Cybersecurity Awareness Month: Building trust in an evolving threat landscape
October is Cybersecurity Awareness Month and a great reminder of the importance of protecting the information with which we are entrusted. Data protection and cybersecurity are top of mind for consumers, employees and business executives when they define trust*. For CEOs**, the increasing number and complexity of cyber attacks globally require a strong, security-focused culture. Security awareness is integral to enabling organizations to manage financial and reputational risks in this evolving threat landscape, and we should provide our teams with the tools and the understanding of why and how they play a critical role in cyber readiness.
Cyber attacks are happening more frequently and in new ways
It’s not a matter of if a cyber attack will be attempted, it’s how and when. Organizations today should be cyber-ready not only in the areas of traditional security capabilities and technologies, but also by building a security-aware culture. Security awareness programs tend to focus on email-based breaches because email continues to be a major channel for phishing and malware delivery. But email isn’t the only channel. Today, cyber attackers attempt other methods such as blackhat Search Engine Optimization (SEO) to capture top results in search engines. They also work to compromise newer company communications platforms beyond email, like business messaging apps, to leverage personal information such as name, title, hobbies, associates at work, professional associations, and more.
Be proactive, not reactive, by investing in role-specific security awareness training
Today’s cyber challenges are unlike anything we’ve experienced before. They require something more than the expected. Traditional security awareness training alone will not prevent cyber threats; it should be paired with more strategic, role-based training. There has been a rise in personalized social engineering and phishing attacks that target individuals based on their specific role or function. Cybercriminals can increase their return on investment by compromising the digital identities and accounts of staff who have elevated system access (e.g., IT administrators) or specialized application privileges (e.g., payment processing). An attacker can highly personalize a social engineering scheme by scouring publicly available data on social media. What you post on professional networking websites or apps about your profession, role, responsibilities, and the technologies you use each day is all information an attacker could use to make a phishing attack more effective.
Business Email Compromise (BEC) affects virtually every professional. For example, cybercriminals target the legitimate email accounts of payment approvers and then trick recipients into paying an invoice. In addition to BEC, with many organizations adopting the cloud, administrators of cloud environments are targeted due to their elevated access to cloud infrastructure. It is paramount that these personnel sufficiently protect privileged accounts using controls such as multi-factor authentication. Other potential targets may include recruiters or customer service professionals, as they tend to interact more with the public and could unknowingly divulge valuable organizational information to an attacker. These are examples of some role types that may require tailored security awareness training.
Frequent, fresh role-based training prepares employees in various functions to quickly identify and respond to threats. Training that mimics very real scenarios is critical to helping individuals understand the types of risks and attacks they might face. In doing this you help keep your organization safe and, most importantly, you keep your stakeholders’ and customers’ trust, too.
Thinking long-term for a secure future
Think about the direction your organization is heading to remain an industry competitor in the future, and make sure you continue to embed security into your culture. Consider how you will take action:
- As new technology and business processes are introduced, what potential social engineering threats could arise along the way?
- Do your staff understand and use available cybersecurity tools?
- Do you offer risk mitigation and risk management training sessions to prepare staff in the event of a cyber event?
- Is your organisation regularly introducing refreshed security awareness training for all end users?
- Do your end users know how to recognise a suspicious event and how to report it?
Be proactive with your people to prepare them for the future and be cyber-ready, today.
*PwC’s Trust in US Business Survey
**PwC’s 24th Annual CEO Survey
Quality Lead / Lean Expert (3y)
Thank you James for a great assessment on the state of security and the new ways threat actors are expanding the threat landscape, and for articulating the concrete steps for a role-based security strategy.

Information Technology Executive (3y)
James, nicely done and on point!

BDR @ Loxo - Helping companies recruit more intelligently and effectively (3y)
Couldn't agree more, in particular around the comment "traditional security awareness training alone will not prevent cyber threats -- it should be paired with more strategic, role-based training".