Live demos bring corporate security awareness training to life and help leaders understand risk, explains Chris Monk, Director of Business Operations at Decoded.

‘Despite the company reportedly paying up within hours, the shutdown lasted for six days and resulted in fuel shortages at filling stations and airports across the East Coast.’

This year was the first time in three years that cyber attacks fell off the top spot in the Allianz Business Risk Barometer survey. That is somewhat unsurprising as it lost its crown to the clear winner of the year, the COVID-19 pandemic. Given the extensive damage to business from the COVID outbreak, it says a lot that cyber risk still came a very close second, only 2% behind the pandemic.

Despite the prevalence of fears about cybersecurity, it is still an area that is poorly understood by C-suite executives and non-executive boards. Business leaders are expected to be fluent in finance with the ability to scan a set of accounts to identify weaknesses. We expect them to be experts in judging risk and have a thorough understanding of geopolitics and how that might impact them and the organisations they lead. Yet too often, we accept that knowledge about cyber security is delegated, often through several layers of management, to a small team in the technology department.

We expect our c-suite leaders to keep businesses safe from risk and they are largely either experts in this or have enough of a conceptual understanding of how those risks might manifest that they are able to make informed decisions about them. No CEO would be happy if they were told the fire alarms in all their premises were faulty despite not being a fire prevention expert. However, for many CEOs, cyber risk is a black box; you wake up in the morning and you are told you have been hacked or you have not been hacked. This is not good enough.

Corporate security awareness training reveals fear

At Decoded, we are on a mission to change this and over the last five years I have had the pleasure of running cyber security awareness sessions with senior leaders of businesses around the world. I have worked with leaders in finance, banking, payments, mining, air travel, tourism, healthcare and retail. This summer, Decoded brought together a group of diverse senior business leaders from across industries and geographies for an immersive cyber security awareness session.

It can sometimes be tricky to persuade senior leaders to spend time on their own development and attend workshops. They are, of course, extremely busy and their time is both limited and valuable but the threat that cyber attacks now pose to businesses is so great that we found our invitees extremely keen to join us for the 90-minute session.

In advance of the session, we asked the attendees to submit any specific questions that they wanted to cover off. The questions that came in were a Pandora’s Box of cyber fears. Phishing, nation state threats, impersonation, infrastructure risks and compliance risks were all mentioned but there was one topic that came up time and time again: ransomware.

The rise of ransomware

Ransomware attacks have risen dramatically since the invention of Bitcoin (and other cryptocurrencies) in 2009. In its recent annual report, the National Cyber Security Centre revealed that there were three times as many ransomware incidents compared with the previous year. New payment methods have allowed criminals to receive payment anonymously and facilitate the attacks. In recent years there have been a spate of high-profile and damaging ransomware attacks that have had significant and real consequences for businesses and individuals.

In 2017 the WannaCry attack crippled the NHS in the UK, leading to the cancellation of all non-emergency surgery over a weekend. At the time I was based in Decoded’s Sydney office and it became a matter of great national pride that Australia largely escaped unscathed.

Whilst the, then government, claimed that this demonstrated how robust the country’s cyber-defences were, the more cynical amongst us were suggesting that it might be more to do with timing: the peak of the attack was around the time Australians were packing up and heading to the pub on a Friday evening. By the time Monday morning in Australia (and everywhere else in the world) rolled around, the attack had been stopped by the heroic efforts of an unlikely hero, Marcus Hutchins.

Attack vectors

More recently, the American oil Colonial Pipeline had to be shut down in response to hackers taking control of computer systems and demanding payment of $5m USD. Despite the company reportedly paying up within hours, the shutdown lasted for six days and resulted in fuel shortages at filling stations and airports across the East Coast.

For you

Be part of something bigger, join the Chartered Institute for IT.

The amazing feature of both of these attacks is how simply they could have been avoided. WannaCry only affected the NHS so badly because the NHS had failed to apply a critical security patch released by Microsoft. It transpires that the Colonial Pipeline attack was possible due to a single compromised password that had been discovered linked to an employee, in an unrelated data breach. If that employee had followed the rules and not reused passwords, then unwarranted access would have been blocked.

During our CEO corporate security awareness training session, we discussed both of these case studies, as well as taking a deep dive into the infamous ‘Target hack of 2013’. During that deep dive, we did not just discuss the attack but actually recreated it from the ground-up including the reconnaissance on Fazio Mechanical, the crafting of a malicious payload and explored some possible delivery mechanisms. We also launched a smishing attack against (and with) all the attendees. We also cloned a UK Government website and we finished by decrypting stolen credentials from the 2012 LinkedIn data breach.

The value in demonstrating how cyber attacks happen rather than simply talking about them is huge. Not only does it engage the audience (and an engaged audience learns more), it is also vital in enabling senior leaders to begin to understand the mindset and the techniques of cyber-criminals. It is only through spending time investing in this understanding that c-suite executives can improve their knowledge and skills, and through that, hope to keep the organisations they lead safe.