People can be both the key to a successful cybersecurity strategy and the weakest link in a cyber defense system. Organizations rely on their cybersecurity professionals – especially those in SOC and IR teams – as the ‘defending heroes’ whose technical expertise and watchful eye keep their assets and operations safe. In reality, though, all their efforts to procure, install, configure and operate the right technological solutions can be undone by an individual somewhere else in the organization who, for example, clicks on a link in an innocent-looking email, inadvertently giving a cybercriminal an access point to exploit. After all, firewalls can’t prevent an employee from falling for a phishing email, and it is just this type of insidious attack – which a cybercriminal can cook up in minutes – that can cause the most damage.
34% of cyberattacks involve internal actors
The increase in remote working in response to the current pandemic inadvertently made employees the masters of their organizations’ cyber destiny, opening up a whole new playground of unsuspecting and unsecured devices for cybercriminals to enjoy. Without the guidance of an expert IT/OT team, or the corporate resources invested in the most up-to-date technology at the office, employees fell victim to cyber threats that exploited vulnerable virtual private networks (VPNs), unpatched Windows-based systems, and a general lack of internet security at home.
The control systems behind critical infrastructure – from energy to finance, healthcare to transportation, communications to government – are popular targets for cyber activists and terrorists seeking to cause mayhem to advance their cause. Here, the stakes are infinitely higher, because when critical infrastructure fails, the effects can be devastating on a nationwide scale, in terms not only of the provision of utilities such as power, but of security, public health and safety.
56% of utilities surveyed reported at least one shutdown or operational data loss per year, due to cyberattack
As the energy sector, and in particular electric utilities providers, advances in its digital transformation – think smart grids and the digitalization of the power supply process – power generation and distribution become more connected, and increasingly vulnerable. This means that implementing a proven, effective cybersecurity model, with awareness training at its core, is even more important in this domain.
Cybersecurity really is an organization-wide issue. It takes more than a monthly circular reminding people not to click on ‘suspicious-looking links’ to raise true awareness of cyber risk. A culture of cyber security awareness needs to be cultivated across the whole organization, based on an understanding of the risks and potential outcomes of a cybersecurity attack. Cross-organizational cyber security training for employees – including senior management – may cover a range of topics, from the fundamentals of cyber awareness, to best practices for preventing or reducing breaches that target insiders, to practical, hands-on exercises based on real-life attack scenarios.
With the right awareness and ongoing training, every employee can serve as an extension to the professional cyber team which, given the current shortage of cybersecurity professionals in the market, makes good sense.
As with any new large-scale initiative, there may initially be some resistance to implementing cyber awareness training for employees. Transparency is key to securing buy-in. Begin by educating employees about the ramifications of falling victim to a cyberattack and thereby exposing the organization to untold damage. Ensure training is tailored to your organization and taught by trainers with specialized knowledge of how your organization works, the systems your employees use, and the threat landscape you face.
Reinforce what your employees learn by enabling them to put it into practice, test their growing awareness, and identify blind spots through hands-on simulations of real-life attacks. Once a training exercise is over, hold a debriefing session in which employees can learn from their own mistakes, and from each other. Finally, acknowledge that mistakes can still happen and remove the associated shame. Put in place simple, streamlined incident reporting processes and make it clear that, if an innocent error does occur, covering it up only makes it worse. Instead, encourage people to come forward by reassuring them that there will be no negative consequences.
To find out how CyberGymIEC can support cyber security training for critical infrastructure employees, contact us.