There is a well-known saying that many attribute to Mark Twain: "Everybody talks about the weather, but nobody does anything about it." You could substitute "cybersecurity" for "the weather" and it would be even more true in the early twenty-first century.
In this article, I will briefly summarize a Gartner Report from 2020, recently updated ("The urgency to treat security as a business decision"), and some observations in a 2021 eBook by cyber risk management firm BitSight ("Ransomware: The rapidly evolving trend"). (These are not paid placements by either organization, and there is no direct link available to either publication.) Taken together, the two documents point to a role for L&D and instructional designers in dealing with cybersecurity.
The Gartner Report: Treat security as a business decision
This report is mainly intended for CIOs, but it identifies three specific challenges regarding cybersecurity, each of which is or could be related to learning and development objectives (quoting from the report):
- Cybersecurity spending growth is slowing through 2023, while boards are starting to push back and ask what they have achieved after years of heavy cybersecurity spend.
- Boards and senior executives are asking the wrong questions about cybersecurity, leading to poor investment decisions.
- Many current approaches to improve cybersecurity are falling short of providing appropriate and defensible levels of protection.
Each of these involves a gap of the kind that can be addressed at least in part by L&D if boards and senior executives decide to make them the basis of strategic business objectives. The report offers good analysis and research, and sound suggestions for actions, along with some sad lessons learned from the experience of organizations to date. The bottom line seems to be summed up with this finding: "Everyone is seeking a simple answer where one does not exist."
Ransomware: The rapidly evolving trend
While ransomware is a subset of cybersecurity concerns, it is a large and growing one. BitSight's eBook quotes data collected by the University of Cambridge showing that ransomware's share of cyber insurance claims grew from 13% over 2014 to 2019 to 54% in 2020. The book also cites examples demonstrating that extortion attempts have changed from single extortion (seeking money from a single organization) to triple extortion (seeking money from a chain of victims, including individual victims). BitSight characterizes the business model of the gangs that engage in this behavior as "Ransomware-as-a-Service".
There are best practices for dealing with cybercriminals, mainly by reducing the likelihood of being a victim through "a relentless focus on core security hygiene." That means team members who effectively perform security controls and practices every day.
What can we do to prevent or deal with a breach?
The BitSight eBook does cite solutions that they offer, but they also make it clear that there is a reason organizations with effective means of reducing risk are few and far between. Using BitSight's numbers, it becomes obvious that it does not take much of an improvement in security hygiene benchmarks (however you measure them) to greatly reduce the likelihood of being victimized by ransomware.
In preparing this article, I spoke to three individuals who are expert at handling questions in this area. The interviews were long and the replies were detailed, so in this article I am only going to summarize the key contributions from each of the experts, saving the rest for future articles.
- Whose fault is it if there is a breach?
- Fundamentals: Guidelines, education, and rules for dealing with a breach; data loss prevention; social engineering.
- What if an organization needs help in dealing with a breach?
Jerry Ray, COO of enterprise data security solution vendor SecureAge
Whose fault is it if there is a breach? Is it the employee? Is it IT? Is it L&D? Jerry's answer surprised me, and he acknowledged that this is a really tricky area, because he feels that no one has all the answers, including security experts and IT staff. As he put it, "Everyone gets a mulligan." But there is a way to reduce the risk that applies an effective security hygiene measure and responds to the third bullet above from the Gartner Report.
He said, "That leaves it up to the tools; the software; the applications that are coming from security vendors. That extends the mulligan to the user: situational awareness is a function of environment, a function of exposure, a function of the individual. I can never account for all of that. And I can never say someone is lacking common sense when the situation they experience is uncommon.
"It is simply not their fault. And if somebody gets a very wonky-looking spam email with FedEx spelt incorrectly, bad logos, bad iconography, and they still click on that attachment, it's still not their fault. And I can't stress that enough. The complexity of the systems and IoT being in the mix, and everything affecting everything else means none of us can account for the entire permutations of all the hardware, software, and connection protocols that are behind what you and I are doing right now.
"So really the last bastion of security are the tools coming from security experts who develop them, those who create our operating systems and should build security into those inherently, those who are building the applications and should put security forefront as they map out what they want to build and deliver, not as an after-the-fact add-on. These are a lot of 'shoulds' that I'm saying, and 'shoulds' are kind of nothing we can rely on. And ultimately we want to rely on ourselves, but I just have to throw my hands up. I cannot stop or thwart a motivated hacker from getting into my system, from getting anything they want. What I can do though is make sure that what they take is meaningless to them, because every single thing I have is encrypted, to any other pair of eyes except mine. I've got executables that may run on my machine, if I allow them, but I also have tools that make certain that if I've not allowed it, it can never get going, so that neither ransomware nor a virus can affect me. None of these things can affect me, even if a hacker can get in. And that's the principle by which I spend a lot of my time discussing security mindsets with other researchers, and a lot of my time with the press, trying to get the word out that putting or pushing any of the burden onto individual responsibility is the wrong way to go. We've got these devices developed by the wealthiest companies in the history of mankind. And they've not ever built the security into it the way they should have. They put us in airplanes without wheels, so we can't land properly."
Another approach that also provides security through thinking about systems rather than individual user behavior is the "zero trust security model." Understanding that model and Jerry's point provide a path to redirecting executives toward the right questions. That doesn't mean that there is nothing left for L&D and instructional designers to do. If the questions can't be redirected, or if the execution of the answers is faulty, there are still things that can be done.
Neil Lasher, cybersecurity expert
Neil's answer to my questions dealt mainly with the need to provide employees with guidelines, education, and rules for dealing with cybersecurity or a breach. But he started with the fundamentals: where most security breaches actually happen, and the problems of dealing with social engineering.
"Our learning management systems and our training programs themselves are actually not very secure or not secure where they are stored. We're using third party systems for learning management systems without really knowing what servers they're on, and they've all got lots of good information in them to be stolen. That's the first side of it. The second side is what should L&D be doing from an education perspective. Now you have a very broad scope.
"96% of the theft from organizations happens from within. People within the organization take stuff out that they shouldn't take out. People are leaving; they take the database of users, all the people they've been dealing with, lots of proprietary information in lots of different ways. There are a number of ways that the company should be looking to close those doors and stop it happening. Data loss prevention is the big key in cybersecurity, where using systems you can actually see what people are doing and block them from doing it as they do it. If somebody copies a paragraph from a proprietary document and tries putting it into their blog, the DLP systems will actually stop them copying and pasting, and they'll get a notice up to say this is proprietary information, you're not allowed to do that.
"The education of the staff is a very different side of it. It's about the way that people will click on links on Facebook. Walmart is not going to give you a $1,000 discount voucher because you put your name and details into a form. If you're within an organization, you've got to start training people that there are things you need to look at before you click. There are a whole range of those going on at the moment here in the UK. There's a plethora of texts that are arriving to consumers, say, from the Royal Mail, saying, 'We've got your parcel. There's One Pound 15 Pence to pay. Click here to pay it.' They'll take your credit card details or your name and address and you'll wonder why your credit card's being maxed out within 24 hours. HMRC, Her Majesty's Government site where you pay the taxes, basically will never send you a message to say you're due a 3,000 pounds rebate. Click here to download the form. You download it, and the minute you download it, it contains something else. HMRC will send you a letter. And nobody ever gets a 3,000 pound rebate without knowing they're getting it. But there are a whole load of things that we can teach people to look at. We look at the way things are written. There are lots of spoofed emails around where the language is wrong. The government department will not send you an email that has poorly-written English in it. They're normally really very good. You won't get, 'My dearest Bill, you have been awarded a rebate of 3,000 pounds.' That's not how they write letters.
"My brief answer is very simply this: every company should have a set of rules as to what you should do if you think some specific things have happened. If you have received an email that you think is phishing, or if you think that somebody has access to one of your systems, the first port of call should be IT. Absolutely. Get somebody from IT on the phone and say, 'I think I've been breached. I just received an email, I clicked it. I don't think I should have clicked there.' Let them know, because they will be able to take it off the network at a click of a button. That stops it going laterally if you picked something up. What you don't want to do is infect everybody else in your office. And then they'll come physically and have a look at your machine and see whether you actually have had something. If you haven't, they'll put you back online again. So that should always be your first rule to anybody within an organization, whether in L&D or otherwise. It needs to be brought in through some short microlearnings, all around what not to do."
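The DLP behaviour Neil describes above (recognising a paragraph lifted from a proprietary document and blocking the paste) is usually built on content fingerprinting rather than on exact string comparison. The following is an added illustration of one such approach, not code from this article, from Neil, or from any DLP vendor: the protected document is cut into overlapping 8-word "shingles", each shingle is hashed into an index, and a clipboard paste is blocked when enough of its own shingles hit that index. The document name, the "Project Kestrel" paragraph and the three clipboard samples are all constructed for this example, and the shingle width and match threshold are assumptions a real deployment would tune.

```python
"""Added example: content-aware DLP check using hashed word shingles.

Everything here is constructed for illustration. The corpus, document
name and clipboard samples are made up; the shingle width and the match
threshold are design assumptions, not any vendor's settings.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

SHINGLE_WORDS = 8  # assumed width; wider = fewer false positives, easier to evade


def _tokens(text: str) -> list:
    """Lower-case word tokens, ignoring punctuation and case (so a copied
    clause still matches after the user tidies the formatting)."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Hashed k-word shingles of text. Texts shorter than k words yield
    nothing, so very short pastes are never blocked by this check."""
    words = _tokens(text)
    out: Set[str] = set()
    for i in range(len(words) - k + 1):
        window = " ".join(words[i:i + k])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


@dataclass
class Verdict:
    blocked: bool
    matched_document: Optional[str]
    matched_shingles: int
    total_shingles: int


class ClipboardDlp:
    """Index of protected documents plus a paste-time check."""

    def __init__(self, min_matches: int = 3) -> None:
        self.index: Dict[str, Set[str]] = {}  # shingle hash -> document names
        self.min_matches = min_matches  # assumed threshold

    def register(self, name: str, text: str) -> None:
        for h in shingles(text):
            self.index.setdefault(h, set()).add(name)

    def check_paste(self, text: str) -> Verdict:
        paste = shingles(text)
        hits: Dict[str, int] = {}
        for h in paste:
            for doc in self.index.get(h, ()):
                hits[doc] = hits.get(doc, 0) + 1
        if not hits:
            return Verdict(False, None, 0, len(paste))
        doc, count = max(hits.items(), key=lambda kv: kv[1])
        return Verdict(count >= self.min_matches, doc, count, len(paste))


# Constructed sample data (not real documents or messages).
PROPRIETARY_DOC = (
    "Project Kestrel pricing model: the enterprise tier is billed at a fixed "
    "annual rate with volume discounts applied above ten thousand seats, and "
    "renewal pricing is locked for three years from the date of signature."
)
SAMPLE_PASTES = {
    # verbatim clause, re-cased and re-punctuated: should be blocked
    "verbatim": "The enterprise tier is billed at a fixed annual rate with "
                "volume discounts applied above ten thousand seats.",
    # unrelated text: should pass
    "unrelated": "Reminder: the quarterly all-hands is on Thursday; bring "
                 "your own coffee.",
    # paraphrase: passes, which is the known weakness of exact-shingle DLP
    "paraphrase": "Enterprise customers pay a flat yearly fee, get discounts "
                  "past 10,000 seats, and keep their renewal price for three "
                  "years after signing.",
}


def build_demo_dlp() -> ClipboardDlp:
    dlp = ClipboardDlp()
    dlp.register("kestrel-pricing.docx", PROPRIETARY_DOC)
    return dlp


if __name__ == "__main__":
    dlp = build_demo_dlp()
    for label, text in SAMPLE_PASTES.items():
        v = dlp.check_paste(text)
        action = "BLOCK" if v.blocked else "allow"
        print(f"{label:10s} {action}  matched {v.matched_shingles}/{v.total_shingles} "
              f"shingles against {v.matched_document}")
```

The paraphrase sample is the caveat a practitioner should keep in mind: shingle-based DLP catches copy-and-paste, which is the case Neil raises, but a user who retypes the idea in their own words walks straight past it. That is exactly why he pairs the tooling with staff education rather than relying on either alone.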
Zarmeena Waseem, Director Cybersecurity Education, National Cyber Security Alliance
What if an organization needs help in dealing with a breach? Who do they go to? Especially for a small organization that may not have a defense team, an incident response team, or an intel team: if a breach occurs and somebody in learning and development becomes aware of it or is the target, what is the right response?
"It depends on the structure of your organization. If there is a defense team or an incident response team, I think those would be the first point of contact. Intel is kind of a backup for defense. So defense and incident response often are corresponding names in different organizations. That would be the team to mobilize as soon as there's a breach.
"Most of the organizations that I have had the opportunity to work at have either had security adjacent to IT structurally, or they have had security under the umbrella of IT. It would be smart to also get the right information and communicate that to the network team, even if you don't have to mobilize them right away.
"I think that the role has always been there, it's becoming more formalized now. It's still a pretty young field. So there's a lot of things that are becoming kind of institutionalized lately, if you will. There's always been a security leader in every organization but the title has usually differed. And now I think the CIO or CSO is becoming pretty popular so that people know that there's a place for security within the C-suite or within executive leadership. And that is an important role.
"For organizations that are, let's say, smaller, and don't have someone in a designated role dealing with information security, who would they contact? There are organizations you can contact depending on what the issue is or the type of event. There are pages and resources. For example, Google has a Report Spam or Report Phishing feature in Gmail now. The FTC has a page for reporting fraud. And depending on the scale of the event, if local law enforcement or the FBI need to be involved, that is something as well.
"That's the hard part. I think, in a lot of industries, and also in security, that the answer is always going to be, 'It depends.' The smartest thing we can always do is take preventive measures, instead of having to put out fires afterwards. Proactive security, rather than reactive security, is always the goal for any organization that is security conscious. And that usually means that there should be a huge push for training and education.
"The National Cyber Security Alliance is here to support those needs, in whatever way we can. We're here to answer questions or guide people in the right direction if they need other resources. Readers can visit staysafeonline.org. We share tons and tons of programming and resources, also on our social media pages, especially Twitter, LinkedIn, and Facebook. We also have a YouTube channel (StaySafeOnline1) where we keep all of our webinars and other information. So there's a treasure trove of information out there. And our general email for questions is info@staysafeonline.org."