Security eBook

The state of cybersecurity


How to reinvent your end-user security

The threat landscape is evolving quickly, and cybersecurity experts warn that things will get worse before they get better. Taking advantage of the mass disruption that followed the COVID-19 crisis, criminal groups and other bad actors have stepped up both the volume and the severity of their attacks.


The ubiquity of technology and interconnectivity in our professional and personal lives has amplified the need for stringent, adaptable, and proactive cybersecurity strategies and policies. The reality is, the way we collectively handle cybersecurity isn’t working.



For example, take the SolarWinds breach that affected several U.S. government agencies, including the National Nuclear Security Administration. In this supply chain attack, the attackers tampered with SolarWinds' software build process so that a backdoor reached victims inside legitimately signed updates for the Orion platform, updates that looked exactly like the ones customers were expected to install.



Or take the DarkSide ransomware attack on Colonial Pipeline that temporarily shut down one of the country's largest fuel supply corridors. The attackers got in through a legacy VPN account that was protected only by a single compromised password, with no multifactor authentication to back it up.



These are just two of the recent breaches that caused massive financial and data losses. Neither required exotic defenses to blunt: requiring multifactor authentication on every remote-access account means a single leaked password is no longer enough to get in, and organizations that control what their build pipelines produce and watch trusted software for unexpected behavior are far harder targets for attacks like SolarWinds.



BrainStorm Threat Defense was selected as a featured solution in a recent Forrester Now Tech report highlighting the role security awareness training plays in a cybersecurity strategy. The Now Tech report focuses on key capabilities, including measuring and mitigating risky user behaviors, creating a cybersecurity culture, and improving the organization’s security posture.



Read on to learn why cybersecurity is essential in today's complex IT and business environments, how to protect sensitive user and company data from hackers, and how BrainStorm Threat Defense’s human-focused approach to security awareness outperforms traditional training methods.

What's in the eBook?

  • The fundamentals of cybersecurity
  • How to spot phishing attempts
  • The future of cybersecurity
  • How to create an effective cybersecurity strategy


Chapter 1

The fundamentals of cybersecurity


What is cybersecurity?

Cybersecurity encompasses all of the tools, technology, processes, and policies an organization employs to protect its data, devices, and networks from unauthorized access, tampering, corruption, theft, and malicious encryption of the kind ransomware performs.


Cybersecurity is everyone’s business.

As a matter of necessity, cybersecurity technologies and techniques are always evolving to keep pace with changing threats and tactics. To create an effective defense against potential attacks, organizations must take a holistic approach to cybersecurity that includes IT, the C-suite, and every employee in between.

Together, these groups must implement a cybersecurity strategy that focuses on protecting four common entry points for attackers:

  • Devices: This includes smartphones, tablets, laptops, and any other device that connects to the company network. Keep them patched and enrolled in device management so that a lost or compromised device can be locked out.
  • Network: Exposed remote-access services, chiefly virtual private network (VPN) gateways and Remote Desktop Protocol (RDP), are among the most commonly exploited entry points, so IT must be diligent about securing remote access: patch the gateways, require multifactor authentication, and keep RDP off the public internet.
  • Email: Email is the most common way phishing scams deliver malware and trick users into divulging credentials and other confidential information. Filtering, allowlists, and sender authentication (SPF, DKIM, and DMARC) can cut down on the number of malicious emails that reach an inbox.
  • Files and documents: Protect business-critical files and sensitive documents with encryption at rest and in transit, as well as automated backups that store a copy of your data offsite and offline. Test that those backups actually restore; a backup that has never been restored is an assumption, not a safeguard.


What is the human element?

Cyberthreats come in many forms. Some are highly technical, involving code capable of slipping past cybersecurity software undetected to infect networks and files. Others rely on good, old-fashioned human error.

A worker can, for example, download an infected app onto a smartphone connected to the company network, click a malicious link in an email that appears to be from HR, or share their network credentials with an unauthorized user.

When it comes to cybersecurity, all the technology in the world can't prevent poor decision-making. But security awareness training can make it far less likely.

Invest in company-wide security awareness training to teach employees common red flags in emails, how to spot malicious links and attachments, and what to do if they are the victim of a phishing scam.



Chapter 2

What should security awareness training include?


What is phishing?

Phishing is one of the most common types of cyberattack and the most frequently reported. This social engineering tactic involves tricking a user into clicking a malicious link, entering credentials or other sensitive information into a fake page, or opening an infected email attachment.

Because phishing scam operators can choose a “spray-and-pray” approach or a more targeted campaign involving personal details to build trust, phishing has a high success rate. After all, it only takes one distracted employee to throw open the gates to the company network.

Phishing is a relatively low-effort, high-reward crime, so it's not surprising that by mid-January 2021, Google Safe Browsing reported a roughly 25% year-over-year increase in the number of phishing sites it detected.

What are the types of phishing scams?

There are several types of phishing scams making the rounds. In fact, hackers have found a way to create a phishing campaign for practically every kind of digital communication outlet.

  • Email phishing: The most common phishing tactic, these scams are delivered via an email containing malicious links or an infected attachment.
  • Spear phishing: This email phishing scam targets a specific person and includes personal details, such as job title or place of employment, that make the email seem even more authentic.
  • Whaling: Whaling scams go after the company VIPs by targeting senior executives. These emails typically appear to come from a peer, a board member, or a business partner and request wire transfers, tax documents, banking details, or other highly confidential financial information. The inverse, an attacker posing as the executive to pressure staff, is usually called business email compromise (BEC) or CEO fraud.
  • Vishing: Vishing is a social engineering attack that utilizes voice communication rather than emails to trick victims into sharing personal information, such as bank account numbers or credentials that can be used to access sensitive company data.
  • Smishing: This is another twist on social engineering, but this approach uses SMS messaging linking to a web page, an email address, or a phone number that asks the victim to input personal information or credentials.
  • Angler phishing: Angler phishing is one of the newer tactics, using social media as the base of operations. These attacks are initiated by bad actors posing as customer service representatives who target disgruntled customers. The “representative” provides the victim with a link that, when clicked, either installs malware on their device or directs them to a site asking for information.

What are phishing scam red flags?

Security awareness training should include overarching best practices for keeping data secure, including safe sharing now that cloud-based collaboration has become the norm, as well as drill down on the laws that govern your specific company, country or region, and industry.

Phishing scams often seem legitimate at first glance, but on closer inspection, there are tell-tale signs that something is not quite right. Here are some common red flags to watch for that may indicate you're being phished:

Spoofed hyperlinks

Hackers use spoofed URLs to trick users into clicking links. The visible text may look like an authentic link to a trusted company while the underlying address points somewhere else, so hover over each link in the email to check that the actual URL is legitimate; on a phone, where you can't hover, press and hold the link to preview its destination. Pay close attention because phishing links are often almost identical to the authentic hyperlink with small differences, such as a one-letter spelling difference, a digit 1 in place of a lowercase l, or use of .net instead of .com. A trusted name at the start of the address is also a trick: in example.com.verify-login.xyz the actual domain is verify-login.xyz, because the domain is the last part before the first single slash, not the first part.

Poor grammar and spelling

Spelling mistakes, awkward grammar, and poor-quality layout or design in an email that claims to come from a large company are reasons to be wary. The reverse does not hold, though: many phishing emails today are polished or copied wholesale from the genuine article, so a clean, well-formatted email is not evidence that it is legitimate.

Suspicious attachments

Attachments are a popular way for hackers to deliver malware, so be on the lookout for email attachments that seem off. For example, your bank is unlikely to ask you to download a file, and HR probably isn't sending out .exe files, scripts, or macro-enabled Office documents for review.

Generic greetings and closings

Most businesses use email solutions capable of inserting the recipient’s name in the email greeting. Be wary of an email that uses a generic salutation, such as “Dear Sir/Ma’am,” and be extra suspicious if there is no company contact information in the signature.

Discrepancies in sender’s email address

Similar to spoofed hyperlinks, hackers often send phishing emails from addresses that look almost identical to those of a legitimate and trusted company. Look past the display name, which the sender controls entirely, at the actual address, and check it for spelling differences, missing letters, and character discrepancies, such as an underscore instead of a dash. A Reply-To address on a different domain from the sender's is another warning sign.

Inflated sense of urgency

Many phishing scams include a time-sensitive or urgent call to action designed to make users click before they think. Some popular messaging includes:

  • “We have noticed some unusual activity on your account.”
  • “Your payment failed. Click here to pay now.”
  • "You are eligible for a government refund.”
  • “Claim your coupon for free stuff.”



Chapter 3

The future of cybersecurity


In 2021, the Ponemon Institute and IBM Security Cost of a Data Breach study found that the average total cost of a data breach had risen to $4.24 million, the highest figure in the report's history.

And security experts anticipate the rate of cyberattacks will continue to increase for the foreseeable future. At a recent cybersecurity summit, U.S. National Security Agency Director Paul Nakasone was asked to predict how often the U.S. would face ransomware attacks in the next five years.

His answer? “Every single day.”

With cyberthreats expected to be an ongoing security challenge, it’s crucial for IT teams to identify current and future risks and look for effective ways to protect their organizations from data, financial, and reputational loss.


Understand the risks and vulnerabilities.

Remote and hybrid work environments

The same Ponemon Institute study mentioned above also found that the average cost of a data breach increased from $4.26 million to $4.96 million when remote work was a factor in the breach. According to the study, breaches take longer to identify and contain in remote work environments, and that extra dwell time is a large part of the added cost.

With many organizations opting to continue remote work or shift to a hybrid environment, IT teams will need to seek out cybersecurity solutions that prevent attacks and allow them to launch a response faster when an attack succeeds.

Shortage of skilled cybersecurity professionals

Effective cybersecurity strategies require highly trained cybersecurity experts to design and deploy them. Unfortunately, there is a massive shortage of these professionals in the workforce at a time when there is a historically high demand for their services.

A study conducted in 2020 found that the number of unfilled cybersecurity jobs will potentially reach 3.5 million in 2021. That’s up from 1 million openings in 2014.

With millions of cybersecurity vacancies left unfilled, many organizations will be unable to implement a security strategy or technology capable of withstanding the increasing number of attacks and the increasingly sophisticated tactics attackers are using.

IoT hacking

Thanks to improved technologies, such as 5G and edge computing, the Internet of Things (IoT) is working its way into everything from security cameras to refrigerators to self-driving delivery trucks.

These devices are only as secure as the safeguards put in place by their manufacturers and service providers, and many ship with default credentials and rarely receive firmware updates. Third-party vulnerabilities are a common entry point for attackers, so work with vendors who take security seriously, keep an inventory of every connected device, change default passwords, apply firmware updates, and put IoT devices on a segmented network so that an attack on one of them, or on a vendor, cannot spread to the rest of your organization.

Double extortion ransomware

Ransomware attacks are on the rise, and they are becoming more damaging by the day. Operators were once content to encrypt a company’s data and demand a ransom in exchange for the decryption key, but they are upping their game.

One popular tactic is double extortion: a ransomware attack that exfiltrates a copy of your company's data before the files are encrypted and held for ransom. Ransomware operators use this type of attack to pressure the victim to pay by threatening to publish the stolen data online. Offline backups let you restore the encrypted files, but they do nothing about the threat to leak what was stolen, so detecting and blocking the exfiltration, which happens before the encryption, matters as much as being able to recover.


Implement effective cybersecurity solutions.

Utilize AI and machine learning

Artificial intelligence (AI) and machine learning use statistical models to identify known threats and to flag anomalous activity that may indicate new, previously unseen ones. This technology lets security teams analyze data and suspicious activity at a volume and speed not possible with manual tools and conventional signature-based software, though the models need tuning and human review to keep false positives manageable.

Make the people the perimeter.

Up-to-date threat detection technology is a key part of an effective cybersecurity strategy, but even the most cutting-edge software can be circumvented by an employee who falls for a phishing scam.

With today’s distributed workforce, IT teams can no longer rely on the office firewall to keep out bad actors. With endpoints scattered across multiple locations, IT needs employees to become the first line of defense.

Empowering employees to become an extension of IT security requires customized, comprehensive, and targeted security awareness training, such as BrainStorm Threat Defense.

This non-traditional platform provides a learning environment intended to change how users think about communication, collaboration, and personal responsibility. It doesn’t engage with humiliation or memorization—both of which are ineffective in driving lasting behavioral change.



Chapter 4

How to select a security awareness training partner


Piecemeal cybersecurity won’t hold up against today’s evolving threats. IT security teams must take a holistic and consistent approach to prevent breaches and protect sensitive company data.

To create a cybersecurity strategy that works, you must make a plan, determine how you will execute that plan, and ensure the plan is scalable across the organization.


What should you include in your cybersecurity strategy?

Every organization’s cybersecurity strategy will be tailored to its specific requirements and objectives, but there are a few fundamental steps that every IT team should include in their plan:

  1. Set your goals.
  2. Identify risks.
  3. Evaluate your technology.
  4. Review security policies.
  5. Create a business continuity and disaster recovery plan.
  6. Implement your cybersecurity strategy.
  7. Test and revise the strategy as needed.

Don’t underestimate the importance of security awareness training in the success of your cybersecurity strategy.

BrainStorm Threat Defense provides a turnkey solution for your security awareness training initiative. With a 4-step program that focuses on turning employees into an extension of IT security rather than a liability, BrainStorm Threat Defense will help you improve your security posture by reducing much of the human error responsible for security breaches.


BrainStorm Threat Defense’s 4 steps to better cybersecurity. 

Step 1: Understand

Understanding is an ongoing process. We first ask questions to assess the baseline level of vulnerability for both users and the organization. We then revisit this step regularly to monitor progress in response to remediation.

Step 2: Teach

Each user gets an individual Skill Path that focuses on their specific weaknesses and knowledge gaps.

Step 3: Assess

BrainStorm Threat Defense phishing campaigns only use positive correction techniques—never humiliation—making it easier to measure progress.

Step 4: Remediate

Remediation is automated, so it repeats and retargets lessons as needed while the information is still top of mind.

Repeat

Security awareness training is not a one-and-done activity. The human brain needs repetition to retain information, and security threats are always changing and evolving. That’s why users receive an ongoing cycle of assessment, education, testing, and remediation to stay in practice and stay up to date on current cyberthreats.




With historically high rates of cyberattacks—and equally high costs for recovery—every organization needs a rock-solid cybersecurity strategy that includes top-quality security awareness training for all employees.

Contact us to see a live demo of BrainStorm Threat Defense’s people-centric approach to security awareness training.