Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Lise Lapointe
Lise Lapointe
Connect Directly
E-Mail vvv

The Changing Face of Cybersecurity Awareness

In the two decades since cybersecurity awareness programs emerged, they've been transformed from a good idea to a business imperative.

Many people think cybercriminals hide in dim basements, masked by hoods, and hack big companies for fame and recognition. However, over the years, cybercrime has become a very profitable — and big — business.

In 2021, my company, Terranova Security, celebrates its 20th anniversary of working with organizations to help change behavior and reduce human risk by combining education and technology.

Related Content:

Can Organizations Secure Remote Workers for the Long Haul?

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: 10 Security Awareness Training Mistakes to Avoid

If there's one thing I've learned in the last two decades, it's that cybercriminals are treating cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a fundamental business imperative, and training needs to be as dynamic as the threat landscape it combats.

A thoughtful, regularly revisited cybersecurity awareness program sets organizations, security leaders — and most importantly, their people — up for cyber success.

In this article, I will reflect on the genesis of the cybersecurity awareness space, analyze how the threat landscape has changed over time, and share some predictions on what's next for the cybersecurity awareness landscape.

Cybersecurity Awareness? What's That?
By 2001, I had been working in technology for quite some time, and I asked my contacts in the technology space what they were missing. Some told me they had a lot of technology training but no security awareness solution for users. So, I decided to develop training to fill this gap.

In 2002, the biggest cyber threat the market faced was computer viruses in the form of worms — standalone malware programs that replicate to spread to other computers. The main objective of cybersecurity awareness 20 years ago was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid engaging with chain letters and scams.

In these formative years, early adopters in the banking and insurance space recognized the need for training. However, cybersecurity awareness as a service did not really take off until 2015, when Gartner released its first Magic Quadrant for cybersecurity awareness. Until then, organizations looked primarily at technology and processes to quell cyber threats, not at the human element of cybersecurity.

The Evolving Cyber Threat Landscape
Between 2005 and 2011, the number of people using the Internet soared. As more services came online, more opportunities for cyberattacks sprung up. With the advent of phishing, our big priorities for awareness shifted and grew. At the time, we were teaching people how to safely use the Internet, bank and shop online, and use social networks, as well as ways to recognize the telltale signs of phishing websites.

Fast-forward to the present day; things are different. Phishing is a full-fledged (and highly profitable) business run by professionals. We're now training organizations and their employees, subcontractors, suppliers, and educational institutions on how to recognize the eight threats of phishing, understand their consequences, and learn best practices. We also train users about other cybersecurity methods such as password protection, using secure Wi-Fi, privacy, and more.

Our clients have seen great success through changing behavior. Yet, those without dynamic cybersecurity awareness programs are still engaging with nefarious content online. Our annual Gone Phishing Tournament — conducted in conjunction with Microsoft over 11 days in October during Cybersecurity Awareness Month — showed that 26% of North American employees would fall victim to a phishing email if they were to receive one, and 68% of them would provide a hacker their credentials.

A Look Ahead
What will cybersecurity and cybersecurity awareness look like in the years ahead? I predict that the threat actors and their methods will change, and cybersecurity awareness will become a core business pillar for all organizations. Some still may not understand the true threats they face; some may think they're too small to be hit, while others may view cybersecurity as an IT or security problem, not an organizational issue that affects everyone.

I predict that organizations will continue to invest in technology to help prevent cyberattacks, and they will also see value in providing better, more consistent training. Security leaders will recognize that an annual course or an informational packet provided to a new employee during onboarding simply isn't enough. Organizations will recognize the importance of training the right people at the right time on the right cybersecurity topics using the right methods.

While cybersecurity is a growing threat for organizations around the globe, it has a familiar solution: human knowledge. By making cybersecurity awareness a business imperative, dedicating budget to it, and creating dynamic "cyber heroes," organizations can thrive in today's online world and be prepared for whatever the shifting cyber landscape brings next.

Recognized as an innovative entrepreneur, a visionary, and a leader, Lise has dedicated the last two decades to cybersecurity and has been in technology for over 30 years. In 2001, she launched Terranova Security, one of the first companies in the world to focus on ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.