
Operations | Commentary
5/21/2021 10:00 AM
Lise Lapointe

The Changing Face of Cybersecurity Awareness

In the two decades since cybersecurity awareness programs emerged, they've been transformed from a good idea to a business imperative.

Many people think cybercriminals hide in dim basements, masked by hoods, and hack big companies for fame and recognition. However, over the years, cybercrime has become a very profitable — and big — business.

In 2021, my company, Terranova Security, celebrates its 20th anniversary of working with organizations to help change behavior and reduce human risk by combining education and technology.


If there's one thing I've learned in the last two decades, it's that cybercriminals are treating cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a fundamental business imperative, and training needs to be as dynamic as the threat landscape it combats.

A thoughtful, regularly revisited cybersecurity awareness program sets organizations, security leaders — and most importantly, their people — up for cyber success.

In this article, I will reflect on the genesis of the cybersecurity awareness space, analyze how the threat landscape has changed over time, and share some predictions on what's next for the cybersecurity awareness landscape.

Cybersecurity Awareness? What's That?
By 2001, I had been working in technology for quite some time, and I asked my contacts in the technology space what they were missing. Some told me they had a lot of technology training but no security awareness solution for users. So, I decided to develop training to fill this gap.

In 2002, the biggest cyber threat the market faced was computer viruses in the form of worms — standalone malware programs that replicate to spread to other computers. The main objective of cybersecurity awareness 20 years ago was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid engaging with chain letters and scams.

In these formative years, early adopters in the banking and insurance space recognized the need for training. However, cybersecurity awareness as a service did not really take off until 2015, when Gartner released its first Magic Quadrant for cybersecurity awareness. Until then, organizations looked primarily at technology and processes to quell cyber threats, not at the human element of cybersecurity.

The Evolving Cyber Threat Landscape
Between 2005 and 2011, the number of people using the Internet soared. As more services came online, more opportunities for cyberattacks sprung up. With the advent of phishing, our big priorities for awareness shifted and grew. At the time, we were teaching people how to safely use the Internet, bank and shop online, and use social networks, as well as ways to recognize the telltale signs of phishing websites.

Fast-forward to the present day; things are different. Phishing is a full-fledged (and highly profitable) business run by professionals. We're now training organizations and their employees, subcontractors, suppliers, and educational institutions on how to recognize the eight threats of phishing, understand their consequences, and learn best practices. We also train users about other cybersecurity methods such as password protection, using secure Wi-Fi, privacy, and more.

Our clients have seen great success through changing behavior. Yet, those without dynamic cybersecurity awareness programs are still engaging with nefarious content online. Our annual Gone Phishing Tournament — conducted in conjunction with Microsoft over 11 days in October during Cybersecurity Awareness Month — showed that 26% of North American employees would fall victim to a phishing email if they were to receive one, and 68% of them would provide a hacker their credentials.

A Look Ahead
What will cybersecurity and cybersecurity awareness look like in the years ahead? I predict that the threat actors and their methods will change, and cybersecurity awareness will become a core business pillar for all organizations. Some still may not understand the true threats they face; some may think they're too small to be hit, while others may view cybersecurity as an IT or security problem, not an organizational issue that affects everyone.

I predict that organizations will continue to invest in technology to help prevent cyberattacks, and they will also see value in providing better, more consistent training. Security leaders will recognize that an annual course or an informational packet provided to a new employee during onboarding simply isn't enough. Organizations will recognize the importance of training the right people at the right time on the right cybersecurity topics using the right methods.

While cybersecurity is a growing threat for organizations around the globe, it has a familiar solution: human knowledge. By making cybersecurity awareness a business imperative, dedicating budget to it, and creating dynamic "cyber heroes," organizations can thrive in today's online world and be prepared for whatever the shifting cyber landscape brings next.

Recognized as an innovative entrepreneur, a visionary, and a leader, Lise has dedicated the last two decades to cybersecurity and has been in technology for over 30 years. In 2001, she launched Terranova Security, one of the first companies in the world to focus on ...