Cybersecurity training – raising awareness of business threats

Cybersecurity training must be more than a one-off event to give firms a fighting chance of defending against business threats.
12 April 2023

Sharpen your cybersecurity training game with regular practice. Image credit: Shutterstock Generate.

Getting your Trinity Audio player ready...

Cybersecurity training may be a useful pair of keywords, but the phrase is problematic if readers are left with the impression that one-off exercises will be sufficient to build long-lasting defences against ransomware, phishing attempts, and other common cyber attacks. In reality, companies are likely to be better served by pursuing continuous learning approaches. Studies by cybersecurity providers such as Hornetsecurity show that security awareness services are more effective in protecting employees against cyber threats.

Well-timed awareness-raising exercises – including testing staff responses to simulated phishing emails, and highlighting other popular attack vectors – can outperform conventional cybersecurity training. Knowledge can soon fade after a one-off session. But regular training events presented at teachable moments – for example, at the end of the day when employees may feel tired and could be more susceptible to social engineering – can cement learning and demonstrate the tactics that bad actors use to breach company defences.

It’s also useful for IT teams and other technical staff to set aside time to conduct their own cybersecurity training research, which can include reviewing adversary playbooks. Benefits here include the opportunity to brush up on the tell-tale signs that something could be amiss on company networks.

Threat actor playbook research

Sygnia, which provides incident response support for organizations worldwide, including Fortune 100 companies, is one of a number of cybersecurity firms that provide regular spotlights on threat actor behaviour. Its most recent security bulletin focuses on Ragnar Locker, which refers to both a strain of ransomware and the criminal group that operates the rogue software.

Sygnia points out that just because Ragnar Locker hasn’t made it into the list of top 10 ransomware strains, doesn’t mean that the attack can’t prove dangerous for organizations. Backing up this warning, is the fact that the FBI has issued two flash notifications to provide IT teams with a heads-up on the tactics, techniques, and procedures that accompany a Ragnar Locker ransomware attack. And the bulletins serve as valuable cybersecurity training resources.

In 2020, the FBI warned that Ragnar Locker ransomware was being targeted at cloud service providers, communication, construction, travel, and enterprise software companies. And by 2022, the US law enforcement agency had identified at least 52 entities – spanning 10 critical infrastructure sectors, including energy, manufacturing, and government organizations – that it believed had been affected by the malware.

As well as listing potential signs dubbed indicators of compromise, or IOCs, that a system may have been infiltrated, the FBI flash warnings remind organizations of recommended mitigations to ransomware threats. Security measures include backing up critical data offline and keeping devices and software patched and up to date.

Cybersecurity actions

One of the most common remediation steps on the Known Exploited Vulnerabilities Catalogue published by CISA, America’s cyber defense agency, is the action to apply updates per vendor instructions. And the number of times that this phrase appears on the 914 entry list highlights just how important it is to make sure that machines are running the latest version of their operating systems and other related programs.

Adversaries will waste no time in pouncing on company IT assets that they have identified as running out-of-date software, as all attackers then have to do is find a known vulnerability and they are in. Having a second (or third) copy of critical business information and methodically patching devices will frustrate attempts by bad actors to hold companies to ransom by carrying out malicious data encryption. And CISA provides a cybersecurity evaluation tool (CSET) at no cost to organizations, which allows users to conduct a ransomware readiness assessment.

Technical solutions make a valuable contribution to a firm’s security posture. But the ability of a company to predict, prevent and respond to cyber threats, which will evolve over time, means paying attention to the human element too in cybersecurity training.

A data breach investigation report conducted by Verizon’s business division found that 82% of breaches examined in the 2022 study exploited what can be classed as human behavior, rather than machine or software vulnerabilities. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” write the Verizon report’s authors.

Digital self-defense

And Niklas Hellemann – CEO at SoSafe, a cybersecurity awareness provider with offices in Germany, France, and the UK – emphasizes that organizations must empower their teams in digital self-defense. All employees can play a role in keeping cyber defenses high and should be on the lookout for signs of emotional manipulation – a popular weapon of choice for cybercriminals, note SoSafe’s security analysts.

Data gathered by SoSafe point to patterns of behaviour such as bad actors taking advantage of an employee’s willingness to help, and the use of praise and flattery to engineer attacks. At the same time, Deepfake technology is making it easier for fraudsters to impersonate senior management over the phone – particularly if voice samples can be grabbed from publicly accessible presentations and other audio and video content. And these software advances are being misused by adversaries to mount increasingly realistic social engineering attacks. Advice to staff includes taking steps to verify information before actioning anything.

Keeping abreast of cybersecurity threats on a regular basis is essential, and firms should consider their cybersecurity training programs as ongoing efforts rather than activities to be performed once and celebrated with a certificate.