Strengthening Cybersecurity with Targeted Awareness

The Big F.
5 min readSep 9, 2024


Cybersecurity awareness optimizes the human firewall.

Security awareness is one of the core pillars of any effective cybersecurity strategy. Unfortunately, many organizations unintentionally downplay its importance in favour of generic, one-size-fits-all programs that fail to address their unique needs.

Cybersecurity awareness, like other aspects of cybersecurity, has its roots in the military, where knowledge of incoming threats and adversary capabilities drives preparedness and resilience against enemy tactics and potential attacks. If adversaries develop new tactics, techniques, and procedures (TTPs), an army that has not adapted will struggle to defend itself effectively.

Just as military forces prepare for a variety of threats, the security awareness efforts of your organization must likewise be dynamic, adaptable, and aligned with real-world risks. Today, many enterprises treat security awareness training as a repetitive exercise focused solely on phishing and password policies. This narrow focus can leave an organization vulnerable to the full array of TTPs employed by modern adversaries. Let us explore ways to transform your security awareness initiative into a powerful tool that bolsters resilience against cyber threats.

THE PITFALLS OF A NARROW SECURITY AWARENESS PROGRAM

Adversaries are constantly evolving and do not stick to a fixed playbook. They learn, adapt, and grow. A security awareness program that repeatedly highlights the same threats without addressing emerging ones is like treating a single sore spot while ignoring the broader ailment of the body. Such a program creates blind spots, leaving your organization vulnerable to the very threats it seeks to defend against.

To break free from this narrow focus, consider the following strategies:

1 Align Your Security Awareness with Security Monitoring. Your security monitoring program should be more than a detection and response mechanism for incidents. It is also a source of actionable insight into your organization's weak points and the recurring patterns of human error that your security awareness training can address directly. Additionally, incorporating observations from your monitoring program into your attack simulations makes them more realistic and relevant, giving your employees practical experience in handling the threats they actually face.

Feeding recent data from monitoring tools (reported phishing, blocked lures, simulation results) into your awareness training ensures that employees are trained on the most current and relevant threats rather than on generic, outdated material.

2 Incorporate Threat Intelligence into Your Awareness Program. Threat intelligence is vital to staying ahead of adversaries because it describes the TTPs they are using right now. Integrating it into your awareness program keeps employees informed about emerging threats specific to your industry or region.

For example, if your threat intelligence indicates that a particular ransomware operator is targeting your industry, you can quickly update your awareness program to train employees on that group's known initial-access lures and the early warning signs of an intrusion. Your workforce, in turn, becomes a first line of defence that can identify potential threats before they cause considerable damage.

3 Contextualize Security Training with Real-World Scenarios. A major pitfall of security awareness programs is the one-size-fits-all approach. Realistically, different departments face unique security risks, so training should reflect the specific threats relevant to each role.

Data from security monitoring tools and threat intelligence can help to create real-world scenarios. For example, if there is an uptick in phishing attempts against the finance team, simulate these in training. IT staff might need to understand the impact of a misconfigured firewall, while HR needs to focus on safeguarding personal data. Using real-world data ensures training scenarios are current, and threat intelligence keeps them aligned with the latest adversary techniques, giving employees practical and engaging experience with the types of attacks they might encounter.

4 Continuous Learning and Adaptation. Cyber threats evolve rapidly, and so should your training. Security awareness should be treated as an ongoing process, updated regularly based on new threats, incidents, and employee feedback.

For example, phishing-simulation platforms and monitoring tools can show how well employees respond to simulated attacks. If that data shows that employees repeatedly fall for certain types of lures, such as pretext phone calls or credential-harvesting emails, this signals a need to revisit and reinforce those areas in your training.

Employees should be encouraged to share security concerns, report suspicious activity, and stay engaged with the latest trends in cybersecurity. It makes your workforce an active part of the defence strategy rather than passive participants in a static program.
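Strategies 1, 3 and 4 above all come down to the same loop: take what monitoring and simulations actually observed, break it down by department and lure type, and let that decide where training effort goes. The following is an added example of that loop, not code from the original post or from any simulation product. The record format, the department names, the lure labels and the thresholds are constructed assumptions for illustration; the input is a handful of simulated-phishing delivery records built inline.

```python
"""Turn simulated-phishing results into a per-department training plan.

Added example: reads one JSON record per simulated email (constructed data,
schema assumed), aggregates click and report rates per department and per
lure type, and flags departments that need targeted training. Lures that
current threat intelligence says are active get escalated to "urgent".
"""
import json
from collections import defaultdict

# Constructed sample data. The fields (user, dept, lure, clicked, reported)
# are an assumption for this example, not the export format of a real tool.
SAMPLE_EVENTS = """\
{"user": "a.lee",   "dept": "finance", "lure": "invoice",   "clicked": true,  "reported": false}
{"user": "b.okoro", "dept": "finance", "lure": "invoice",   "clicked": true,  "reported": false}
{"user": "c.diaz",  "dept": "finance", "lure": "invoice",   "clicked": false, "reported": true}
{"user": "d.nair",  "dept": "finance", "lure": "mfa_reset", "clicked": false, "reported": true}
{"user": "e.sato",  "dept": "hr",      "lure": "cv_attach", "clicked": true,  "reported": false}
{"user": "f.kim",   "dept": "hr",      "lure": "cv_attach", "clicked": false, "reported": false}
{"user": "g.ahmed", "dept": "hr",      "lure": "invoice",   "clicked": false, "reported": true}
{"user": "h.weber", "dept": "it",      "lure": "mfa_reset", "clicked": false, "reported": true}
{"user": "i.costa", "dept": "it",      "lure": "mfa_reset", "clicked": false, "reported": true}
{"user": "j.roy",   "dept": "it",      "lure": "invoice",   "clicked": false, "reported": true}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise(events):
    """Aggregate sent/clicked/reported per department and clicks per (dept, lure)."""
    per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    per_lure = defaultdict(lambda: {"sent": 0, "clicked": 0})
    for e in events:
        d = per_dept[e["dept"]]
        d["sent"] += 1
        d["clicked"] += int(e["clicked"])
        d["reported"] += int(e["reported"])
        l = per_lure[(e["dept"], e["lure"])]
        l["sent"] += 1
        l["clicked"] += int(e["clicked"])
    return per_dept, per_lure


def training_plan(events, intel_lures=frozenset(), max_click=0.10, min_report=0.50):
    """Return {dept: plan} for departments outside tolerance.

    A department is flagged when its click rate exceeds max_click or its
    report rate falls below min_report (thresholds are assumed values).
    'focus' lists the lures the department actually clicked, worst first;
    an empty 'focus' means the problem is reporting, not recognition.
    """
    per_dept, per_lure = summarise(events)
    plan = {}
    for name, d in per_dept.items():
        click_rate = d["clicked"] / d["sent"]
        report_rate = d["reported"] / d["sent"]
        if click_rate <= max_click and report_rate >= min_report:
            continue  # within tolerance: baseline program is enough
        focus = sorted(
            (lure for (dept, lure), v in per_lure.items() if dept == name and v["clicked"]),
            key=lambda lure: -per_lure[(name, lure)]["clicked"],
        )
        urgent = any(lure in intel_lures for lure in focus)
        plan[name] = {
            "click_rate": round(click_rate, 2),
            "report_rate": round(report_rate, 2),
            "focus": focus,
            "priority": "urgent" if urgent else "scheduled",
        }
    return plan


if __name__ == "__main__":
    # Assume threat intelligence currently flags invoice-themed lures.
    events = parse_events(SAMPLE_EVENTS)
    print(json.dumps(training_plan(events, intel_lures={"invoice"}), indent=2))
```

With the sample data, finance is flagged as urgent (half its staff clicked the invoice lure, which intelligence says is active), HR is scheduled for work on attachment-based lures, and IT is left on the baseline program because nobody clicked and everyone reported. Swapping the constructed records for a real export from your simulation platform is the only change needed to run this against your own numbers.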

OVERCOMING CHALLENGES

Balancing security awareness programs with internal business politics is a big challenge. Executives may push for simplified simulation exercises for higher pass rates, avoiding employee embarrassment and protecting morale. However, this weakens the program and leaves the organization vulnerable.

For example, one company simplified phishing simulations, leading to high pass rates but a false sense of security. When an actual spearphishing attack occurred, employees were unprepared, resulting in a data breach.

Recommendations:

  • Communicate Risks: Help executives understand that realistic simulations prevent costly incidents by focusing on risk management.
  • Align Goals: Show how security supports business objectives like maintaining customer trust and long-term resilience.
  • Provide Evidence: Use metrics and case studies to demonstrate the effectiveness of stronger simulations.
  • Offer Compromise: Start with easier simulations to build confidence, then gradually increase the difficulty to reflect real-world threats better.

CASE STUDY: GENERIC AND MISALIGNED PHISHING SIMULATIONS

Example Inc., a hypothetical multinational firm, ran a phishing simulation to improve its employees' ability to detect phishing emails. However, the simulation was flawed: it used only generic, easily detectable phishing emails, so employees had to recognise only the most obvious indicators, and the pass rate looked excellent.

Despite their success in the simulation, the employees fell for a real, sophisticated spearphishing campaign. The attackers crafted personalized and convincing emails that bypassed the employees' defences, leading to a significant data breach.

The data breach led to the exposure of sensitive corporate information, financial losses, and damage to the company’s reputation, highlighting the gap between the training provided and the current threat landscape.

Lessons Learned:

  1. Training programs must incorporate realistic scenarios that mirror the tactics used by actual adversaries.
  2. Regularly update training materials and simulations to reflect the latest threat landscape.
  3. Customize training to address the specific risks encountered by different roles and departments.
  4. Provide employees with hands-on experience through simulations that mimic real-world attacks.
  5. After each simulation, use the specifics of that exercise to debrief employees on what they missed, and gather feedback from participants to identify areas for improvement.

ADAPT, EVOLVE, AND MAKE IT MATTER

Your security awareness program should be as dynamic as the threats it aims to mitigate. By leveraging security monitoring, integrating threat intelligence, and encouraging a culture of continuous learning, you can create a program that is not just compliant but genuinely effective.

Remember, the goal should be more than training your employees. It should aim to empower them to become active defenders and security-conscious ambassadors of your organization.

Written by The Big F.

The personification of the phrase: " The quieter you are, the more you are able to hear." I like sharing knowledge and learning to add to it.
