Jack Koziol, Infosec Institute: “cybersecurity knowledge gaps at any level of the organization pose security risks”
Companies are worried about outsiders infiltrating their spaces. They patch their systems and heavily invest in defenses, often forgetting that the main vulnerability already has access to their critical data: their employees.
Human error remains the most pressing challenge in cybersecurity, with as many as 88% of breaches attributed to mistakes made by employees, according to research by Stanford University. However, training your staff to be more cyber-savvy is not an easy task, which is why it’s often outsourced to other organizations.
Jack Koziol, CEO and founder of Infosec Institute, discussed with us why education remains the most important cybersecurity practice to follow and how Infosec Institute will help in training your workforce.
How did the idea of Infosec come about?
Infosec provides role-guided cybersecurity education for the entire organization — from the accounting department to the SOC team. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime.
The story of Infosec started shortly after I published The Shellcoder’s Handbook. The book’s popularity drove interest in ethical hacking and software vulnerabilities, leading to multiple requests to teach boot camps on the software exploits covered in the book. I used vacation time to teach a few courses but eventually ran out of PTO, so I quit my day job at the bank and spent the next couple of years traveling around the world teaching people with corporate jobs how to hack.
During that time, the cyber industry exploded. New tools and platforms introduced more security risks, which led to an even greater need for cybersecurity training. And as cybercriminals expanded targets from software to include software users, the demand for cybersecurity education skyrocketed.
We developed Infosec Skills and Infosec IQ to meet this demand, helping organizations scale effective, role-guided cyber education to every employee. Both platforms provide hands-on, engaging training to the entire enterprise, empowering employees with the knowledge, skills, and confidence to outsmart cybercrime. Today, more than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent and teams, and more than five million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness and phishing training.
What techniques do you use to make cybersecurity education engaging and fun?
In the early days of our cybersecurity boot camps, we quickly saw that hands-on labs and capture the flag exercises not only engaged learners but helped them retain the content they were learning. At the time, Infosec was one of the first companies to make this switch from “exam cram” to teaching skills in an engaging way that allows students to leave with real-world skills they could immediately apply at work. Today, we apply this same philosophy to every cybersecurity training we develop to help learners enjoy and retain important lessons.
For technical training, we use a combination of immersive lectures and hands-on labs in the cyber range to help students learn by doing and gain valuable skills. To give learners more options for hands-on technical training, we launched our new Infosec Skills cyber range this year. Alongside the launch of our cyber ranges, we established the Infosec Skills monthly Challenge for any cybersecurity enthusiast or professional to learn new skills each month — for free. To date, we’ve had thousands of individuals compete in our monthly challenge and share their completion certificates online. The adoption of this monthly challenge has shown that even for technical training, engaging learners and building in an element of fun, competition, and community goes a long way.
On the security awareness and training side, our newly released Choose Your Own Adventure® Security Awareness Games have transformed how our clients deliver security awareness and training to their employees. We partnered with the team behind the Choose Your Own Adventure® brand to bring the excitement and mystery of the popular gamebook series to security awareness and training programs across the world. The games put learners in charge of their own security awareness training program with interactive storylines that encourage critical thinking and decision making — while keeping training fun.
Since phishing is becoming a prominent problem nowadays, could you tell us: what gives away a malicious email?
Despite the continued focus on security awareness training and investments into cybersecurity technologies, phishing continues to be a preferred and effective attack vector for cybercriminals.
When it comes to any type of phishing attack, the best approach is to slow down and think before you click.
For phishing emails, things individuals should watch out for include:
- A sense of urgency with a call to action. Cybercriminals look for individuals to quickly respond or act, granting them access to your system and information. They often use scare tactics or urgent language such as “update immediately” to get individuals to click on malicious links.
- An unexpected or unsolicited email. If you were not expecting an email from the CEO or did not order a package from FedEx, you should not respond to an email about it. Often, cybercriminals will impersonate people and companies you know to entice you to click or respond.
- The use of impersonal or general language. In many phishing attempts, you will see general language referring to you as a “user” or “customer” rather than by your name. Their request may also be vague to entice you to engage.
- Last but not least, misspelled words, mismatched URLs, and incorrect information like the date or location for the company trying to contact you. If something looks off or does not match up, it’s best to report the email to your IT team or email provider for them to investigate.
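As an added example (not from the interview or from Infosec's own material), a small Python checker that tests a constructed email against the indicators listed above: urgency wording, an impersonal greeting, a Reply-To domain that differs from the From domain, and link text that names one host while the href points to another. The phrase lists and the `.example` domains are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristic signals for the red flags listed above. The phrase lists are assumed
# examples, not from the page; a real filter would draw them from observed phishing.
URGENCY = ("update immediately", "act now", "within 24 hours", "will be suspended", "verify now")
GENERIC_GREETING = re.compile(r"\bdear (valued )?(user|customer|account holder)\b", re.I)
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, visible text)

def _host(url):
    """Hostname of a URL, tolerating a missing scheme (e.g. 'www.x.example/path')."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _domain(header_value):
    """Domain part of an address header such as 'Name <user@host>' ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_red_flags(raw_email):
    """Return the sorted red-flag names found in a single-part HTML email (RFC 822 text)."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    flags = set()
    if any(p in body.lower() for p in URGENCY):        # urgency / scare tactics
        flags.add("urgency")
    if GENERIC_GREETING.search(body):                  # impersonal salutation
        flags.add("generic_greeting")
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != _domain(msg["From"]):  # replies quietly routed elsewhere
        flags.add("reply_to_mismatch")
    for href, text in ANCHOR.findall(body):            # link text names one site, href another
        text = text.strip()
        if "." in text and " " not in text and _host(text) != _host(href):
            flags.add("mismatched_url")
    return sorted(flags)

# Constructed sample messages (not real mail); .example domains are placeholders.
SUSPICIOUS = ('From: "Courier Delivery" <notice@courier-parcel-update.example>\n'
              "Reply-To: support@mail-relay.example\nSubject: Action required: package on hold\n"
              "Content-Type: text/html\n\n<p>Dear Customer,</p><p>Your parcel is on hold. "
              'Please update immediately.</p><p><a href="http://courier-secure-login.example/a">'
              "https://www.courier.example/track</a></p>")
BENIGN = ("From: Alice Example <alice@corp.example>\nSubject: Meeting notes\n"
          "Content-Type: text/html\n\n<p>Hi Bob,</p><p>Notes: "
          '<a href="https://wiki.corp.example/notes">https://wiki.corp.example/notes</a></p>')
```

Calling `phishing_red_flags(SUSPICIOUS)` returns all four flag names, while the benign message returns an empty list; the checks are deliberately simple heuristics meant to illustrate the indicators, not a production filter.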
Did you notice any new threats emerge during the pandemic? Were there any new features added to your educational programs as a result?
This past year, we saw new cyber threats emerge, from phishing emails impersonating vaccine updates or Zoom invites to cybercriminals targeting hospitals stretched on resources. Accordingly, the cybersecurity education and training Infosec provides individuals and organizations have never been more critical.
We also saw an acceleration in online cybersecurity education demand to help organizations defend against these new threats. Similarly, Infosec quickly developed a security awareness training series and free resource kit to keep employees cyber safe while working from home, covering topics like securing your Wi-Fi network, updating devices regularly, and practicing password safety. We also rolled out a new gamified training series to help increase employee engagement around cybersecurity despite employees being dispersed.
This was alongside launching hundreds of new online, hands-on security and IT courses, so cyber professionals could ensure their skills remained relevant with the rapid changes in cybercrime and technology, and the Infosec Skills cyber range. The new cyber range allows learners to launch real-world scenarios and put what they’ve learned into practice with the click of a button, removing the need to configure practice environments or home labs.
It is evident that giving back to the community is a big part of Infosec. What are your primary social initiatives?
At Infosec, contributing to the community we work and live in is just as important as the work we do for cybersecurity education. The Infosec Gives program is our company’s philanthropic commitment to sharing one percent of our profit, product, and time to make a lasting impact. Our employees have paid volunteer time, and we additionally match donations. Infosec employees have donated time to over 42 organizations and have made financial donations to over 50 organizations.
Giving back to our cybersecurity community, we have established the Infosec Accelerate Scholarship Program to raise awareness of workforce diversity challenges and the widening skills gap in cybersecurity. To date, this four-year-old program has awarded more than $530,000 in security education to encourage new talent from traditionally underrepresented groups to explore and develop cybersecurity career paths. Infosec Accelerate Scholarships are awarded for women, BIPOC, LGBTQI+, military/veterans, and undergraduates.
With ransomware attacks on the rise, who do you think is usually at fault — an under-informed workforce or weak cybersecurity measures in place?
Most cybersecurity researchers agree that the majority of data breaches can be attributed to human error. The latest IBM X-Force Threat Intelligence Index study reports ransomware, data theft, and unauthorized access as the three most common attack types in 2020, with scan-and-exploit, phishing, and credential theft as the top three initial attack vectors. Phishing is a very serious and common security threat and thus, is covered extensively by the media.
The reality is while many breaches start with phishing and malware, the extent to which hackers gain access to sensitive information and systems is often a reflection of the organization’s IT infrastructure and overall security posture. The recent SolarWinds incident is just one of many examples where something as simple as a stronger password policy or a more effective security awareness program may have prevented a significant breach.
Bottom line: cybersecurity knowledge gaps at any level of the organization pose security risks to the organization and should be mitigated with enterprise-wide security awareness and education.
You recently hopped in on the red flags trend on social media. Share with us, what are the most common indicators of flawed cybersecurity practices on social websites and apps?
Cybersecurity “red flags” on social platforms and apps often include things like a lack of privacy settings, questionable terms and conditions that authorize the use of your data (often data that’s not needed for the app) and third-party apps — like your favorite smartphone game or a photo editing tool — that don’t have the same security policies you accepted with the original social application. The apps you log in to can provide cybercriminals with access to your devices and networks in the long run, so it’s essential to be mindful of which apps you’re allowing to access your data. On the other hand, green flags could be the option for multifactor identification or advanced privacy controls.
It’s also important to make sure you’re practicing good cybersecurity behavior on the apps themselves. People often share too much personal information, which can then be a cybercriminal’s golden ticket into your accounts. The good news is, users can be proactive in mitigating a lot of this risk by using unique, secure passwords for each site or app they use, enabling multifactor authentication, and being mindful of what permissions they’re giving to apps or social platforms. In general, it’s best to take time to audit all three of these items to ensure that the app only has access to the data it needs.
In your opinion, what cybersecurity measures are a must-have these days, especially for securing remote workload?
When securing the increasingly remote workforce, three cybersecurity measures organizations should consider come to mind. First, implementing endpoint security to have visibility and control given the increased devices and threats that naturally come with a hybrid or remote workforce. Second, enabling and ensuring the use of multifactor authentication. This simple step can save organizations and individuals time, money, and brand reputation in the long run by making getting into systems more difficult. Finally, put a data loss protection (DLP) strategy in place. DLP allows leaders to have visibility into their data and its use within the network, and to ensure that security policies are applied correctly. Especially with the increased workforce churn given the “Great Resignation,” it is essential to have methods to prevent data loss or exposure.
Share with us, what’s next for Infosec?
Looking ahead, Infosec is continuing our focus on developing products that make cybersecurity education more accessible and engaging. This will involve continuing our investment into the Infosec Skills hands-on cyber ranges, rolling out new technical training courses aligned to the latest cybersecurity threats and skills, and launching a new security awareness series that will provide additional gamified experiences to learners. Making cybersecurity more accessible, we will be going live with our integrations into worldwide learning platforms like Coursera and Microsoft Viva Learning. We’re excited to expand our Infosec Gives initiative with a new scholarship program that we will be announcing in the upcoming months.