Five critical cybersecurity trends for 2024

As companies make cybersecurity a core focus going into 2024, cybercriminals are adapting by developing sophisticated social engineering tactics, using AI to launch more effective attacks, and targeting new attack vectors. Corporate leadership needs to understand these shifts in the cyberthreat landscape to fully appreciate the harm cyberattacks can cause, inform employees about the latest cybercriminal tactics, and defend their organizations and customers from attacks.

Rethink cybersecurity in the AI era

Three-quarters of security professionals say cyberattacks have become more frequent, and 85 percent of them attribute this increase to generative AI. Cybercriminals use AI for a wide range of purposes, but one of the most urgent risks is the growing role of AI in phishing attacks. From deepfakes to AI-generated spear phishing messages, companies have to train employees to identify and resist more convincing phishing content than ever before.

AI has fundamentally changed the way CISOs and other security leaders should train employees to identify social engineering attacks. Now that cybercriminals can produce polished and targeted phishing messages at scale, employees need to pay closer attention to the psychological tactics that are at work, such as threatening language or a sense of urgency. Whether these tactics are deployed in an email or a fraudulent phone call, they will raise red flags among employees who are trained to look for them. No matter how advanced AI social engineering attacks become, they can be thwarted by educated employees.

Personalized cybersecurity awareness training is vital

Social engineering attacks work because they exploit universal psychological vulnerabilities: fear, obedience, greed, opportunity, sociableness, urgency, and curiosity. This is why cybersecurity awareness training has to be personalized on the basis of each employee’s psychological profile and behavioral tendencies.

According to the latest Verizon Data Breach Investigations Report, 74 percent of all breaches involve a human element. As cybercriminals increasingly take aim at victims’ individual psychological susceptibilities with AI’s help, it has never been more important to build awareness programs that address the specific behavioral profiles of each employee.

Modern workplaces require a cybersecurity culture

The workforce has never been more flexible, mobile, or digital than it is right now. From the explosion of IoT devices to the remarkable persistence of remote and hybrid work, cybercriminals have a growing array of attack vectors to choose from. This is why employees at every level of the organization need to be prepared to identify and thwart cyberattacks at all times.

While companies are prioritizing cybersecurity, they often treat it as a box to check with a couple of meetings or email blasts every year. This is nowhere near sufficient because breaches now cost companies a record-breaking average of $4.45 million and are happening more often. Cybersecurity has to be a core part of a company’s culture. This means firmly establishing the norm that all employees are responsible for cybersecurity and building an engaging, personalized, and accountable awareness program.

Accountability is top of mind for CISOs

Investments in cybersecurity are rising. PwC reports that 79 percent of companies plan to increase their cyber budgets in 2024, which is why it’s crucial for CISOs and other security leaders to demonstrate the ROI of these initiatives. This can be done with organization-wide security assessments and other forms of evaluation such as simulated phishing and individual behavioral analysis. Security teams also need to clearly explain essential cybersecurity concepts to all employees – including those without technical backgrounds.

Cybersecurity is also now a customer-facing imperative. Consumers have never been more worried about the integrity of their data – 86 percent of American adults say data privacy is a growing concern. This is why companies need to show customers that they’re doing everything possible to keep that data private and secure. Considering the major operational disruptions cyberattacks can cause, including interrupted services, guarding against cyberthreats will be increasingly tied to the quality of customer experiences.

Companies need to understand the full cyber impact chain

While cyberattacks are becoming more financially destructive, their consequences can extend well beyond immediate monetary costs. Cyberattacks can cause severe reputational damage, invite legal and regulatory scrutiny, harm employee morale, and even lead to lost jobs. Stolen customer data can appear on the dark web years later. Cyberattacks can spread to other organizations and infect employees’ personal networks and accounts. When security leaders educate their colleagues on the extent of the cyber impact chain, they will increase stakeholder support for robust cybersecurity by showing why it’s so critical.

There are two ways of thinking about the cyber impact chain: causes and effects. While the latter can show board members and employees what’s at stake, the former is what will ultimately keep the company safe. Everyone in the company needs to be aware of the attack vectors and psychological vulnerabilities cybercriminals exploit, which will help them identify cyberattacks in progress and prevent them from succeeding.

Despite AI’s rapid progress and evolving cybercriminal schemes, human beings are still capable of keeping a company safe from cyberattacks. When security leaders focus on fully engaging employees with training content, personalizing that content on the basis of unique behaviors and learning styles, and holding themselves accountable, they will make significant strides toward creating a culture of cybersecurity in 2024 and beyond.

COO and CISO at 
