by Eric Jacksch, Cybersecurity Consultant
The cybersecurity threat landscape is changing rapidly with the emergence of artificial intelligence (AI) tools. Just like everyone else, hackers are adopting these tools to improve their efficiency.
AI can be leveraged to make phishing, vishing, and other forms of social engineering easier and more scalable. Natural language processing can make scam emails sound and look far more credible. Even voices can be convincingly mimicked and used to request password resets or steal sensitive information.
According to Salesforce, two-thirds of IT leaders want to integrate generative AI into their businesses, even though a larger percentage fear increased security risks. As organizations dive headfirst into integrating AI into their daily workflows, we need to address the related security risks.
One way to do this is to acknowledge that criminals are getting better at exploiting human weaknesses. Put yourself in hackers’ shoes, understand how they think, and suddenly, your approach to cybersecurity training will look very different. I’ve found three important lessons about thinking like a hacker that will make your cybersecurity training more effective.
Artificial Intelligence: Train Through a Different Lens
One of the most powerful questions to ask trainees is, “If you were a criminal, how would you compromise your system?” That question often reveals vulnerabilities that you may have never considered. Once people understand how to exploit a system, they’re more likely to recognize when those tactics are being used against them.
Use immersive training techniques like having employees create their own phishing emails or role-play in social engineering attacks so that they can see both the attacker’s and defender’s perspectives. Consider this example of vishing (voice solicitation). The customer service representative falls prey to a sympathetic ruse, but by seeing the attack in action, you can understand the psychology of the threat and how to protect yourself.
Programs should suit both your company and your employees, and always consider your threat model — the particular combination of threats and vulnerabilities facing your organization. A hospital, for example, needs to protect health information according to HIPAA-compliant standards, while an engineering firm may not.
For training to be successful, tailor it to the employee’s unique role within the organization. Talking to an accounting person about firewall rules makes as much sense as talking to a network engineer about payroll diversion scams. If people can’t see how the information relates to their role, they perceive you’re wasting their time.
Training also needs to be relevant to employees’ personal lives. There’s a growing overlap between “personal” and “business,” so helping people avoid cyber attacks outside of work makes the training more pertinent for them. If an employee’s phone is compromised, it could impact both personal and company information.
Cybersecurity training needs to go beyond a one-and-done lesson. The threat landscape is constantly changing, and your employees need practice to keep their skills sharp. How important is continuous training? Seventy-six percent of employees polled are more likely to stay with their companies when they have it. Employees invest in companies that invest in them.
Keep it fresh and exciting by developing game-like achievements. As employees return for additional training, the achievements create a sense of progression rather than repetition. Pull in experts and consider hosting a webinar with a cybersecurity professional, allowing employees to learn from yet another perspective and to ask questions live.
Use all the tools at your disposal to help employees remain alert and up to date. Foster continuous awareness – send updates via Slack or email to keep your employees’ minds sharp on ongoing and evolving cybersecurity risks. And when possible, give employees concrete examples. You’ve had four fraudulent attempts to change payroll information this month? Tell your employees. It makes it real.
Virtual reality (VR) can also be a powerful tool for creating an immersive experience. VR might sound like “just” a video game, but it works, even in critical fields like surgical training. You are trying to help your employees think differently, and VR can put them in a hacker’s shoes so they can build security skills in a no-risk environment.
Where Should You Start?
From a hacker’s perspective, personal information is one of the most lucrative targets. Your training should help employees build the following three critical security habits around protecting personal information, starting with the basics of passwords:
- Use good passwords. Hackers exploit the fact that humans are terrible at creating randomness—the key to a secure password. Use the password generation tool in your password manager, or a tool like Diceware to create long, unique passphrases and create stories to make them memorable.
- Use multi-factor authentication (MFA) whenever possible. Hackers love to access accounts with just a username and password. Use hardware keys when possible. Avoid SMS.
- Use a good password manager, but do not store MFA credentials, backup codes, cryptocurrency seed phrases, or other sensitive information in it. Hackers would prefer a single point of failure. Compartmentalize your security.
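The dice-based method behind Diceware, mentioned in the first habit above, shown as an added Python example (not the author's code or the Diceware tool's): words are picked by cryptographically secure "dice rolls", and strength comes from the number of words rather than their cleverness. The 36-word list is constructed so the example runs offline and the function names are hypothetical; a real Diceware list has 7,776 words, chosen with five dice per word.

```python
import math
import secrets

# Constructed 36-word list (6**2 entries, two dice per word) so this runs offline.
# A real Diceware list has 6**5 = 7776 words, selected with five dice per word.
WORDS = (
    "anchor", "basket", "candle", "desert", "engine", "forest",
    "garden", "hammer", "island", "jacket", "kettle", "ladder",
    "magnet", "needle", "orange", "pencil", "quartz", "rocket",
    "saddle", "tunnel", "urchin", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "dragon", "falcon", "guitar",
    "harbor", "lizard", "meadow", "napkin", "oyster", "pillow",
)

def roll_dice(count):
    """Roll `count` six-sided dice using the OS CSPRNG, never `random`."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]

def rolls_to_index(rolls):
    """Read the rolls as a base-6 number: [1, 1] -> 0, [6, 6] -> 35."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= 6:
            raise ValueError("each roll must be between 1 and 6")
        index = index * 6 + (roll - 1)
    return index

def passphrase(num_words, words=WORDS):
    """Pick each word independently; repeats are allowed and expected."""
    dice = round(math.log(len(words), 6))
    if 6 ** dice != len(words) or len(set(words)) != len(words):
        raise ValueError("list must hold 6**n unique words")
    return " ".join(words[rolls_to_index(roll_dice(dice))] for _ in range(num_words))

def entropy_bits(num_words, list_size):
    """Entropy assumes the attacker knows the list and the method."""
    return num_words * math.log2(list_size)

def words_needed(target_bits, list_size):
    """Smallest word count that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(passphrase(6))                      # differs on every run
    print(round(entropy_bits(6, 7776), 1))    # six words from a full-size list
    print(words_needed(80, 7776))
```

The entropy figure holds only when every word comes from the dice; swapping in a "better" word by hand reintroduces the human bias the first habit warns about.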
AI will only become more powerful, along with the cybersecurity threats it brings to the surface. By shifting the typical cybersecurity training narrative, employees can stay one step ahead of hackers, keeping personal and business information safe from their wrath.