The onus of cybersecurity extends beyond all previous boundaries, and responsibilities no longer rest solely with uber geeks who engage in cyber warfare from sterile rooms with raised floors, whirring fans and blinking lights.
In fact, the single greatest asset to the cybersecurity workforce is the workforce in general. It is also its greatest liability. Valued and secured corporate assets are touched at different levels by all authorized users on a corporate network.
The cybercriminal could have many motivations for breaching the network, from theft, fraud and blackmail to just plain fun. Additionally, network attacks can range from unauthorized access to the denial and disruption of service. A cybercriminal’s varied methods for disrupting business and compromising assets and information create an evolving environment that leaves your network assets vulnerable. The people responsible for those far-reaching assets are not cybersecurity specialists, but standard authorized users.
Recently, a certain manufacturer unveiled something called USB Kill. Simply put, it is a portable USB device that, when plugged in, rapidly draws power into its capacitors and then unleashes the stored energy in one fatal blow to the device into which it is plugged. The result is instant death to that device.
Obviously, this is not a hacking access issue. However, cybercriminals also seek service and asset denial on a large-scale basis, from Distributed Denial of Service (DDoS) attacks to power grid manipulations. This particular threat illustrates an end-point vulnerability. And, in this case, end point means the general asset holder: the workforce populace, who are lacking cyber awareness training at an alarming level in the corporate world.
Recently, I had a valued business partner tell me of an experiment they did where they randomly dropped 200 USB drives in high-traffic, public locations in Chicago, Cleveland, San Francisco and Washington, D.C. These thumb drives contained a text file that instructed whoever found them to send an email to a specific address and inform the receiver of where it was found. This “message in a bottle” experiment garnered alarming results, with 20 percent of the dropped devices garnering replies to the message on the USB drive. This means that those “found” USB drives were plugged into machines and the text file was opened and read. I cannot give you exact numbers, but it is not difficult to imagine that many of those USB drives were plugged into corporate-owned assets. It is a looming question as to what would have happened if these had been “USB Kill” sticks or, even worse, had contained malware, ransomware or a remote code of some sort.
The workforce populace represents our true end-point security phase and, sadly, they are the least well informed. You can attribute that to a traditional education model where the available cybersecurity training consists of defending network assets through firewalls, network tools, and threat management policies, none of which apply to the general workforce.
Cyber awareness-level training is appropriate for all members of the corporate workforce, and reflects an organization’s true devotion to creating an educated and vigilant team. In addition to instilling the security virtues necessary to prevent an otherwise preventable issue, it serves as an excellent standard when mandated and deployed for all corporate network users as a best practice.
Global Knowledge is proud to offer a state-of-the-art cybersecurity product from CompTIA, a top-level security industry leader, called CyberSecure. Appropriate for all corporate citizens, it builds true cyber awareness in a highly interactive, self-paced format that can be completed in about an hour.