Cybersecurity training isn’t working. And hacking attacks are only getting worse
The threat of cyberattacks is growing and much more needs to be done to educate businesses and users about risks in order to prevent widespread damage and disruption as a result of cyber incidents.
Events like ransomware attacks against utilities and infrastructure providers, production facilities and hospitals have demonstrated that cyberattacks can have very real consequences for people, restricting access to vital goods and services for days, weeks and even months.
But despite the risk posed by cyberattacks, many businesses and their boardrooms still don’t fully understand the threats they’re facing from cybercriminals and how to best defend their networks against them.
See also: A winning strategy for cybersecurity (ZDNet special report).
Part of the problem is that, for many businesses, cybersecurity isn’t ingrained into everyday operations and employees are only asked to think about it when doing annual cybersecurity training — leaving companies at risk from cyberattacks the rest of the year.
“I think one of the most important things to realise is most of the education and training done, it’s not very effective,” Stuart E. Madnick, professor of information technology and engineering systems at MIT Sloan Executive Education told ZDNet Security Update.
“The 30-minute video you’re obligated to watch once a year doesn’t do the job”.
According to Madnick — who has been at M.I.T. since 1972 and has served as the head of MIT’s Information Technologies Group for more than 20 years — organisations need to build a culture of cybersecurity that actively involves everyone.
If people have a greater understanding of how their organisation falling victim to a cyberattack could affect them, it could lead to everyone being more careful when it comes to cybersecurity.
“If somehow you think you play a role in defending your company, it’s important, but that’s not something we’ve been used to in the past, so you have to help people understand that,” said Madnick.
Many people associate cyberattacks or being hacked with having their personal information or bank details stolen. But the reality is that cyberattacks are becoming much more damaging and costly. Incidents, from ransomware attacks to data breaches or business email compromise (BEC) scams can cost organisations millions.
And as critical infrastructure and vital services become increasingly connected to the internet, there’s the additional risk of cyberattacks causing widespread disruption.
“One thing we’re just beginning to see now are attacks on the cyber infrastructure of organisations, like hospitals and power grids,” said Madnick.
“Imagine the electricity of London going out, not for an hour-and-a-half, not for a day, but for three weeks. That could be pretty serious,” he added, noting this isn’t just a fictional scenario, as Ukraine has previously seen power outages in the dead of winter because of cyberattacks, suspected to come from Russia.
That’s far from the only time hostile hackers have entered networks of critical infrastructure, with attackers detected inside the networks of American utilities providers. There’s the risk that it’s only a matter of time before attackers take advantage of vulnerabilities in industrial networks to cause damage and disruption.
If we don’t take this seriously we’re going to suffer serious consequences, he argues. “That’s why it’s so important to educate broadly on the implications of cybercrime,” said Madnick.
“The worst is yet to come,” he adds, noting how more and more of life now depends on technology.
For example, the rise of the Internet of Things (IoT) means basic appliances and sensors are connected to the internet — but, if they’re not properly secured, they’re just another avenue that attackers can use as a gateway to wider networks.
Madnick cited how something as simple as a toothbrush can be IoT-connected. While the app might give a user feedback on how well they’re brushing their teeth, a toothbrush that’s not secured properly could potentially carry cybersecurity risks. And more and more devices are being added to networks that won’t have been designed with IoT devices in mind.
“Almost every product, except a brick, will have a computer in it, so the number of devices that can be cyber-attacked is increasing exponentially,” said Madnick.
“The attack surfaces are multiplying all over the place and the consequences of these attacks are hard to imagine yet,” he added.