shop online, and use social networks, as well as ways to recognize the telltale signs of phishing websites.

Fast-forward to the present day; things are different. Phishing is a full-fledged (and highly profitable) business run by professionals. We're now training organizations and their employees, subcontractors, suppliers, and educational institutions on how to recognize the eight threats of phishing, understand their consequences, and learn best practices. We also train users about other cybersecurity methods such as password protection, using secure Wi-Fi, privacy, and more.

Our clients have seen great success through changing behavior. Yet, those without dynamic cybersecurity awareness programs are still engaging with nefarious content online. Our annual Gone Phishing Tournament — conducted in conjunction with Microsoft over 11 days in October during Cybersecurity Awareness Month — showed that 26% of North American employees would fall victim to a phishing email if they were to receive one, and 68% of them would provide a hacker their credentials.

A Look Ahead
What will cybersecurity and cybersecurity awareness look like in the years ahead? I predict that the threat actors and their methods will change, and cybersecurity awareness will become a core business pillar for all organizations. Some still may not understand the true threats they face; some may think they're too small to be hit, while others may view cybersecurity as an IT or security problem, not an organizational issue that affects everyone.

I predict that organizations will continue to invest in technology to help prevent cyberattacks, and they will also see value in providing better, more consistent training. Security leaders will recognize that an annual course or an informational packet provided to a new employee during onboarding simply isn't enough. Organizations will recognize the importance of training the right people at the right time on the right cybersecurity topics using the right methods.

While cybersecurity is a growing threat for organizations around the globe, it has a familiar solution: human knowledge. By making cybersecurity awareness a business imperative, dedicating budget to it, and creating dynamic "cyber heroes," organizations can thrive in today's online world and be prepared for whatever the shifting cyber landscape brings next.

Recognized as an innovative entrepreneur, a visionary, and a leader, Lise has dedicated the last two decades to cybersecurity and has been in technology for over 30 years. In 2001, she launched Terranova Security, one of the first companies in the world to focus on ...
 
