Many people believe that cybercriminals are hiding in dark basements, covered by masks, and invading large companies to gain fame and recognition. However, over the years, cybercrime has become a very profitable business.
In 2021, my company Terranova Security celebrates its 20th anniversary, working with organizations to help change behavior and reduce human risks by combining education and technology.
If I have learned one thing in the past two decades, it is that cybercriminals regard cybersecurity as a business. Therefore, organizations need to treat cybersecurity awareness as a basic business requirement, and training must be as dynamic as the threat landscape it responds to.
A well-thought-out cyber security awareness program that is regularly reviewed can prepare organizations, security leaders (and most importantly, their employees) for cyber success.
In this article, I will review the origins of the field of cyber security awareness, analyze the changes in the threat landscape over time, and share some predictions on the next development of the cyber security awareness landscape.
Cybersecurity awareness? What is that?
By 2001, I had been in technical work for some time, and I asked my contacts in the technical field what was missing. Someone told me that they had received a lot of technical training, but there was no security awareness solution for users. Therefore, I decided to conduct training to fill this gap.
In 2002, the biggest cyber threat facing the market was computer viruses in the form of worms. These viruses are independent malware programs that can be replicated and spread to other computers. Twenty years ago, the main goal of cybersecurity awareness was to introduce users to these threats. We developed a one-hour course module explaining email viruses and how to avoid dealing with chain letters and fraud.
During these growing years, early adopters in the banking and insurance fields realized the need for training. However, it wasn’t until 2015, when Gartner first released the Magic Quadrant for Cyber Security Awareness, that cyber security awareness as a service really took off. Prior to this, organizations focused mainly on the technology and processes for eliminating cyber threats, rather than on the human factors of cyber security.
The evolving cyber threat landscape
Between 2005 and 2011, the number of people using the Internet surged. As more services went online, more opportunities for cyber attacks sprang up. With the advent of phishing, our top priority in raising awareness shifted and grew. At the time, we were teaching people how to use the Internet safely, bank and shop online, and use social networks, as well as ways to identify signs of phishing websites.
Fast forward to today; things are different. Phishing is a mature (and highly profitable) business run by professionals. Now, we are training the organization and its employees, subcontractors, suppliers and educational institutions to make them aware of the eight threats of phishing, understand its consequences and learn best practices. We will also train users on other network security methods, such as password protection, use of secure Wi-Fi, privacy, etc.
By changing behavior, our customers have achieved great success. However, those who do not have a dynamic network security awareness program are still surfing the Internet to browse evil content. Our annual “Phishing Tournament” (which was held for 11 days with Microsoft during Cyber Security Awareness Month in October) showed that 26% of North American employees who receive a phishing email will fall victim to it, and 68% of employees will give their credentials to hackers.
Looking to the future
What will cybersecurity and cybersecurity awareness look like in the next few years? I expect threat actors and their methods will change, and cybersecurity awareness will become the core business pillar of all organizations. Some people may still not understand the real threats they face. Some people may think they are too small to be attacked, while others may see cybersecurity as an IT or security issue rather than an organizational issue that affects everyone.
I predict that organizations will continue to invest in technology to help prevent cyber attacks, and they will also see value in providing better, more consistent training. Security directors will recognize that offering annual courses or information packages to new employees during the onboarding period is simply not enough. Organizations will recognize the importance of using the right methods to train the right people on the right cybersecurity topics at the right time.
Although cybersecurity poses an increasing threat to global organizations, it has a familiar solution: human knowledge. By making cybersecurity awareness a top priority for businesses, allocating budgets for it, and creating vibrant “cyber heroes”, organizations can thrive in today’s online world and prepare for the rapidly changing online environment that follows.
Lise is recognized as an innovative entrepreneur, visionary and leader. In the past 20 years, she has devoted herself to network security and has been in the technical field for more than 30 years. In 2001, she founded Terranova Security, one of the first companies in the world to focus on…