Magazine menu Close Magazine menu

Cybersecurity training

Latest stories

financial times report cybersecurity skills

Why successful companies invest in cybersecurity skills

  • min read
    • Arming your cybersecurity team with the right skills and experience is a crucial first step in facing down threats. In partnership with Longitude, a Financial Times company, Kaspersky surveyed 750 leaders at enterprises around the world about their approach to cybersecurity. The research found a small group of companies strongly believe their cybersecurity training programs can keep pace with the ever-changing threat landscape. Dubbed the Skills Leaders, these businesses have better security outcomes. About three-quarters (74 percent) say they're prepared for employees accidentally creating a cybersecurity threat – such as falling for a phishing scheme – compared with only half (49 percent) of the rest. This is good news, because cybersecurity skills are in short supply. In 2021, Microsoft announced the US is facing a cybersecurity skills crisis, citing that more than one in 20 of all open jobs in the country require cybersecurity skills. In the same year, research by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) found 95 percent of cybersecurity employees globally believe the skills gap has not improved in recent years. Our research found one-third (34 percent) believe this shortage will get worse in the next two years. But the Skills Leaders are a small group — just eight percent of the research sample. How can more organizations follow their lead? Three ways to upskill your workforce in cybersecurity 1. Train everyone, not just IT It's not just the cybersecurity team that should be on constant alert for threats. Employee-wide updates and reminders help make security part of company culture. "People need to keep their software up to date, understand how to encrypt their internet traffic and not use public Wi-Fi," says Shawnee Delaney, CEO of US-based insider threat specialist Vaillance Group. "These are general cyber hygiene practices, and they're critical. Reducing human error is crucial. Technology researchers Gartner predicts that by the end of 2025, more than 99 percent of cloud breaches will arise from preventable user misconfigurations or mistakes. One way to reduce these errors is to introduce cybersecurity 'tests' to see how employees respond to threats and increase training for those who fail them. This is what Ricardo Lafosse, Chief Information Security Officer (CISO) at Kraft Heinz, does. "It's probably one of our best ways to see whether a malicious actor could mislead our employees and get into our organization using phishing techniques," he says. 2. Update your coaching techniques Training must also move with the times to keep up with the evolving threat landscape. The Skills Leaders identified in the research seem to understand this. They're more likely to be forward-thinking with their training. About two-thirds (67 percent) say it will be very important to carry out immersive cybersecurity training (gamification and simulations to recreate real attacks) in the next two years, compared with less than half (49 percent) of the rest. "Cybersecurity training is often perceived as a formality, but one-off training is not enough," says Evgeniya Naumova, Executive Vice President of Corporate Business at Kaspersky. "Behavioral change won't appear with the wave of a magic wand. It takes commitment and practice for acquired skills to become habit. Continuous learning is especially important for enterprises to prepare teams for the evolving threat landscape." Staying up to date also means being able to change strategy fast. To combat new threats as effectively as possible, Kraft Heinz's Lafosse prioritizes agility and flexibility in his cybersecurity team. 3. Put cybersecurity at the heart of recruitment Upskilling in cybersecurity will inevitably involve addressing the skills gap. And that could force companies to take an innovative approach to recruitment, like hiring candidates with non-IT backgrounds. The research found the Skills Leaders are more likely to embed cybersecurity awareness in their recruitment and onboarding processes, stressing the need for high cybersecurity standards from the start. Enterprises with a multinational presence must ensure they approach cybersecurity consistently across their global operations. It only takes one cyber threat in one region to potentially wreak havoc across the whole organization. The skills gap is a big challenge for enterprise cybersecurity teams. To be protected against the full range of evolving threats, enterprises must do all they can to fill it. That means expanding recruitment, preparing their existing workforces by keeping them abreast of changes and training them right from the start. This content was paid for by Kaspersky and produced in partnership with the Financial Times Commercial department.
identity theft university

How one university’s stolen student IDs caused a crime wave

  • min read
    • Cybercriminals see education as an amazing opportunity. But they're not taking classes or gaining qualifications – they target universities and other educational institutions for the wealth of personal information they hold. In Tomorrow Unlocked's video The Backdoor into Campus, Royal Holloway, University of London cybersecurity experts talk about how a major identity theft incident on campus happened and how they're working to keep students and staff safe in future. How educational institutions are attacked Universities and colleges often have many people using their systems, like staff, students and visitors. They also offer many kinds of services online. Mike Johnson, Chief Information Officer at Royal Holloway, University of London, describes a recent security incident. "A staff member's credentials were stolen and used to send convincing offers of part-time work to students. Some students undertook the work and were paid. But they were overpaid, then asked to return some of the money. It was money laundering on a significant scale." Why cybercriminals love stealing identities "Commonly, we find those who try to attack us are looking to harvest identities," says Johnson. "When they've got them, they'll try to harvest more until they're sure they can attack us in the way they want to." Education can stop attacks on education It's all about authentication, says Keith Martin, Professor of Information Security at Royal Holloway, University of London: Knowing the person trying to access something online is the person they say they are. "Imagine a front door. Whoever has the key can open it. To breach that, you need to get hold of the key. Entering a country is more high security: Border control looks at credentials like a passport and the person submitting it." Professor Martin continues, "In cyberspace, it's a bigger problem because we can't see who's asking for access. The most popular authentication is a password, but passwords are like keys – easily copied or stolen. So we need to use the passport model – asking for multiple things to gain access." That's called multi-factor authentication. You'd need more than a password to gain access, such as a code sent by SMS or biometrics, like a fingerprint. Senior security researcher at Kaspersky, Noushin Shabab, says for the best security, multi-factor authentication should combine biometrics like facial recognition with another credential. Developing 'cyber common sense' in education Professor Martin says the most important thing anyone can do to keep their identity safe is to develop 'cyber common sense.' "Hesitate before doing anything in cyberspace – if you're sent a link or a message asking for information, ask, why do they want this?" Johnson feels education institutes are perfect places to learn cybersecurity awareness. "We've got to be willing to have a conversation with students about digital security and what protecting their identities means. We're educators – we're well placed to help people operate in an environment they'll operate in for a long time."
cybersecurity champions

Cybersecurity champions could be your secret weapon in raising employee cyber-awareness

  • min read
    • Now that organizations rate cyberattack as their biggest risk, cybersecurity needs to be everyone's business – not just the IT department's problem. A cyber-secure work culture will make businesses more resilient to threats. Employee behavior is one of the biggest factors behind cybersecurity incidents. Change how your employees understand cybersecurity with a cyber-aware work culture, and you'll substantially reduce the risk of compromise. One way of raising cybersecurity awareness at work is through a cybersecurity champions program. Technology researchers Gartner found although fewer than 10 percent of organizations had one in 2017, they forecast 35 percent would have a cybersecurity champions program by 2021. Why cybersecurity champions change business culture Lena Smart, Chief Information Security Officer (CISO) for MongoDB, calls cybersecurity champions the "cheerleaders and supporters of security" across an organization. MongoDB is a database platform to build web and mobile applications. It powers everything from popular online game Fortnite to dating site eHarmony's real-time communication system. The company is headquartered in the US and has 2,000 employees globally. "We need to assure customers we're keeping our applications secure and we want to show our internal customers they're working in a secure environment," says Smart. MongoDB's cybersecurity champions program was one of Smart's first initiatives when she joined the company last year. A 20-year industry veteran, she implemented two similar programs in previous CISO roles at international electronic trading platform Tradeweb and another at New York Power Authority. Smart says security experts inside an organization may have a limited perspective because they're looking through a tight lens. Weaving security through software development Security champions schemes are adopted most in software development, particularly with the trend toward DevOps. DevOps means combining software development and IT operations teams and processes to speed up development. As the need grew to scale DevOps projects faster while minimizing software vulnerabilities, organizations looked for ways to embed security into the development process. They called the approach DevSecOps. "Security champions programs aim to build a better security culture and get DevOps to create secure software more reliably," says Dan Cornell, Chief Technology Officer (CTO) with US application security company Denim Group. Cornell is a big proponent of cybersecurity champions and has helped many organizations launch programs. He says their aims vary depending on the industry, regulatory environment and company culture. For DevOps, he says, champions make security knowledge more accessible to the development team. Having run successful security champions programs outside of software development, Smart says the rules are transferable. "There's no difference in how you set it up from one company to the next." The champions are colleagues from different roles, teams and departments. Smart particularly wants participants who don't have "security" in their job title or responsibility. "The champions want to learn and understand security and how they can help the company to be more secure," she says. At MongoDB, the program is voluntary and relatively informal. Champions are encouraged to attend monthly meetings with ideas for training and other things they want to do. Building cybersecurity culture from the bottom up Organizations often approach cybersecurity culture from the top down, starting at the C-Suite (executive-level managers.) University College London (UCL) surveyed more than 800 employees in one organization and found attitudes toward security varied greatly between the company's divisions. They recommended a bottom-up approach to help get buy-in from people at all levels. The study's co-author and lecturer at UCL's Department of Security and Crime Science Ingolf Becker thinks a security champions program works because it's a two-way street. "It promotes security at all levels, but it's also an opportunity for management to get feedback about what's happening on the ground." Smart says sometimes the best ideas for improving security comes from people who "don't live under the scrutiny of the CISO every day. It gives you, as the CISO, a view you wouldn't otherwise have." Champions making cybersecurity communication clearer Smart measures the success of a champions program by how much feedback she gets on initiatives and efforts. For example, a new data-retention policy for a communication app the company was using: "Data-retention policies can be disruptive. We wanted to make sure we were asking the right questions and giving the right information to those affected," she explains. She put the champions to work. They met as a group and reviewed the draft memo. The champions took it apart, discussing what could be improved, what needed more information, and so on. That input, she says, saved her security team a lot of angst. "We finessed what was going to be a disruptive piece of communication," she says. She knew it worked because emails came in thanking them for the clarity of the message. People appreciated the efforts put in by those outside the CISO's core team. How to implement a cybersecurity champion program Becker says security champions must not be security people. "They're employees who are 'one of us,'" he says. "I think most organizations could benefit from having this local expertise about what security means to an organization." He says at organizations he's worked with, the program was often organic – started by people or teams who took it upon themselves to promote security. In those instances, formalizing the program helps to provide training and resources to develop it. To start a program, Smart recommends CISOs get executive support. At MongoDB, she started by pitching the idea to her manager, the company's CTO. "He loved the idea," she says. "Support from the top is fundamental, or it won't be a success." You must also work out what kind of commitment participants need, based on how often the champions meet and other tasks they do. The next phase is to promote the program and recruit volunteers – an online survey is a good way. After pitching her idea to the CTO, Smart enrolled the company's communication experts to raise awareness, including the benefits of the program to the organization. When employees stepped forward, their supervisors had to sign off. Smart had conversations with the managers who were uncertain and explained how volunteering could fit around the employee's day-to-day role. "Because it's voluntary, some months you may have five people in the room and some months 20," Smart says. "Don't be disheartened if the numbers go down. They'll come up again." To grow the program, look for ways to promote the champions' work and impact. MongoDB includes "day in the life" stories about the champions in the company's security newsletter. Championing security helps develop careers Gartner says cybersecurity champions programs are a zero- or low-cost way to accelerate your security message. Some organizations may offer incentives, and in DevOps scenarios, being a champion may become a full-time role. At MongoDB, the champions aren't there for perks, but there are benefits. They learn things and serve as leaders to their peers. Smart, too, found an unexpected benefit: Two of the champions later joined her team. "They're now a bridge between the old and new ways of security," she says. Becker believes just about any organization could implement a cybersecurity champions program. But there's one caveat. "You must be willing to listen and change based on the input of champions," he says. Smart notes the champions share a common goal. "We're all trying to solve the same problem: Keeping the data safe and the bad actors out," she says. The program lets her talk to people she rarely speaks to about ways to improve security. "It's a linking of the groups and a linking of the minds," she says. If you want to improve your security culture – and are willing to listen to employees with diverse perspectives – a security champions program is a great way to bring about long-lasting change. This article was published in May, 2020.
remote working cat laptop cybersecurity training homeworkers

Now we’re all working from home, we need to become more cybersecurity aware

  • min read
    • COVID-19 has triggered a worldwide work-from-home situation for pretty much everyone that can do it in 2020. Although the virus is impacting nearly every aspect of our lives, there may be a silver lining: remote working can benefit businesses and the planet. Remote working has been steadily growing in popularity over the last few years, and for good reasons. A Stanford University study found that employees were, on average, 13 percent more productive at home as opposed to in the office. And there are operational benefits too. Organizations with flexible work-from-home schedules tend to spend less on running large offices or scale down their office space. Throw in the fact that you're sparing the planet your employees' commute (dolphins returning to Venice canals is an extreme but excellent example), and it's a no-brainer. I'm not advocating a constant work-from-home situation – innovation thrives with face time with others – but if COVID-19 teaches us anything, it's that remote working could benefit business and the planet. Remote working increases cybersecurity risks Remote working is a massive change in the way people work, and if handled without preparation, there are some serious cybersecurity risks. Most will be down to the way your employees work. A 2019 report by Kaspersky found that 72 percent of employees in smaller businesses store documents that have personally identifiable data.  And in a 2019 report on the cost of cyber-breaches, 52 percent of enterprises reported that breaches happen after employees' inappropriate IT use. Changing behavior is your biggest cybersecurity challenge Employees feel removed from the corporate gaze when they're at home, which can aid productivity. But it also means they may not be as conscious of following security best practices, and IT staff aren't on hand to give quick-fire advice. Nine times out of ten, your employees will work using a corporate device (if you've provided it) but they may use it for personal stuff, like online shopping. Hackers are smart; they anticipate these changes and are always seeking new ways to exploit your business. With so many people at home 24/7 and shopping online, we see a big spike in online phishing attacks. Hackers are embedding traps by setting up fake sites emulating big-name online supermarkets. We see an increase in situation-sensitive phishing attacks, like COVID-19 advice emails from hackers pretending to be healthcare organizations. Once users click on these, especially if they're connected to your corporate VPN, hackers can get access to your network, which could place your entire corporate data at risk. Everyone working from home concurrently also throws up new challenges for how IT teams can best support users. Usually, in an office, an employee might go to the IT team and say, "My computer is running slow, can you help?" The IT support desk fixes the issue promptly, and then all is well. When they're at home, they may just live with it, particularly when IT managers are overloaded with new requests from novice homeworkers. What happens when there's an immediate issue? Many IT teams don't have the experience or tools to investigate remote cyberattacks and cure them instantly. So the focus right now is to increase our efforts to stop these attacks before they happen.  But how? Teach your teams to become cyber-aware Training is crucial to help your teams to become cyber-aware. Plan a program of learning, with a mix of online learning, classroom (virtual or real-world) and regular advice by email. You could test whether people can spot a phishing attack by setting up a fake phishing email.  To start, try this free 30-minute adaptive learning course by Kaspersky and Area9 Lyceum for those who are new to remote working to help them work safely from home with lessons about choosing strong passwords, the importance of endpoint protection and regular software updates. Employees need to know what's acceptable to do on corporate devices, rather than simply what they shouldn't do. With weekly calls or online chats, you can talk to users about what they're seeing, advise them on best practice and answer their questions. This gets them comfortable talking to the experts, so if something happens, you can respond quicker. Build a culture of trust Unfortunately, in many larger organizations, there isn't a culture of transparency between employees and IT on cyber matters. When people make mistakes, they're either unaware of what they've done or are scared they'll lose their job, so they may not formally report a data breach incident that ends up damaging the company. You need to build a culture of trust and transparency between employees and the IT team. Open communication is critical. Advise against casual browsing on work devices Casual browsing may lead to compromised network security, so make sure employees know this and encourage them to do personal things – like shopping, social media or reading news – on their own devices. Patch employees' machines If your employees' devices aren't completely patched and up-to-date, the chances increase of hackers finding a vulnerability in your system. Remotely access their machine to patch or help them do it themselves over the phone. Even better, install an automated patching solution. Ask people to change default passwords on home routers Most home routers use a default password, which hackers can find and then get into the back end of the home network. Few people bother to change it because it's a somewhat tricky process, but it will drastically improve employees' cyber-defenses.  Show them how they can do it. Cybersecurity in the age of remote working After COVID-19 restrictions are over, and organizations see how well their staff have handled working from home, it will change the way we work forever. I think employers or governments are likely to implement a one-day-a-week remote working policy. With that in mind, you need to know the cyber-risks of remote working, how you can prepare your teams, and encourage a culture of collaboration and transparency. If you're thinking about extending remote working beyond COVID-19, get the right cybersecurity training program and products in place to keep your teams and business safe.
by Innovating leaders.
Innovative tech.
About Secure Futures

Secure Futures magazine is your go-to business guide for opinions, trends and insight into the world of technology and cybersecurity. We help your business to bring on the future. Brought to you by Kaspersky, the global cybersecurity experts.

  • For all other countries