Organizations have been urged to place a greater focus on ensuring that the cyber security training they deliver is translated into actual behavior change among staff.
Leading cyber security experts and a career criminal addressed delegates at Dell Technologies World 2023, saying that raising cyber awareness across the business is not enough to enact useful change.
Oz Alashe MBE and CEO at risk management firm Cybsafe, veteran security journalist Kim Zetter, and famous former con artist Frank Abagnale all agreed that individual behavior can make or break an organization’s cyber posture.
Zetter used Mandiant’s Henna Parviz, a security analyst who spotted the first indicators of the Solarwinds attack.
It was Parviz who in November 2020 noticed a Samsung phone had been registered to an employee without a phone number, and that it had been used to log into the employee’s virtual private network (VPN) from a different state to where the employee was based.
What she had discovered was the first concrete clue of the Solarwinds breach, led by a standard security alert that Zetter stated a less-fresh, “more jaded” analyst may have disregarded entirely.
Alashe said that the main question that goes unasked in board rooms right now is: ‘Is what we’re doing working’ and noted that this also forces firms to consider what their goals are.
He pointed to a need for small and medium businesses to feel motivated and empowered to take care of cyber security, and for large businesses to govern cyber security at a board level with the same clarity as other risks.
“It’s not knowledge vs behavior change, that’s not what I’m saying at all,” he told ITPro.
“What I’m saying is that knowledge doesn’t equal behavior change, and if we’re not changing behaviors we’re not reducing risk.”
“I know I shouldn’t eat as many packets of crisps as I do and I’m going to do it. If I’m going from A to B, I don’t want someone to teach me how to read a map, I want my phone to help me ‘go down the road and turn left’.
AI’s influence on cyber security
Alashe also pointed out areas of innovation that will demand a change in behavior from employees, such as the threat posed by real-time deepfakes or generative AI.
Although AI has driven a surge in social engineering attacks, with text-generating chatbots such as ChatGPT or Bard allowing attackers to craft sophisticated emails, firms could also use generative AI to protect against phishing.
While machine learning (ML) algorithms can be used for positive processes such as identifying behavioral weaknesses, Alashe said this could also be turned on its head by attackers to better identify prime targets for social engineering.
It is in light of this that he has called for a focus on behavioral change over a purely educational approach to cyber security.
“It is a constant game of cat and mouse, this idea that we would get to a point of knowledge and education – or indeed behavior nirvana – is just not true,” said Alashe.
“Ultimately as technology evolves, and as criminals find new ways of using this technology to steal or gain access to things that they shouldn’t have access to, we will need to evolve the things that we do and the behaviors we exhibit to get around them.”
Perspectives on the future of security
Abagnale stressed that criminals are the same as they have ever been, but are increasingly in possession of more sophisticated tools.
“What I did 50 years ago as a teenager is 4,000 times easier to do today, and with AI it will be 5,000 times easier in the next few years,” he said.
Despite the growing threat, Abagnale praised the growing trend of companies abandoning passwords for passkeys, as Google has done recently.
All three speakers were also jointly optimistic about the potential for canny users and improved technology to bring down risk in the near future.
“There will come a time when virtually every single device considers the user, and the people using them, and therefore gives them the help and support they need,” Alashe said.
“We no longer have to rely just on training and education, we can actually give you the persistence and influence what they actually do. It’s a better and more scientific way to be, it’s a more data-driven way to be. And our people deserve it.”