Even though everyone knows that cyber threats exist and are extremely active in cyberspace, only a few can confidently say that they know how to mitigate them effectively. Unfortunately, the human factor plays an important role when it comes to cyberattacks.
In fact, malicious threat actors often take advantage of people who lack cybersecurity knowledge to infiltrate their systems with malware or use them to attack the whole company network.
For this reason, we talked with Ragnar Sigurdsson, the Co-Founder and the Head of R&D at AwareGO. He explains how cybersecurity awareness training can significantly reduce the risk of attacks and lists the most prominent threats to look out for.
What was the vision behind AwareGO? Can you tell us more about your story?
AwareGO was founded in 2007 by me and Helga Steinthorsdottir. From 2003 to 2007, I was a penetration tester, where I learned firsthand that to keep systems safe, I had to address more than just the technical parts. I had to focus on the users of these systems – the people. When I held seminars and lectures about best cybersecurity practices for employees, I soon found that people would quickly lose interest and doze off or stop paying attention. So, I decided that to keep people interested, the material had to become more fun and interesting. This is why AwareGO was founded – to train people in a short and fun way with videos instead of long lectures with high costs.
You stress that security awareness should be enjoyable. How do you manage to keep your training videos educational and, at the same time, entertaining?
Our methods build on expertise from security experts, behavioral scientists, and marketing people. We believe they have mastered the way to bring memorable messages to people by nudging them in the right direction. In every video, we try to thread the thin line between educating and entertaining to make the users aware of the risk, how to mitigate it, and understand why they should care. We try to do all this memorably, using humor and concepts people can relate to, to increase the likelihood that the users will remember and react correctly when they are exposed to threats.
At AwareGO, you place a lot of attention on sustainability. What are your key principles, and what was the reason behind this approach?
We have this vision of making the world a safer place in terms of cybersecurity, but we also emphasize not leaving it worse off environmentally than how it was handed to us. We believe that cyberspace has made the world smaller. It saves CO2 emissions on travel and can enable people to work from home, which also has a positive effect on CO2 emissions due to traffic. Therefore, by making organizations able to use the Internet securely and minimizing their risk, we believe we are helping, even if just a little. To combat the fact that the Internet is reliant on power and has its own carbon footprint, we try to offset it as much as we can. That includes recycling our trash, buying used furniture for our office, and encouraging our employees to do the same on a personal level, for example by using environmental means of transportation or working from home.
Since the pandemic proved to be a test for cybersecurity specialists worldwide, what would you consider to be the main takeaways?
The main test was to have a secure working environment when working from home and not behind the company firewall. People behave differently at home than at work and things that are less risky at the office can become risky at home, such as data handling and document storage. Remote work and remote meetings do work and people want to have this option. Companies were forced into a new era where their technological infrastructure, security measures, and policies matter more than ever for them to be able to continue doing business and offer an attractive work environment for employees, but still protect themselves from cyberattacks.
In your opinion, what types of attacks are we going to see more of in the near future? Who is going to be the main target – individual users or large organizations?
I think we will see more ransomware attacks. With the rise of Ransomware as a Service, criminals who were not associated with cybercrimes now have these tools in their arsenal. They can now attack people and organizations that they have some knowledge of rather than deploying a generic mass attack on email addresses from abroad.
Recently we saw an attack that halted the business of Toyota. The attack was not made on Toyota but on one of their suppliers. Toyota, as a large enterprise, is probably well protected against cyberattacks, while their smaller suppliers may be seen as easier targets. Cybercriminals will find ways to disrupt important and expensive supply chains all over the world, and no link in the chain is too small for them. Small and medium-sized businesses are increasingly being targeted as their security posture is generally less robust.
Why do you think certain companies often overlook employee cybersecurity training?
I think this is especially the case with small and medium businesses. They are less likely to have a person responsible for cybersecurity training or a budget allocated for cybersecurity. If they do have a budget, it is mainly spent on technical solutions. Because of data protection laws, more and more SMEs have been doing some kind of cybersecurity training to check a box. We are now seeing a shift in the market from compliance or check-the-box towards risk management, as the human factor in cybersecurity cannot be overlooked anymore.
In light of the growing ransomware incidents, what can companies do to protect themselves? Does it come down to updating security measures or providing training for the employees?
It will always be both. Companies will always have to put strong technological solutions in place, such as antivirus software and firewalls. But because those solutions have become so advanced, hackers are increasingly turning their attention to simply hacking people. These solutions are only as strong as the people who use them. If the people are unaware of the risks or think that no matter what they do online, the company’s firewall or antivirus will catch it, they pose a major threat to their workplace. This is why training employees is important too and should not be overlooked. In fact, 85% of successful cybersecurity breaches can be traced to some kind of human manipulation, be it downloads from spoofed websites or opening infected attachments in phishing emails. Cybersecurity training could give companies up to 5 times higher return on their investment if you factor in the cost of cybersecurity breaches, downtime, fines, and lost data.
With work from home becoming the new normal, what are the most prominent security threats that the workforce should be aware of?
Phishing is and will continue to be the number one method of hackers, whether they are large-scale hacker communities trying to infiltrate and infect a whole workplace with ransomware and spyware or smaller players trying to trick individuals out of a small sum. They will continue to rely on all types of phishing – via email or text messages, phone calls, and dating apps, and even by creating fake ads and websites to do search engine phishing.
We have been focusing a lot of our attention on teaching people about phishing, how it is done and why it is done. We’ve even created a whole guide to phishing called AwareGO’s School of Phish, which we are giving away for free to help out, as well as this “Think before you click” infographic video about phishing.
Other threats specific to working from home or hybrid work are, for example, using unsecured home Wi-Fi, sending work files to your private email address or data storage, leaving your work computer unattended, or leaving sensitive documents out in the open. Data security is a big part of the risk involved when your home becomes your workplace. We covered this in more detail in our Guide to Hybrid Work and Cybersecurity, which we published late last year.
And finally, what’s next for AwareGO?
We will continue to monitor trends in cybersecurity and react by adding relevant micro-learning videos to our growing catalog. We can cover new threats very fast because our company setup is very agile. We have also created and designed a Human Risk Assessment which, at this moment, is only available to our partners and enterprise clients but will become available to SMEs very soon.
The Human Risk Assessment was created by cybersecurity and human behavioral experts to help organizations measure and identify their cyber risk in multiple threat areas. This goes well beyond any phishing simulation available today and also measures, for example, how employees handle passwords and sensitive data. Organizations can then select the relevant training to remedy vulnerable areas. Our clients will be able to use this tool to get a baseline of their cybersecurity score before administering any training and to see the result of their training afterward.
All our products are in constant development, meaning we add content, assessment questions, and risk areas that we tackle regularly. In the future we plan to make our platform more AI-based, meaning that the platform will be able to take care of assessing and remedying employee knowledge and behavior automatically.