The New Monster in Your Closet — Cyber Attacks and How to Prevent Them by Training Your People
What are the critical cyber threats looming in 2024? According to a Department of Homeland Security report released in September of 2023, the top threats to watch out for include cybercrime, attacks on critical infrastructure, cyber espionage, emerging technologies and more.
Cyber attacks and subsequent data breaches or interruptions in productivity can be incredibly costly for businesses.
- The global average cost of a data breach rose from $4.24 million in 2021 to $4.35 million in 2022.
- Phishing was the initial attack vector in 16% of breaches, and those breaches were the most expensive, at an average cost of $4.91 million.
- Breaches that began with stolen or compromised credentials cost an average of $4.50 million.
Clearly, improving cybersecurity should rank at the top of every business’s to-do list.
ELB Learning sat down with cybersecurity expert Sai Huda, founder and CEO of CyberCatch, a defense-grade AI-enabled continuous cybersecurity compliance and cyber risk mitigation solution provider, and author of the best-seller Next Level Cybersecurity, to learn more about today’s cybersecurity environment and how businesses can prepare.
Q: What is the top cyber threat a business owner faces today?
Sai: You will be surprised to hear my answer. The top cyber threat is the human. Unfortunately, 74% of data breaches are caused by human error, according to Verizon’s 2023 Data Breach Investigations Report, which examined 16,312 cybersecurity incidents.
Here are a few examples of simple human errors that can cause big security problems:
- A human at a business clicks a link or downloads an attachment that is malicious in an email
- A human uses a poor password that can be guessed in less than a second
- A human misconfigures a server or is sloppy with code on a website
Why are these the top security threats? All these actions create a security hole that an attacker then exploits.
Q: Could you walk us through a real-life cyberattack scenario and how the business was impacted?
Sai: Let’s take one of the biggest attacks, the Colonial Pipeline. Most don’t know this, but it was human error that allowed the attacker to break in and install ransomware and cause a national emergency.
The Colonial Pipeline is the largest pipeline for transporting refined petroleum in the U.S. The attack forced it to shut down operations for five days, causing shortages of gasoline, diesel, and jet fuel—impacting 45% of pipeline operators and causing 17 states to declare a state of emergency.
How did this happen? The attacker used a Colonial employee’s poor password and dormant VPN access to break in. As there was also no multi-factor authentication, the attacker got to the billing system quickly and easily and installed ransomware.
Another recent attack, this time against the MGM Resorts in Las Vegas, Nevada, reinforces these points. In this case, it appears that the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s IT help desk to obtain credentials to access and infect the systems. The attack caused more than 10 days of disruption to the company’s casino, reservations system, digital room keys, payments, and other operational issues.
In addition to all that loss of revenue, MGM Resorts is now facing class action litigation in two separate lawsuits filed in U.S. District Court in Nevada in connection with the cyberattack.
Proper cybersecurity training could have helped prevent both of those attacks.
Q: Today’s workforce is more globally dispersed than ever. With the increase in working from home, what kind of new threats do businesses face?
Sai: Working from home increases the attack surface for a business because now the attacker has the employee’s home network to attack as a starting point. Then, they can easily pivot to the business. An attack can be as simple as cracking an employee’s poor password that they are reusing for multiple business tools and services.
Q: What preventive measures would you recommend to fill those gaps?
Sai: At a minimum, every single business must require multi-factor authentication (MFA) for their employees—whether remote or not. Simply requiring a username and password is no longer good enough. The next step is to roll out effective security awareness training for every single employee, whether full-time, part-time, or independent contractors.
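The Colonial Pipeline and remote-work answers above describe the same three weaknesses: a dormant remote-access account, no MFA, and a password that is already in attackers' hands. The script below is an added example, not part of the interview or CyberCatch's product, showing how an administrator can audit for all three. It checks passwords the way the Pwned Passwords "range" API does (only the first five hex characters of the SHA-1 leave the machine), but the breached-password corpus, the account list and the audit date are constructed sample data embedded here so it runs offline; `range_lookup` stands in for the HTTPS call.

```python
"""Audit remote-access accounts for dormancy, missing MFA and breached passwords.

Added example; the breached-password corpus and the accounts are constructed
sample data, not real records.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-in for a breached-password corpus (password -> times seen).
# A real check would query https://api.pwnedpasswords.com/range/<prefix>,
# which answers with the same "SUFFIX:COUNT" lines this fake produces.
_BREACHED: Dict[str, int] = {"password": 9_000_000, "123456": 40_000_000, "Welcome1": 120_000}


def _sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def _build_range_db() -> Dict[str, List[str]]:
    """Index the constructed corpus by 5-char SHA-1 prefix, as the range API does."""
    db: Dict[str, List[str]] = {}
    for pw, count in _BREACHED.items():
        digest = _sha1_upper(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


_RANGE_DB = _build_range_db()


def range_lookup(prefix: str) -> str:
    """Offline substitute for the HTTPS range query (assumption: same response format)."""
    return "\n".join(_RANGE_DB.get(prefix.upper(), []))


def breach_count(password: str) -> int:
    """k-anonymity lookup: send the hash prefix, match the suffix locally."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


@dataclass
class Account:
    username: str
    last_login: Optional[date]  # None means the account has never been used
    mfa_enabled: bool
    vpn_access: bool


def audit_account(acct: Account, today: date, max_idle_days: int = 90) -> List[str]:
    """Return the findings for one account; an empty list means nothing to fix."""
    findings: List[str] = []
    if acct.vpn_access and not acct.mfa_enabled:
        findings.append("VPN access without MFA")
    if acct.last_login is None:
        findings.append("never used; disable or remove")
    elif (today - acct.last_login).days > max_idle_days:
        findings.append(f"dormant for more than {max_idle_days} days; disable")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Audit every account and keep only those with findings."""
    results = {a.username: audit_account(a, today) for a in accounts}
    return {user: f for user, f in results.items() if f}


# Constructed sample accounts and a fixed audit date so the output is reproducible.
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2024, 1, 10), mfa_enabled=True, vpn_access=True),
    Account("contractor7", date(2023, 6, 1), mfa_enabled=False, vpn_access=True),
    Account("svc-billing", None, mfa_enabled=False, vpn_access=False),
]
AUDIT_DATE = date(2024, 2, 1)

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(findings)}")
    for pw in ("Welcome1", "correct horse battery staple"):
        print(f"{pw!r} seen {breach_count(pw)} times in breach corpus")
```

Run `breach_count` when a user sets a password (NIST SP 800-63B asks for exactly this deny-list check) rather than against stored credentials, and run `audit` on a schedule so a contractor's VPN account does not sit unused and unprotected until someone else finds it.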
Q: What’s the best way for a business to ensure all its employees are prepared to identify and prevent cyber threats?
Sai: The key to success is effective security awareness training, but not just any training. If you’re delivering a text-heavy, “Next”-driven, PowerPoint-style training, it will likely be a waste of time and money.
The training must be engaging, sticky, and provide skills for the learner to quickly acquire so they can be a strong and effective human firewall. The training should teach how attackers think and behave and use real-life cyberattack cases.
For example, CyberCatch and ELB Learning recently partnered together to create a series of next-generation cybersecurity awareness training games. HackOps, the first in the series, is a highly engaging cybersecurity gamified course that combines the best of two entertainment worlds - movies and games - into an immersive virtual reality experience like no other.
In this game, learners role-play as an undercover operative for HackOps and learn how cyber attackers use common tactics, techniques, and procedures (TTPs) to break into the network, steal data, and install ransomware (e.g. spear phishing and exploiting vulnerabilities, among others).
Through realistic and engaging training that simulates how cyber attackers actually steal data and install ransomware, humans can become cyber smart and learn how to defend their business. Remember, 74% of data breaches are caused by human error. So a cyber smart business is a cyber strong business.
Interview conducted by ELB Learning with:
Sai Huda
Founder & CEO at CyberCatch
CyberCatch is an AI-enabled, continuous cybersecurity compliance and risk mitigation solution provider. He is a globally recognized cybersecurity expert, author of the best-selling book Next Level Cybersecurity, and co-author of Canada’s national cybersecurity standard. He is the former GM, Risk, Information Security & Compliance, of FIS, a FORTUNE 500 company. Under his leadership, FIS attained the number one ranking in RiskTech100. Prior to FIS, he was founder & CEO of Compliance Coach, an industry-leading compliance Software-as-a-Service provider. He is a founding board member at Cyber Center of Excellence and a board member at Classroom of the Future Foundation.