Twenty years ago, cybersecurity awareness might have meant that you should update your antivirus definitions twice a year or so.
Things have come a long way since then, although it has only really been during the last 6-8 years that we have made strides as an industry in getting workers and the public up to speed on the current threat landscape, and we still have a long way to go.
Part of the challenge is that the goal posts are always moving – just as you bring out an innovative, exciting course on the latest threat trend, a new threat variant emerges or a new type of vulnerability gets exploited, and so the cycle continues.
Recently, training at board level, along with senior managers and other decision makers, to inform them of key cyber-related business risks and threat trends has become critically important, particularly in the light of supply chain attacks on purchased services and software from upstream providers.
Choosing the right business partners based upon their security and privacy investments and compliance, in tandem with the quality of their solutions, has become critical in today’s world.
With the fast pace of change come other challenges, such as generative AI and large multimodal models. These have gained amazing traction in the mainstream, and their potential uses are still becoming understood, but cybercriminals are also learning how to harness their power.
In the past, we could train users to look out for spelling mistakes, bad grammar and naïve use of language to help them to defend themselves, but now the criminals can automatically generate highly believable and compelling content to use in their attacks.
Additionally, since these models can even write computer code for you, this is opening the door for attackers with lower skillsets to achieve new capabilities through the generation of malicious code, helping them to distribute their phishing emails and to track and automate their responses when users click on their links.
Of course, AI continues to help defenders to detect malicious messages and calls, but it does take defenders time to catch up as new attack techniques evolve.
Other misuses of AI, such as the use of deepfakes in vishing attacks, are another challenge for training organisations – we are rapidly moving forward to a time when we will need secret authentication codes or other methods to validate that a call or message has really been made by the person you believe it to be. For now though, awareness of such techniques is essential.
It has been great to see the evolution of cybersecurity awareness content – making it engaging to its users is fundamental to delivering the promised security benefits of exposing users to these types of systems.
In the early days, the training would be very bland and dry, and it would not really help users to understand the background to the threats they are facing. Now we have fantastic content that really helps to get the message across while keeping users interested and entertained.
What about senior citizens and those more vulnerable? Here we still have much work to do; finding ways to engage with more challenged users is a greatly important challenge to which the industry needs to rise.
We may be able to train and thus protect the majority of users in terms of activity volumes, but those who have less access to, and experience of, technology are particularly at risk.
The cybersecurity awareness training market is still growing very rapidly and is due to exceed $10 billion per year by 2027. That is a staggering growth of over 1000% over a 14-year period, so indications are that the solutions are indeed mature, but expanding rapidly in terms of coverage and exposure to new users around the world.
Despite this, the sliding doors encountered when traversing the cyber threat landscape ensure that no training solution will ever be able to stand still, no matter how successful it may be at any point in time. Growth and innovation are non-negotiable in this space.
An unexpected boost to general public awareness of scams has come from groups of “scam baiters” – including “grey hat” hackers with pseudonyms such as Jim Browning, who post videos showing scam call centres in action after they have been able to “hack the hackers” and inform law enforcement about their activities.
This is eye-opening content, and it draws many online views – each one helping to tell the story of how these scammers operate. The better informed we all are about scams and cyber threat actors, the more ready will be our defences; however, these activists are skirting the limits of what is legal – hence maintaining their anonymity.
We certainly will never reach a utopia where all users are so aware of the online risks they face that they can fend off all attacks, but it is great to see the progress being made by industry and individuals alike. It is also good to see increasing mandated awareness training for various industry compliance regimes and a maturing and consolidating market of cyber awareness solutions.
Perhaps our maturity level is that of a teenager, but one now reaching drinking age, and I’ll raise a glass to that!