Companies today face enormous cybersecurity challenges, losing hundreds of billions of euros collectively every year due to data breaches exploited by hackers. Cybersecurity is famously hard, and attackers are increasingly adept at circumventing our cyber defenses. Cyberattacks have caused significant damage for individuals and companies in Iceland and abroad. The exponential growth of cybercrime worldwide has been a stark, consistent and alarming trend as can be seen clearly from this infographic bit.ly/30kDataBreaches.

Across the financial, ICT, transportation, critical infrastructure and services (healthcare, government and energy) sectors, the loss from cyber-attacks ranges from €1.6 - 10.8 million/year per organization or €208 billion/year (1.6% of GDP) in the European Union alone [1].

In trying to minimize loss, companies spend significantly more resources on attempting to hinder software vulnerabilities from being exploited (reactive security) than to prevent software vulnerabilities from existing in the first place (proactive security), although proactive security is the only realistic strategy to get ahead in the arms race against cybercriminals.

According to a recent Gartner report, 90% of companies consider cybersecurity to be an afterthought, and their control strategies are focused on ‘firefighting’ when attacks occur, rather than preventing them [2]. This suboptimal strategy causes enormous loss derived from cyberattacks, since remediating a defect when software is already deployed in production can cost 95× more than in previous stages [3], involving system downtime, damage to brand, loss of customer trust and even liability costs.

Lack of understanding

An obstacle for adopting a more proactive approach for software security is the lack of adequate training of IT personnel. As a chilling illustration, the most common kinds of software vulnerabilities in 2007 and 2017 compiled by OWASP are largely the same, suggesting a significant lack of understanding of security issues among software developers and an overall failure of education. Since security is defined as the absence of vulnerability, an abstract notion, developers must understand vulnerabilities to avoid making the underlying mistakes.

Furthermore, there is a lack of training both for security-specialized personnel as well as for general users. Companies and administrations are aware of the importance of having an effective security policy and well-trained staff, but how to apply them to improve the security level is an unanswered question, that has been addressed as one of the main challenges in cybersecurity by the European Commission [4]. This inconsistency has formed a gap between security policy and their proper implementation within companies.

Conventional training

The best strategy to counter cybercrime lies not in technological security solutions but rather

well-trained individuals who understand security threats as well as their adversary’s mindset and can adapt to new attacks.

Unfortunately, proper training has been lax, owing to inappropriate and ineffective training methods, a lack of follow-up, and a dearth of qualified mentors. The availability of application security training is scarce, even in universities teaching computer science, security is at best an optional course. 

Within companies, developers are typically trained in writing secure code through an annual or semi-annual presentation covering the OWASP Top 10. Yet such presentations have limited impact since people are unable to fully internalize and understand the security issues and to avoid the problems in practice. Research has shown that with passive learning (reading, hearing, watching) you only remember 10 - 30% of the content 2 weeks later, while with active learning (doing yourself) you remember close to 90% [5].

Barring proper training, developers will continue to write insecure code, which can be costly for a business when vulnerable code is exploited resulting in a massive data breach.

Companies have the option of organising an internal seminar with the caveat that it has to be held multiple times to get full participation as projects, vacations, travelling and other priorities override peoples attendance.  This has such cost and planning overhead that in effect, the seminars become rare, resulting in new employees having delivered a lot of code to production before getting any security training. 

An alternative for companies is to ship people to external security seminars, which usually results in a handful of developers going, leaving the rest without any training.

Self-service leads to effective learning

One of the services offered by Syndis has been application security training where developers are typically trained in writing secure code through an annual slide presentation covering the OWASP Top 10. Soon it became evident that this was not the optimal way to get the message through and a more hands-on alternative for participants was created to compliment the training. 

To fully mitigate the above mentioned downsides of the conventional training and to tackle the lack of cybersecurity training at scale this evolved into an online platform now called Adversary (adversary.io) that allows IT personnel to go through training entirely hands-on, instead of the lecture-based focus used in academia. People put themselves in the shoes of the attacker and learn why vulnerabilities arise, and thus they begin to understand how to properly identify and mitigate critical flaws.  Gamification is used to make the platform fun and engaging for employees while they learn about security problems and the “Hacker mindset“. Also, when new attacks and types of vulnerabilities come out, content is updated so that the users stay abreast of the cybercriminals latest methods and thus better manage their risks.

For managers, the platform allows the monitoring of individual employee progress, giving a rare measure of the security understanding of the employees and to identify technical areas of improvement for their teams. Based on their needs, managers can define specific training campaigns for their teams, such to meet required certifications like ISO/27001 and PCI.

Having such self-service training readily available at any time allows companies to train new employees at the moment they enter the company, not having to wait for the next round of lectures. It can be made an integrated part of the hiring process, accurately assessing the security knowledge of candidates as well as enabling continuous training to keep existing teams up-to-date with new security threats.

Author: Steindór S. Guðmundsson, CEO at Adversary https://www.adversary.io/

References:

[1] https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis

[2] RSA Conference 2017 https://costofadatabreach.mybluemix.net/

[3] European Commission (2017). EU cybersecurity initiatives working towards a more secure online environment

[4] Dale’s Cone of Learning  http://www.qscience.com/doi/pdf/10.5339/qproc.2015.elc2014.6