The Silver Bullet in the War Against Cyberattacks

Updated as of 3.15.2021

As seen in the Boston Business Journal

In the battle against cybercriminals, there is no singular solution that can fully protect us from the relentless barrage of attacks on our personal and corporate data. Companies of any size, in any sub-industry or specialty area, are at risk. There is, however, something that is affordable, extraordinarily effective, and the closest thing to a cybersecurity silver bullet that exists in today’s world. That secret weapon is cybersecurity awareness training, and it is one of the greatest deterrents against the onslaught of attacks that plague both individuals and corporations alike.

In order to understand why training is so critical to defending digital assets, it is important to understand how most modern attacks occur. In the not-so-distant past, attackers would attempt to battle their way through firewalls and intrusion detection systems to get to a victim’s data. However, these attacks were very time-consuming and increasingly thwarted by ever-improving defensive technologies.

At some point, attackers realized that they needed a new approach to stealing information, so they adopted the nefarious tactic known as social engineering. This is when attackers bypass technological fortifications and instead attempt to deceive end users into doing their bidding, a strategy that now initiates over 90% of data breaches and malware deployments.  

Pretending to be a contact we know is one of the most common social engineering strategies employed by villainous attackers and can be delivered by email (phishing), text (smishing), or voice (vishing). Gone are the days of easily-identifiable phishing emails (e.g., a kind prince asking for a small loan), as attacks are now laser-focused messages that appear to originate from a trusted source.

A frighteningly significant number of individuals are fooled by these deceitful and malicious attacks, resulting in a spate of ransomware infections, fraudulent financial transactions, or compromised sensitive information. 

With social engineering attacks lurking within our inbox, it quickly becomes evident that education and awareness are paramount to keeping us safe – empowering employees with the ability to detect and avoid attacks. While there is no magic formula for creating the perfect training solution, here are some best practices that can give training programs the greatest chance of success.

• Develop training that is accessible to the entire team, as companies have employees that exist on each end of the technological-sophistication spectrum. Distill complex concepts down to easily-digestible bullet points that can be grasped by everyone, regardless of whether they are technically savvy or not.
• Streamline the training to encourage retention and avoid information overload. Anything longer than 20 minutes may cause many employees to grow bored or become overwhelmed, limiting their ability to absorb and retain key concepts.
• Deliver on-demand training as opposed to training programs delivered live and in person. While live training sessions have their advantages, it is not cost effective to have a trainer deliver the content every time a new employee comes onboard or when someone needs a refresher course. On-demand training also eliminates the logistical challenges associated with employees who may be unable to travel to the office, providing them with flexibility to receive training when and where it is most convenient.
• Update the training as new threats are identified. Cybercriminals are constantly refining their methods of stealing information, so be sure to refresh the content on a regular basis. For example, the pandemic has led to attackers employing new Covid-based attack strategies, so be sure to incorporate examples of the latest threats.
• Include a quiz after the training to ensure key concepts are being retained. The risk of users investing only a fraction of their attention to the training is very real, so utilize a set of questions to confirm that critical information was absorbed.
• Augment training with a spear-phishing campaign to gauge awareness. Adopt a “trust but verify” approach and simulate phishing attacks to confirm the training was effective. Require additional training for employees who were unable to identify malicious emails.

Social engineering attacks are the weapon of choice for cybercriminals and difficult to stop with technology alone. Educated employees who have been armed with awareness through cybersecurity training create a virtual “human firewall,” greatly increasing the chances of repelling social engineering attacks and keeping the company safe and secure.

To learn how Citrin Cooperman can assist your company with developing an affordable, customized training program, contact Kevin Ricci at kricci@citrincooperman.com.