With industries reeling from a wave of large-scale cyber attacks, businesses are looking for outside help to make sure their staff are aware of the latest threats.
James Hadley, CEO of Bristol-based tech start-up Immersive Labs, said it was difficult to ensure that the staff tasked with protecting their company’s systems were ahead of the ever-changing threats.
Hadley was a cybersecurity instructor at UK intelligence service GCHQ before setting up Immersive Labs to bring his training skills to corporate clients.
Its platform uses gamification, constantly updated data on new malware threats, and simulated attacks to train people in the best responses, rather than the traditional style of a training course.
“This [courses] takes a long time and it dates really quickly,” Hadley told CNBC. “There are always new attacks and new tools coming out all the time, so how do you keep this skill up to date?”
Immersive Labs targets its platform at people working in technical roles on a daily basis, such as application developers and executives, who may be required to lead incident responses.
He said he has seen an increase in queries from companies scared of cyber attacks like the ransomware that hit Colonial Pipeline.
“We are increasingly seeing a market demanding stress testing decision making. Our cyber crisis simulator, which puts people in the hot seat to make decisions during a ransomware incident, is becoming the hottest arrow pointed from our quiver.”
But Immersive Labs focuses on training people working in already technical roles. This leaves many other professionals in businesses whose workflows and habits can be gateways for cybercriminals.
A recent survey by cybersecurity firm Arctic Wolf found that 73% of small and medium-sized businesses in the UK believe their staff are ill-equipped to respond to a cyber attack.
“At the end of the day, it’s true that people are the weakest link in cybersecurity,” Avi Shua, CEO of Orca Security, another cybersecurity firm, told CNBC.
Working from home has further opened up the scope for attacks in a business where people use their own devices or chat apps like WhatsApp to stay in touch with coworkers.
This reinforced the need for greater cybersecurity awareness among employees, but Shua said it was not that simple.
“We definitely need to invest in training, but I think we can’t rely on everyone being aware of cyberspace all the time. I think relying on that will fail,” Shua said.
“I’m in the cybersecurity business so I think about cybersecurity every day,” he added, but noted that staff in accounts, HR or other roles are busy with their own daily tasks.
“If I am an accountant, I cannot think at every moment whether the communication I have is (secure). If this is your strategy, it will fail.”
“(The training) will improve an organization, but I think an organization needs to put more emphasis on tools that will significantly help their employees distinguish between legitimate and illegitimate communication.”
Alan Woodward, cybersecurity expert and professor at the University of Surrey, said focusing on training people in non-technical roles to be more cybersecurity aware tends to put too much weight on people.
“The big problem with educating people, it tends to be a one-time exercise and we’re all human, we all forget and criminals are very smart in the way they manipulate us socially,” he said.
Woodward and Shua both said the right approach is to combine technical solutions to detect threats and implement human processes for staff to follow, but without relying on each other.
Woodward added that companies should be wary of cyber snake oil vendors emerging after major attacks like the one on Colonial that promote training or other tools that promise protection.
“It’s kind of like dealing with anything online really. All you can do is research them, do your research, do a little bit of due diligence on them,” he said.
Ransomware is the biggest threat right now “a mile outside the country,” Woodward said.
With Colonial paying $5 million and JBS paying $11 million to recover their files, a business facing a similar ransomware problem will be grappling with whether to pay.
Hadley of Immersive Labs said that as a cybersecurity professional his position is to never pay, as this only motivates cybercriminals to continue their mischief, but acknowledged that companies in this situation may think that they have no choice.
When a business is affected by ransomware, having effective backups is one way to get back on track. But backups also can’t sit idle, Hadley said, and companies should regularly check that these backups are functional and easy to restore. That way, in the event of a disaster, they can be relied on.