In honor of National Cybersecurity Awareness Month, we sat down with some of our security experts to talk about their experience raising awareness in the industry and implementing cyber training. Read the interview to get their thoughts and some inspiration regarding your own security awareness program. Interviewees included:
- Erik Bartholomy (EBA), LogRhythm security architect
- Eric Brown (EBR), LogRhythm senior security analyst
- Christa Burger (CB), LogRhythm senior security analyst
- Zack Rowland (ZR), LogRhythm strategic integration engineer
Q: October is National Cybersecurity Awareness Month. Founded in 2004 by the Department of Homeland Security, this month encourages individuals, businesses and other organizations to consider “Our Shared Responsibility” to do their part to protect data from cyberthreats.
How do you believe this mission has changed in the last 15 years? What new considerations should be factored in?
EBA: The cybersecurity mission is really a two-way street. Both the organization and its employees share accountability. Employees need to not only avoid clicking on suspicious emails, they must also report these emails to their security team so they can be resolved.
It’s important to understand the “why” of this mission. People once participated in cybersecurity training or adopted some of the learned practices simply because they were told to do so to protect company data and assets. Now, people understand they shouldn’t just adopt strong cybersecurity practices to benefit their company or comply with governance rules. This behavior helps protect data outside of the office as well. And that understanding is the driving factor that changes behavior.
ZR: User awareness is high on the list of new considerations. For example, at LogRhythm, our employees remain on high-alert when it comes to email. As such, they flag suspicious emails as possible phishing or spam. This kind of caution is beneficial in the long run. The employees flagging emails don’t all come from the IT department; individuals across the organization are adopting this practice. User awareness and cybersecurity are becoming engrained in our culture.
CB: This isn’t just something that is only beneficial at work. There used to be a lack of awareness around what could happen without cybersecurity awareness. But now, more people know what could happen during a breach, but still tend to assume that it won’t happen to them. The fact of the matter is that corporations aren’t the only ones susceptible to cyberattacks; they can just as easily affect you at home — particularly ransomware. It’s a different kind of awareness than when it first started. As people know, this could potentially happen. This can equally affect you at home.
Q: As a seasoned member of a security team, what do you believe are some of the biggest challenges when it comes to security awareness and educating users on how to stay safe online and to not fall victim to threats?
CB: A major challenge is the extent of complacency when it comes to security. Some are tired of hearing about it, but those people don’t understand just how high the stakes are in securing data. So much data is out there, whether it relates to your company or even your personal life. The potential compromise of all that data really raises the stakes.
People even access their bank information on an unsecured wireless network to which their phone randomly connected — even though they know better.
EBR: It really is the complacency. Today, people don’t just work on their computer, they also use their cellphones. Companies are trying to make the user experience easier, better, and faster with mobile applications. People are relatively aware that a computer can get a virus, but they don’t apply that same logic and caution to mobile devices. They need to change their mindset. It’s common to use mobile banking apps, but most don’t consider that their phone could be hacked, and this data could be at risk.
EBA: Another challenge is how easy it is to compromise data. For example, modern tech companies try to make it easy to consume their product, but often they don’t think about how that affects your enterprise’s security. With one click, you could allow that service provider to have access to all of your data and they can use it for other purposes — even if you didn’t intend for your data to be used in such a way.
EBA: Another part of it is that you’re asking people to do additional work. At the end of the day, people realize the benefits of completing cybersecurity training, but it still comes off as additional work that is not calculated into their job responsibilities.
Q: We know that there are considerable skills shortages in the security space. How do you believe education and training programs directed to college-age students and younger will help to address the gaps in cybersecurity awareness in the future? Do you have thoughts on what more could be done?
EBA: How do you find the talent to fill the void? It’s a tough question. The issue is, you need people who are inquisitive and find this field interesting. It’s hard to find young people who are interested in security and compliance, because at first glance it’s a dry topic, but it’s so important.
ZR: Most people I know in security do not have computer science degrees. In fact, I have an art degree.
EBA: Code is art. A lot of cybersecurity is creative work. The people that can follow directions very well but aren’t creative will sink in this industry. The threat landscape is always changing, and tools are always trying to catch up. You must be creative enough to outthink the hacker.
CB: Our generation didn’t have access to cybersecurity education immediately. We grew up learning it. The students who are learning it today already speak an entirely different language around technology. Keeping up with a changing landscape is second nature. They were born with it. If you can harness that ability and that talent with a really engaging cyber curriculum that also makes it highly applicable, then you have a workforce that can actually change the dynamic around how cyber awareness works.
Q: What are some of the biggest and most common cybersecurity awareness gaps you have seen in your career? (e.g., phishing, safe surfing, etc.)
ZR: Phishing. Even an experienced user can fall victim.
CB: What about password creation? It’s not necessarily about the complexity of the password; it’s about the length.
EBA: Not only do you need lengthy passwords; you must also have a unique password for every site you use. The only way you can really accomplish that is through a password manager. But be wary. Even password managers can be breached.
CB: Using “passphrases” is a good rule of thumb. But you’ll need to remember those passphrases and hope the industry standard follows suit. We’re implementing a password phrase policy at LogRhythm. However, your bank for example, might have different criteria for creating a password or might not support the length of your passphrase. So, even as you try to implement safer password practices, the industry might impede your efforts.
EBA: Two-factor authentication (2FA) is an absolute must. In fact, NIST recommends implementing both a lengthy password and 2FA.
ZR: Be careful when using a password that never changes, such as your fingerprint or retinal scan. Once that information has been compromised, it’s out there forever.
EBR: While 2FA reinforces your security and mitigates weak passwords or easily compromised accounts, be warned. Hackers can still get in.
Q: What value do you think cybersecurity awareness programs provide? Are there any anecdotes you can share that show the worth of devoting resources and time to educational programs?
EBA: Most people want a silver bullet to security and are willing to pay a great deal for the most complex solutions out there. However, the one thing that can arguably do the most good is a strong security awareness program. You’ll get the biggest bang for your buck.
CB: If you have a really effective cybersecurity program, you’re changing people’s ways of thinking and responding. An effective program will tap into that; it won’t just check boxes with a training or two.
Q: In your experience with educating users in your organization, what tactics or programs have you seen work well in practical application?
CB: Applying it to everyday life as opposed to only applying security to a corporate environment. People understand and connect better to it.
EBR: Phishing emails are a big threat. And LogRhythm has a strong awareness program that helps combat them. We send out mock phishing scenarios and try to teach our employees to think: “Was I expecting this email?” Let’s say you get something from PayPal; you need to stop and consider if you actually have a PayPal account. If you get a message about a package from FedEx, try to remember if you placed an order or were expecting a delivery. If your answer is no to any of these questions, these emails are a major red flag. Phishing tests help you keep users aware and get them into the practice of reporting a phishing email when the real thing comes in.
EBA: Displaying security awareness posters around the office has really bolstered our awareness program.
Q: In your opinion, what does it mean to be a good “cybercitizen”?
EBA: Being a good cybercitizen is evident in everything you do. You need to always think about security first. When you drive a car, you think about safety first and this same mentality can be applied to the way you think about your data. Keep in mind, security isn’t just protecting data — it’s protecting reputation and profitability. It also helps you at home and outside of work.
EBR: A good cybercitizen is a little bit smarter, without being paranoid. Be cognizant of your actions. Between online banking, social media, and more, you’re putting a lot of information out there. You need to be aware of the possibility that all of this information can be compromised and keep that in mind when you upload personal data to various applications.
CB: It’s all about awareness. Companies often want your data because it can better help them market to you. Handing out your data willingly is fine; just know what you’re okay with being out in the public. You may want to give your data to an advertising agency to, let’s say, figure out that your personality equates to that of sourdough toast, and that’s okay. Always bear in mind: These companies probably aren’t that interested in learning too much about your personality test results, but instead want you to click a button giving them access to your data. This access might not be a huge threat, but most people aren’t aware of what they’re authorizing. A good cybercitizen just needs awareness.
What challenges have you come across when implementing security awareness programs? Comment below.