Threats to cybersecurity and data privacy continue to evolve, and 2017 will be no different.
A sampling of recent prediction articles bears this out. Data breaches will become better targeted and cost more. Hackers will find more avenues to access sensitive data in order to make money off of it. Ransomware will “spin out of control.”
But that’s not my angle—I’m interested in the human side, in how you get your employees to secure your organizations against these threats. With employee awareness on the brain, I wanted to look at the coming year through the lens of training and education.
Here are five trends I think will affect security and privacy awareness best practices and strategies among employees for 2017.
Giving the People What They Need
2017 will see an increase in hyper-targeted learning, led in part by a rise in popularity in user behavior analytics and ambient knowledge.
As Gartner analysts Matthew Cain and Stephen Kleynhans write, ambient knowledge is an algorithm-driven way of delivering customized information to users based on user activity. Most of us encounter ambient learning on a regular basis, as sites like Amazon and Netflix use this concept to deliver recommended content based on past actions.
In 2017, we will undoubtedly have more ways to know who’s doing what. These emerging technologies will give us more insight into the behavioral risks that exist in our organizations and greater ability to deliver the right content at the right length to the right people. The better aligned awareness content is to an organization’s unique risks, the more effective it will be.
The popularity of microlearning will continue to grow as the most viable approach to combatting the “forgetting curve.” It’s about time!
Put simply, microlearning is the practice of delivering small bits of learning content over short periods of time. The theory behind microlearning presumes that learners have relatively short attention spans and will not learn anything sitting through hours of training at a time.
In practice, microlearning can also be built into an organization’s training deployment strategy to deliver training when it is most needed. Say, in the privacy awareness space, if an employee saves a sensitive document to an unsecure location, you could deploy a unit of microlearning (like a short video) to get them back on track. In this way, microlearning can bring a great amount of flexibility to an overall learning structure in terms of both training content length and delivery.
In response to this trend, awareness vendors will be expected to deliver learning content of varying lengths to fit the varied learning styles of users.
For more, check out our white paper on microlearning.
Sick and Tired of Security: Battling “Security Fatigue”
One of the more intriguing studies of 2016 was research coming out of the National Institute of Standards and Technology (or NIST, the developers of the oft-cited NIST Cybersecurity Framework) that tells us something we likely already know: “security fatigue” is real.
The NIST researchers found that the average user gets so tired of deploying security precautions and are so unconvinced that their actions matter that they willingly behave in ways that imperil both themselves and their organization. Anyone who has re-used a password, connected to an open public network for “just a minute,” or sent a work document to a personal e-mail address—and after all, isn’t that all of us?—knows what it is to feel “security fatigue.”
The challenge for those of us committed to overcoming security fatigue is to create arguments for security and privacy that are either so compelling or so easy to implement that there is no reason not to. How exactly this can be done remains to be seen, but I do believe that 2017 will see more creative ways to solve this problem than ever before.
They’re Coming After Your C-Suite
CEOs and other executives represent some of the most attractive targets for cybercriminals seeking sensitive data to sell on the black market, and they will continue to be big targets in 2017. Executives are the ultimate privileged users in most organizations; they have the highest level of access and knowledge about company networks and infrastructure.
The business email compromise (BEC) scams of 2017 will likely continue and morph, as cybercriminals try to dupe those with access to C-suite email addresses, as well as C-suite members themselves into fund transfers. Over the last three years, the FBI reports that spoofed CEO emails cost companies $2.3 billion.
It’s a real problem, for those with the metaphorical “keys to the kingdom” have immense pressures on their time and resources, making them susceptible to social engineering. All it takes is one errant click of a mouse to give an attacker access to an organization’s sensitive client data and other records.
The problem is these same folks are also too busy, too distracted and “too smart” to participate in conventional cybersecurity training. That’s why we expect to see a heavier focus on security and privacy awareness training tailored specifically to executives. Executives need to know the same security and privacy lessons as any other employee, but it has to be delivered in their language.
Privacy Served with a Side of Privacy
There will be an even greater focus on privacy concerns in the corporate world, with the GDPR coming down the pipe. Privacy by Design—mandated by the GDPR—will get worked into every software product and technical solution out there. This includes employee awareness.
Because the GDPR is far-reaching, I believe it will change the dialogue on the importance of privacy protection from the executive level down to the employee level. Put another way, we feel the GDPR will encourage privacy to be thought of as everyone’s responsibility, as it should.
This new discussion will be happening not just in companies that have already been in compliance with the data protection directive but also across companies of all industries.
Additionally, the GDPR in no uncertain terms calls for privacy awareness training. For example, article 39 section 1B makes an organization’s data protection officer responsible for assigning “awareness-raising and training of staff involved in processing operations.” With this much regulatory pressure, organizations will be well served to bake privacy concerns into all they do or pay the consequences.
The Next Big Threat Is….
The next big threat is…. That’s really the question, isn’t it?
Trouble is, no one can really know what it will be. Late in 2016 we saw the IoT getting implicated in massive DDOS attacks, and it seems likely there will be more on this front.
One thing that we see as more certain, though, is that the next attacks will circumvent technological safeguards and seek ways to exploit human weakness. For all that changes, one thing will remain the same: cybercriminals will keep coming up with new ways to trick your employees.
Is your workforce prepared?
About the Author: Tom Pendergast is the chief architect of MediaPro’s Adaptive Architecture™ approach to analyze, plan, train, and reinforce to deliver comprehensive awareness programs in the areas of information security, privacy, and corporate compliance. Tom Pendergast has a Ph.D. in American Studies from Purdue University and is the author or editor of 26 books and reference collections. Tom has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.