Training employees in the age of artificial intelligence

esteria.white

by Eric Jacksch, Cybersecurity Consultant

The cybersecurity threat landscape is rapidly evolving with the emergence of artificial intelligence (AI) tools. Like everyone else, hackers adopt these tools to improve their efficiency.

AI can be leveraged to make phishing, vishing, and other forms of social engineering easier and more scalable. Natural language processing can make fraudulent emails more believable. Even voices can be convincingly imitated and used to request password resets or steal sensitive information.

According to Salesforce, two thirds of IT managers want to integrate generative AI into their business, although a larger percentage fear increased security risks. As organizations dive headlong into integrating AI into their daily workflows, we must address the associated security risks.

One way to do this is to recognize that criminals are getting better at exploiting human weaknesses. Put yourself in the hackers’ shoes, understand how they think, and your approach to cybersecurity training will be very different. I have found three important lessons about how to think like a hacker that will make your cybersecurity training more effective.

Artificial intelligence: training from a different angle

One of the most important questions to ask trainees is: “If you were a criminal, how would you compromise your system?” This question often reveals vulnerabilities you may never have considered. Once people understand how to exploit a system, they are more likely to recognize when these tactics are being used against them.

Use immersive training techniques, such as asking employees to create their own phishing emails or role-play social engineering attacks, so they can see both the attacker's perspective and the defender's. Consider this example of vishing (voice phishing). The customer service representative falls prey to a sympathy ruse, but by seeing the attack in action you can understand the psychology of the threat and how to protect yourself.

Train in a relevant way

Programs should be suitable for both your business and your employees, and should always consider your threat model – the particular combination of threats and vulnerabilities your organization faces. A hospital, for example, must protect health information in accordance with HIPAA standards, whereas an engineering firm may not have to.

For training to be successful, tailor it to the employee’s unique role within the organization. Talking to an accountant about firewall rules makes as much sense as talking to a network engineer about payroll embezzlement scams. If people can’t see the connection between the information and their role, they’ll feel like you’re wasting their time.

Training must also be adapted to the personal lives of employees. There is a growing overlap between “personal” and “professional”, so helping people avoid cyberattacks outside of work makes training more relevant to them. If an employee’s phone is compromised, it could impact both personal information and the business.

Train continuously

Cybersecurity training should go beyond a single lesson. The threat landscape is constantly evolving, and your employees need practice to keep their skills sharp. How important is continuing education? Seventy-six percent of employees surveyed are more likely to stay with their company when they have it. Employees invest in companies that invest in them.

Keep it fresh and exciting by developing game-like achievements. As employees return for additional training, the achievements create a sense of progression rather than repetition. Call on the experts and consider organizing an online seminar with a cybersecurity professional, allowing employees to learn from another perspective and ask questions live.

Use every tool at your disposal to help your employees stay alert and up to date. Promote ongoing awareness: Send updates via Slack or email to keep your employees alert to ongoing and evolving cybersecurity risks. And when possible, give concrete examples to employees. Have you had four fraudulent attempts to change payroll information this month? Talk to your employees about it. That makes it real.

Virtual reality (VR) can also be a powerful tool for creating an immersive experience. VR may look like “just” a video game, but it works, even in critical areas like surgical training. You’re trying to help your employees think differently, and virtual reality can put them in the shoes of a hacker so they can develop their security skills in a risk-free environment.

Where to start?

From a hacker’s perspective, personal information is one of the most lucrative targets. Your training should help employees learn the following three essential security habits around protecting personal information, starting with password basics:

  1. Use good passwords. Hackers exploit the fact that humans are incapable of creating randomness, the key to a secure password. Use the password generator tool in your password manager, or a tool like Of the to create long and unique passphrases and create stories to make them memorable.
  2. Use multi-factor authentication (MFA) whenever possible. Hackers love to access accounts with just a username and password. Use hardware keys when possible. Avoid text-message (SMS) codes.
  3. Use a good password manager, but don’t store MFA credentials, backup codes, cryptocurrency seed phrases, or other sensitive information there. Hackers would prefer a single point of failure. Compartmentalize your security.

AI will only become more powerful, and so will the cybersecurity threats it brings to the surface. By changing the typical cybersecurity training narrative, employees can stay one step ahead of hackers, protecting personal and business information from their wrath.
