The importance of cybersecurity is now well established in most small and large corporations. However, with cybercriminals working relentlessly to improve their attack vectors, some precautionary measures become outdated and ineffective.
Malicious threat actors have largely shifted their focus to social engineering now that most people are working remotely. They impersonate legitimate brands or create fake landing pages to trick unsuspecting users into exposing their personal and business credentials.
Cybersecurity awareness training is nothing new. Yet the way it is delivered and presented must change if we want to engage people and teach them how to spot cyberattacks. For this reason, Flavius Plesu, CEO and Founder of OutThink (a company that offers a Human Risk Management Platform), agreed to share his insights on modern approaches to human risk management.
Tell us more about your story. What was the idea behind OutThink?
OutThink was an idea born from my personal experiences as a Chief Information Security Officer (CISO). Early in my career, I led complex cybersecurity transformation programs within global organizations. It became clear to me that despite our considerable investment in cybersecurity technology, and in the bulk training of our people, we were still going to be exposed unless we could build a risk-aware and sustainable cybersecurity culture.
I started to rethink the problem and engaged some of my CISO peers and members of the academic community who shared my determination to solve this people-related challenge in cybersecurity. So, you could say that the idea for OutThink was born out of frustration that existing solutions on the market were failing.
However, it also came from a passionate belief that if we engaged our people – beyond security awareness training into human risk management – we could make them the organization’s strongest defense mechanism.
Can you introduce us to your Human Risk Management Platform? Why is employee security awareness so important?
This is important because people are the major cause of security incidents or data breaches. According to the report by ICO in 2021, 90% of security incidents happen due to human error, and estimates of global cybercrime losses range from 795 billion euros to as much as 5 trillion euros.
At OutThink we have brought together psychology, data science, and technology with years of practical information security industry experience to create the world’s first cybersecurity human risk management platform. In simple terms, the platform quantifies human risk by measuring employees’ security behaviors and attitudes to deliver highly targeted security awareness training to each employee.
OutThink also presents live dashboards with the overall human risk picture at a department, group, or organization level, providing the foundation for risk decision-making and treatment prioritization. Our approach is unique and proven to be considerably more effective.
What methods do you use to make your training engaging and effective?
First of all, we have to be honest about the context that we’re working in – people have a limited appetite for compliance training. Employees only need the most relevant and effective training to stay safe online and get on with their job, and anything that costs time is not good for the business.
To achieve the best outcomes, the OutThink platform collects and analyzes subjective data (attitudes) and objective data (behaviors) to identify the root causes and calculate a cybersecurity human risk score. From this, it understands which individuals pose a higher risk to the organization and automatically delivers sharp, targeted micro-learning in real time. It's based on individuals’ needs and level of risk, and it can be delivered via their preferred channels, such as Slack, Email, or Teams. We’re also leveraging natural language processing and machine learning to deliver significant advantages over traditional and rather unintelligent approaches.
The content itself is fresh, highly visual, looks great, and uses gamification and other techniques to engage the audience and ensure that the impact is lasting.
Have you noticed any new threats emerge during the pandemic?
Yes, the cyber landscape is always changing as hackers find new ways and forms to access information. They not only exploit technical deficiencies but often rely on people to access sensitive data, and there is ample evidence to indicate that attackers are exploiting the high volume of remote users.
Now, it's much harder to identify unusual remote logins and detect credential theft. Devices that are used to log in for the first time are no longer an anomaly and may go undetected. Security teams are managing in a world of unknown unknowns, as user behaviors and access patterns that they have not experienced before have become the new normal.
Social engineering, or so-called hacking of minds, remains the preferred avenue of threat access simply because it cannot be patched with technical solutions. That includes the following:
- Covid weaponized emails
- Theft of remote user credentials
- SMiShing and spear-phishing attacks
To address these problems, OutThink is actively engaged in building a Framework for the Management of Human Risk in cybersecurity which helps organizations understand that creating a strong, healthy cybersecurity culture is not simply about patching technology and processes. It is about patching the human brain.
Why do you think employee cybersecurity training is often pushed to the background?
Sometimes it’s about budgets but more often it is about the vision and willingness to challenge the easy status quo. There’s a compliance tick-box approach to cybersecurity training that is all too familiar. A manager sets objectives for the year along the lines of “train our people in topic XYZ”. And the organization purchases some training solutions, rolls them out, and ensures everyone has completed the course. Job done. That’s a slightly cynical view perhaps, but I know we can do so much better than this.
Since so many teams are working from home these days, what would you consider the most serious security issues affecting the remote workforce?
We’re now two years into this fundamental change in working practices and we’ve learned a lot. Work has become more portable. We’re in a new era of workforce mobility and this presents fresh security challenges to overcome. But while remote work has become the new norm for many companies, it isn’t without its inherent risks. Of course, there’s a higher chance of your devices and data being lost or left exposed. According to the Data Breach Investigations Report by Verizon, phishing is perhaps the most serious security issue to consider, with it being a part of 36% of all data breaches.
It’s far easier for cybercriminals to target human weakness than break through modern security defenses. That’s why, according to Verizon, as many as 90% of data breaches and incidents involve a phishing element. Most phishing attacks happen over email, whereby a cybercriminal tries to fish for information and lure victims into taking the desired action. This might involve unwittingly surrendering private information, such as login details or financial information. Other scams might include malicious attachments, such as ransomware. Phishing is a form of social engineering – psychological manipulation tactics that prey upon emotions like fear, greed, or curiosity. As such, many phishing emails encourage you to act quickly and without thinking. There is no doubt that a remote workforce is more exposed to this social engineering and manipulation than the one which operates from more structured office environments.
In your opinion, what types of attacks are we going to see more of in the near future?
We will most certainly see more remote work attacks. In the upcoming year, expect these threats to continue as cybercriminals and state actors become bolder and more adept at executing their schemes. Since the pandemic, hackers have adapted far better than employers and governments to the change in humanity’s digital behavior. Remote workers were among the first targets of cybercriminals who spotted trends during the pandemic. Employees working outside of the office and during odd hours tended to log into their employers’ network during downtimes in security monitoring. That habit turned them into targets. Cybercriminals homed in on those vulnerable employees knowing the network’s security team was absent. As some office workers return from home, that vulnerability may lessen, but fixes to networks will be among the expenses companies undertake after a miserable year of seeing their systems under constant assault.
I think artificial intelligence will underpin the next generation of security solutions. Much of today’s solutions are useful only after an attack has already happened. A shift to AI in 2022 is needed to plug gaps in the cybersecurity industry. Our platform uses AI to continuously target and train employees in short bursts and the system is constantly learning and adapting. It is a quantum leap forward.
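The detection challenge described in the answers above (first-seen devices that are no longer an obvious anomaly, and off-hours remote logins that land in monitoring gaps) can be approached with a simple per-user baseline. The following is an added illustration, not OutThink's code or any part of the interview; the authentication events are constructed sample data, and the device-identifier field, the two-hour tolerance and the score weights are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data): user, device id, UTC time, result.
EVENTS = [
    ("alice", "dev-a1", "2022-03-01T09:12:00", "success"),
    ("alice", "dev-a1", "2022-03-02T08:55:00", "success"),
    ("alice", "dev-a1", "2022-03-03T10:03:00", "success"),
    ("bob",   "dev-b7", "2022-03-01T14:20:00", "success"),
    ("bob",   "dev-b7", "2022-03-02T15:41:00", "success"),
    ("alice", "dev-z9", "2022-03-04T02:47:00", "success"),   # new device, 02:47 UTC
    ("bob",   "dev-b7", "2022-03-04T16:05:00", "success"),   # known device, usual hour
    ("bob",   "dev-q4", "2022-03-04T14:10:00", "success"),   # new device, usual hour
]

def build_baseline(events, cutoff):
    """Learn, per user, the devices and login hours seen in successful logins before `cutoff`."""
    devices, hours = defaultdict(set), defaultdict(set)
    for user, device, ts, result in events:
        when = datetime.fromisoformat(ts)
        if result == "success" and when < cutoff:
            devices[user].add(device)
            hours[user].add(when.hour)
    return devices, hours

def score_login(user, device, ts, devices, hours):
    """Return (score, reasons): a first-seen device adds 2, an off-baseline hour adds 1."""
    when = datetime.fromisoformat(ts)
    score, reasons = 0, []
    if device not in devices.get(user, set()):
        score += 2
        reasons.append("first-seen device")
    # Assumed tolerance: an hour more than two hours from every baseline hour counts as off-hours.
    if hours.get(user) and all(abs(when.hour - h) > 2 for h in hours[user]):
        score += 1
        reasons.append("off-hours login")
    return score, reasons

def alerts(events, cutoff_iso, threshold=2):
    """Score events on or after the cutoff against the baseline; report those at or above threshold."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    devices, hours = build_baseline(events, cutoff)
    out = []
    for user, device, ts, result in events:
        if datetime.fromisoformat(ts) >= cutoff:
            score, reasons = score_login(user, device, ts, devices, hours)
            if score >= threshold:
                out.append((user, device, ts, score, reasons))
    return out
```

Calling `alerts(EVENTS, "2022-03-04")` flags alice's 02:47 login from an unknown device with score 3 and bob's new device with score 2, while bob's routine login is left alone; in practice the baseline would be rebuilt over a rolling window so that a legitimately enrolled device stops alerting once it has been seen.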
What can average Internet users do to protect themselves online? Do you have any security measures that you could recommend?
Firstly, online bank accounts are particularly attractive to cybercriminals as stolen funds can be difficult to trace. Cybercrime losses totaled $1T in 2020, more than 50% higher than seen in 2018. This figure is expected to further increase as the level of usage for internet banking rises. To protect your financial information and prevent your online account from being compromised, I would call out the following as essential behavior changes:
- Beware of phishing emails
- Avoid using public Wi-Fi when making online payments or banking
- Always use a unique and robust password
- Never reuse the same password for multiple accounts
Secondly, as children spend more time online, they are more vulnerable to the dangers of the internet. In the UK, 20% of children aged 10 to 15 years admitted to being affected by cyberbullying and 1 in 5 victims of online grooming were children aged 11 or under. So, I recommend:
- Encouraging kids to be more aware of oversharing sensitive information on social media
- Using parental controls on phones, tablets, and laptops
Thirdly, protect your devices. In recent years, our dependency on various gadgets has significantly increased, making our devices a natural target for cybercriminals. So, make sure that:
- All your devices are updated with the latest software and application updates
- Antivirus software is installed
- A firewall is in place to filter incoming and outgoing network traffic
- Your important data is backed up to the cloud
And finally, what’s next for OutThink?
We have so much going on and it’s a really exciting time for us – we’ve just won investment from the European Union. It realized there is an urgent need for new approaches to cybersecurity human risk management and recognized the unique capabilities we have as a company. We’re growing fast with new customers and partners. We’re hiring up and investing to enhance our products and services.
On the product side, I’m excited about the capabilities we’re rolling out to our customers. For the first time, our customers can visualize and understand their human risk exposure. And for the first time ever, security workflows can be automated to eliminate specific risks and reduce risky behaviors where they occur, and soon, where they are predicted to occur. We’re investing more in AI and techniques, such as machine learning and natural language processing.
When I started the business four years ago these concepts and our vision were perhaps a little ahead of the market, ahead of where companies were ready to invest. But now, companies and organizations are changing their approach. They increasingly understand the importance of managing human risk and are looking for better solutions. We have a first-mover advantage and the future looks very bright for us. I’m proud of my team and they deserve the success.