How cybersecurity training can break the cyber impact chain

By Matt Lindley, COO and CISO at NINJIO

The financial impact of cyberattacks has increased dramatically in recent years – the cost of data breaches recently hit an all-time high, companies have made large ransomware payments, and the process of getting systems back online and restoring operations is expensive. These direct financial consequences are what usually come to mind when companies evaluate the cyberthreats they face – but they’re only part of the story.

There are many other links of the cyber impact chain that companies must consider: damage to their reputations, lost customers and future business, consequences for vendors and other partners, legal and regulatory liabilities, and systems outages that make life difficult (if not impossible) for employees. At a time when social engineering is a major source of cybercriminal intrusion, cybersecurity awareness training plays a critical role in insulating companies from the cyber impact chain. Awareness training gives all employees the knowledge they need to prevent and contain cyberattacks, which can drastically reduce the extent of the cyber impact chain.

Cybersecurity is everyone’s responsibility, and an awareness training program is what turns that principle into distributed defenses across the entire organization. Well-trained employees know how to identify, report, and react to cyberattacks quickly and effectively. This doesn’t just minimize the damage caused by these attacks across the cyber impact chain – in many cases, it breaks the chain at the first link by preventing an attack altogether.

Reframing the consequences of cyberattacks

Cyberattacks are becoming more financially destructive all the time. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach rose by over 15 percent between 2020 and 2023 – to $4.45 million globally, a figure that more than doubles for organizations in the United States. The same report found that it typically takes 204 days to identify a breach and another 73 days to contain it.

However, the word “contain” can be misleading. It’s often impossible to fully appreciate the consequences of a cyberattack at the time: stolen data can resurface on the dark web years later, and the full impact on the business can be difficult to quantify.

For example, consider the reputational consequences. At a time when 86 percent of Americans say data privacy is a growing concern and over two-thirds are worried about the amount of data being gathered by businesses, 70 percent of business leaders say they’re increasing consumer data collection. When this data is stolen, it can severely damage trust, cause customers to flee, and prevent the company from attracting new business. Data breaches can also expose companies to costly operational disruptions, lawsuits, regulatory crackdowns, employee burnout and churn, severed relationships with third-party partners, and other consequences.

Companies sometimes even become synonymous with cyberattacks – who can think of SolarWinds or Colonial Pipeline without remembering the massive cyberattacks those organizations suffered in 2020 and 2021, respectively? It’s no wonder that companies are increasing their investments in cybersecurity – as they develop a deeper understanding of the full cyber impact chain, the necessity for robust cyber defenses becomes clearer every day.

The human element in the cyber impact chain

The majority of cyberattacks rely on the deception and manipulation of human beings to gain access, steal data, and disrupt otherwise secure systems. According to Verizon’s Data Breach Investigations Report, nearly three-quarters of all breaches “include the human element.” This means companies must decide whether they want their employees to be their biggest cybersecurity liability or their biggest asset. As social engineering attacks surge, cybersecurity awareness training is one of the most cost-effective ways to keep the company safe and limit the extent of the cyber impact chain.

IBM reports that the presence of a “security skills shortage” drives up the average cost of a data breach more than almost any other variable. Meanwhile, employee training reduces that cost more than almost any other factor – including data security software, encryption, and cyber insurance. There’s no clearer evidence that employees can either keep the company and its customers safe or pose a grave threat.

Good cybersecurity awareness training focuses on the psychological levers that cybercriminals pull to infiltrate an organization, such as fear, obedience, greed, opportunity, sociability, urgency, and curiosity. Susceptibility to each of these varies from employee to employee, which is why training must offer personalized assessments and instruction. Effective awareness training reinforces employees’ strengths while addressing their weaknesses. By focusing on the basic psychological factors involved in cyberattacks and using real-world examples of the latest cybercriminal tactics, these programs improve employees’ performance over time and help them adapt to shifts in the cyberthreat landscape.

CISOs and other members of the security team must think about the cyber impact chain in terms of cause and effect. When they show employees the vast range of real-world consequences of cyberattacks, they make clear why awareness training is so vital. And when they demonstrate how cybercriminals launch these attacks with social engineering tactics like phishing, they give employees the knowledge they need to identify and thwart attacks in progress.

Limiting the scope of the cyber impact chain

To appreciate the potentially devastating scope of the cyber impact chain, look no further than the recent cyberattack on Change Healthcare. The attack forced the shutdown of over 100 systems, which cut off claims and payment processing for hospitals, clinics, and other healthcare organizations across the United States. A survey of hospitals found that 60 percent were losing more than $1 million per day in revenue, and the impact on patient care has been immense.

Cyberattacks like the Change Healthcare breach should be a blaring warning that companies remain too vulnerable to increasingly sophisticated and motivated cybercriminals. While information about what caused the Change breach is still coming in, we know social engineering has been used in a large proportion of recent breaches. For example, the attack on MGM Resorts started with a single phone call to the IT help desk – the attackers posed as an employee who had been locked out, talked their way into a credential reset, and launched an attack that shut down an array of MGM operations and systems. The practical lesson is that a help desk needs a verification step that a caller cannot satisfy with publicly available information, and that staff must feel free to refuse a reset when that step fails, however urgent the caller sounds.

Phishing and stolen credentials are the most common initial attack vectors, which means hackers rely heavily on social engineering in the earliest links of the cyber impact chain. Employees can sometimes detect phishing attacks by noticing errors in messages or strange speech patterns on the phone, but AI will make this far more difficult. Cybercriminals can use AI to generate convincing, error-free phishing messages and follow up with deepfake voice or video impersonations that victims will struggle to identify. Training therefore cannot stop at spotting typos: employees must learn to verify unexpected requests through a separate, known-good channel, and they must know exactly how to report a suspicious message so the security team can act on it quickly. Taught this way, awareness training complements the company’s other cybersecurity controls by showing employees what resources are available to them and when to use them.

The cyber impact chain often extends far beyond the payment of a ransom, disrupted operations, and other immediate costs. Cyberattacks can have sweeping, long-term consequences for companies – from a loss of customer trust to employee turnover. With social engineering at the heart of so many of these attacks, cybersecurity awareness training remains one of the best ways to mitigate the full range of consequences – or to avoid them altogether.
