Training staff to be wary of a cyber threat is not a clear-cut job

As the industry is hit by a spate of high-profile cyberattacks, companies seek outside help to ensure their employees are aware of the latest threats.

James Hadley, CEO of Bristol-based tech start-up Immersive Labs, said it was difficult to ensure that employees tasked with protecting their company’s systems are ahead of the ever-evolving threats.

Hadley was a cybersecurity instructor with the UK intelligence agency GCHQ before setting up Immersive Labs to make his training skills available to corporate clients.

The platform uses gamification, with constantly updated data on new malware threats and simulated attacks, to train people in the best responses, rather than the traditional training-course format.

“The [courses] take a lot of time and it’s dated very quickly,” Hadley told CNBC. “New attacks and tools are coming out all the time. So how can we keep this ability updated?”

Immersive Labs’ platform is aimed at people who work in technical roles on a daily basis, such as app developers and executives who may have to react to incidents.

He said he saw a surge in inquiries from companies frightened by cyberattacks like the ransomware that hit the Colonial Pipeline.

“We see that the market is increasingly asking about decision-making in crisis simulation. Our cyber crisis simulator, which puts people in the hot seat of decisions during a ransomware incident, is becoming the sharpest arrow in our quiver.”

However, Immersive Labs focuses on training employees who are already in technical roles. This leaves many other professionals in companies whose work processes and habits can be gateways for cyber criminals.

A recent survey by cybersecurity firm Arctic Wolf found that 73% of small and medium-sized businesses in the UK believe that their employees are ill-equipped to respond to a cyber attack.

Effective training

“Ultimately, it’s true that people are the weakest link in cybersecurity,” Avi Shua, CEO of Orca Security, another cybersecurity company, told CNBC.

Working from home has further opened up the field for attacks on a company, as people use their own devices or chat apps like WhatsApp to keep in touch with coworkers.

This has heightened the need for greater cybersecurity awareness among employees, but Shua said it’s not that easy.

“We definitely need to invest in training, but I don’t think we can rely on everyone to be cyber-aware all the time. I think that relying on it will fail,” Shua said.

“I work in the cybersecurity industry so I think about cyber every day,” he added, but noted that people in accounts, HR, or other roles are busy with their own day-to-day tasks.

“When I am an accountant, I cannot think at every moment whether the communication I am conducting is (safe). If that is your strategy, it will fail.”

“(Training) will make an organization better, but I believe an organization needs to put more emphasis on tools that dramatically help its employees differentiate between legitimate and illegitimate communication.”

Alan Woodward, a cybersecurity expert and professor at the University of Surrey, said focusing on training people in non-tech roles to become more cyber-aware would put too much stress on people.

“The big problem with educating people is that it is a one-off exercise and we are all human, we all forget and the criminals are very clever in the way they manipulate us socially,” he said.

Both Woodward and Shua said the right approach is a combination of technical solutions that detect threats and human processes that employees can follow, without relying on one over the other.

Woodward added that companies need to be wary of cyber snake oil vendors who show up after major attacks, like the one on Colonial, promoting training or other protective measures.

“It’s a bit like really looking at everything online. All you can do is look it up, do some research, take a little care,” he said.

Ransomware threat

Ransomware is the biggest threat right now by “a country mile,” said Woodward.

With Colonial paying $5 million and JBS $11 million to restore their files, a company in a similar ransomware bind will grapple with whether to pay.

Hadley of Immersive Labs said his stance as a cybersecurity professional is never to pay as it only motivates cyber criminals to continue their misdeeds, but acknowledged that in this situation, companies may feel they have no other choice.

When a company is hit by ransomware, having effective backups is one way to get back up and running. But backups cannot be left idle either, Hadley said, and companies should regularly check that these backups are functional and easy to restore so that they can rely on them in the event of a disaster.