Training staff to be wary of a cyber threat is not a clear-cut job
As industries reel from a spate of high-profile cyberattacks, companies are looking for outside help in making sure their staff are up to speed on the latest threats.
James Hadley, the CEO of Bristol-based tech start-up Immersive Labs, said it’s difficult to ensure staff charged with protecting their companies’ systems are ahead of ever-evolving threats.
Hadley was a cybersecurity instructor at the U.K.’s intelligence service GCHQ before he started Immersive Labs to bring his training skills to corporate clients.
Its platform uses gamification, continually updated data on new malware, and simulated attacks to train people in the best responses, rather than the traditional classroom-style training course.
“That [courses] takes a lot of time and it dates very quickly,” Hadley told CNBC. “There’s always new attacks and tools coming out all the time so how do we keep this skill up to date?”
Immersive Labs targets its platform at people working in day-to-day technical roles, such as app developers, and at executives who may have to lead the response to an incident.
He said he has seen an uptick in queries from companies that are spooked by cyberattacks like the ransomware that hit the Colonial pipeline.
“We’re seeing increasingly a market ask for the crisis simulation decision-making. Our cyber crisis simulator, which puts people in the hot seat of making decisions during a ransomware incident, is becoming the sharpest arrow in our quiver.”
But Immersive Labs is focused on training people working in already technical roles. That leaves many other professionals in companies whose workflows and habits can be gateways for cybercriminals.
A survey conducted recently by cybersecurity firm Arctic Wolf found that 73% of small and medium sized businesses in the U.K. believe their staff are ill-equipped to respond to a cyberattack.
“At the end of the day it’s true that people are the weakest link in cybersecurity,” Avi Shua, CEO of Orca Security, another cybersecurity company, told CNBC.
Working from home has further widened a company's attack surface, as people use their own devices or chat apps like WhatsApp to stay in touch with colleagues.
This has strengthened the need for greater cybersecurity awareness among employees but Shua said it’s not as simple as that.
“Definitely we need to invest in training but I think we can’t rely on everybody being cyber conscious all the time. I think that relying on that will fail,” Shua said.
“I’m in the cybersecurity industry so I think of cyber every day,” he added, but noted that staff in accounts, HR or other roles are busy with their own daily tasks.
“If I’m an accountant, I can’t think at every moment whether the communication that I’m having is (secure). If this is your strategy, it will fail.”
“(Training) will improve an organization but I believe an organization must put more emphasis into tools that will dramatically help their employees to distinguish between legitimate communication and illegitimate.”
Alan Woodward, a cybersecurity expert and professor at the University of Surrey, said that focusing on training people in non-technical roles to be more cyber aware tends to put too much of an onus on people.
“The big problem about educating people, it tends to be a one-off exercise and we’re all human, we all forget and the criminals are very clever in the way that they socially engineer us,” he said.
Both Woodward and Shua said that the correct approach is to combine technical solutions for detecting threats with human processes for staff to follow, without relying on one over the other.
Woodward added that companies need to be wary of the cyber snake-oil salesmen who emerge after major attacks like the one on Colonial, promoting training or other tools that promise protection.
“It’s a bit like dealing with anything online really. All you can do is look them up, do your research, do a bit of due diligence on them,” he said.
Ransomware is the biggest threat currently “by a country mile,” Woodward said.
With Colonial paying $5 million and JBS paying $11 million to recover their files, a company in a similar ransomware bind will be struggling with the question of whether to pay.
Immersive Labs’ Hadley said that as a cybersecurity professional his stance is to never pay as this only motivates cybercriminals to continue their misdeeds, but acknowledged that businesses in that situation may feel they have no choice.
When a company is hit by ransomware, having working back-ups is one way of getting back up and running. But back-ups can't be left idle either, Hadley said: companies should regularly check that they are intact and easy to restore, so that if disaster strikes they can be relied on.
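A restore test of the kind Hadley describes, as an added example that is not part of the article and not code from Immersive Labs or any other company named here: a Python script that backs up a directory to a tar.gz with a hash manifest, restores it into a scratch directory, checks that every file came back byte-for-byte intact, and refuses any archive member that would be written outside the restore directory (tar path traversal). The directory layout, file names and contents in `demo()` are constructed for illustration; the manifest format is an assumption, not any product's.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Write src_dir to a tar.gz and return a manifest (assumed format) recording
    the archive hash and the hash of every file, so a later restore can be checked."""
    src_dir = Path(src_dir)
    files = {p.relative_to(src_dir).as_posix(): sha256_file(p)
             for p in sorted(src_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(src_dir, arcname=".")
    return {"archive_sha256": sha256_file(archive), "files": files}


def safe_extract(tf: tarfile.TarFile, dest: Path) -> None:
    """Refuse members whose resolved path lands outside dest (e.g. '../etc/passwd')."""
    dest = Path(dest).resolve()
    for member in tf.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
    tf.extractall(dest)


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore test: check the archive hash, extract to a scratch directory,
    and compare each restored file against the manifest."""
    report = {"archive_ok": False, "restored": 0, "missing": [], "corrupted": []}
    if sha256_file(archive) != manifest["archive_sha256"]:
        return report  # bytes on disk differ from what was backed up; do not trust it
    report["archive_ok"] = True
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tf:
            safe_extract(tf, Path(tmp))
        for rel, expected in manifest["files"].items():
            restored = Path(tmp) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["corrupted"].append(rel)
            else:
                report["restored"] += 1
    return report


def demo() -> tuple:
    """Constructed sample: back up a small tree, check a good restore, then flip a
    byte in the stored archive (bit rot or tampering) and check the test catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_restore(archive, manifest)
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF  # corrupt the archive trailer in place
        archive.write_bytes(bytes(data))
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("healthy archive:", good)
    print("corrupted archive:", bad)
```

Run this on a schedule against real archives rather than once at setup: the manifest must be stored separately from the backup (an attacker who can encrypt the backup can also rewrite a manifest sitting next to it), and the scratch restore is what proves the archive is actually usable, not merely present.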