Gauging the cybersecurity industry’s current situation, concerns and frustrations is never easy, but cyber professionals should be polled at least annually to capture the consensus of those who live and breathe it every day.
Putting a finger on the pulse of certain cybersecurity issues which are top of mind for security professionals was my goal at the UK’s largest cybersecurity conference, Infosecurity Europe, in June 2024. At the event I was able to engage with many peers as well as ask questions and analyze their responses which unveiled some interesting insights.
A recurring theme that emerged from KnowBe4’s survey of over 200 security experts was a sense of frustration, especially with their advice being ignored. Over a quarter (29%) stated this happened at their workplace, while 12.5% claimed they were working in an inadequate security culture/environment.
This highlights the importance of fostering a robust security culture within organizations, where cybersecurity is viewed as a shared responsibility rather than the sole responsibility of the IT department.
Cyber Awareness Training Often Ineffective
Whilst these frustrations are entirely valid, they raise the question of what makes security awareness training ineffective, and why organizations continue to rely on it in that form.
The answer often lies in organizations going through the motions of a tick-box compliance exercise to appease an auditor. The typical form this takes is the antiquated once-a-year training model, where employees are inundated with an overwhelming amount of information over an hour or more (sometimes with the added bribe of coffee and doughnuts) so that the training can be marked complete. Organizations must shift away from this model.
Instead, newer, more user-friendly approaches should be adopted. Finding a training style that resonates with users, incorporating elements of comedy or drama, and keeping sessions concise and impactful can make a significant difference. Organizations can also use short, timely interventions, or nudges, delivered at the moment a risky decision is being made (for example, a prompt shown when someone is about to email a document to an external address). These can be incredibly powerful in promoting security awareness and fostering a culture of cybersecurity vigilance.
AI Usage in the Workplace
When asked about the use of AI within organizations, the results were mixed. While 41% of respondents reported having a responsible use policy for AI that employees have agreed to, a significant portion (30.5%) indicated that their organizations have no such policy in place or have no plans to introduce one.
As AI becomes increasingly integrated into business processes, it's crucial for organizations to establish clear guidelines and policies around its responsible use. This includes stating which corporate data employees may enter into external AI services, considering the ethical implications of AI, ensuring transparency and accountability for AI-assisted decisions, and mitigating potential biases or unintended consequences.
A significant number of respondents (26.5%) cited AI and deepfakes as the biggest perceived cybersecurity risk to their organizations. This concern is not unfounded, as we continue to witness a surge in AI-powered cyber-attacks and deepfake-related fraud.
The largest concern however was social engineering threats. AI and deepfakes are the latest tools in the arsenal of cybercriminals, primarily used in social engineering campaigns. While the technology itself is undeniably impressive, it's crucial to recognize that the real threat lies in how these tools are wielded to manipulate and deceive unsuspecting individuals.
As such, our primary focus should be on addressing the social engineering aspect of these attacks, rather than becoming distracted by the novelty of the technology itself.
Risky Employee Behavior Prevalent
The survey also shed light on the prevalence of risky behaviors among employees, with many admitting to using entertainment or streaming services (33%), sharing personal information (14%), and using unauthorized removable media like USB sticks (7.5%) at work.
These actions can inadvertently expose organizations to cyber threats (an unauthorized USB stick, for instance, can carry malware in or data out), underlining the critical role of effective security awareness training. However, 8.5% of respondents cited ineffective security awareness training as a major frustration, suggesting that current training programs are not hitting the mark.
Organizations must reassess their approach to cybersecurity education, ensuring that training is engaging, relevant, and tailored to the specific needs and roles of employees.
It's tempting to believe that advancements in technology will provide a silver bullet solution to our cybersecurity woes, but the reality is far more complex. While technology undoubtedly has a vital role to play in bolstering our defenses, it's not a panacea.
It's imperative that we invest in helping individuals make better risk decisions, providing them with the knowledge and tools they need to identify and avoid potential threats. Simultaneously, we must strive to create an environment where making the right choices is the path of least resistance.
Building a Strong Security Culture is Vital
To navigate this complex landscape, organizations must prioritize the development of a strong security culture, where cybersecurity is embedded into the fabric of the organization, and everyone plays a role in maintaining a secure environment. This involves empowering security professionals, providing effective training, and fostering open communication and collaboration across all levels of the organization.
Ultimately, the path to effective cybersecurity lies in striking a balance between human-centric approaches and technological innovation. By nurturing a culture of cybersecurity awareness, empowering security professionals and embracing new technologies responsibly, organizations can build resilience against the ever-changing threat landscape and safeguard their assets, reputation, and stakeholders in the digital age.