Cybernews – Fernando Mateus, Kymatio: “traditional forms of cybersecurity training are neither engaging nor effective”


Interview by Anna Zhadan – Cybernews

Over the last couple of years, we have seen numerous instances when a company’s data ended up compromised due to the actions of untrained employees. As organizations rush to secure their operations with the latest technology, why should it be any different when it comes to employee cybersecurity training?

Why is employee security awareness so important?

First of all, let’s look at the bigger picture: more than 90% of all security incidents involve the organization’s personnel.

While there are numerous technology solutions that protect the computer systems of organizations, it is the workforce that is exposed to different kinds of attacks carried out using Social Engineering. This set of techniques is used to deceive victims and obtain confidential information or to execute actions that benefit the attacker (and consequently, do damage to the victim). Usually, this is achieved by installing a malicious program that will later steal or hijack information or infect other systems. All in all, Social Engineering, which is often called “people hacking,” can pose many different threats.

How do you manage to keep cybersecurity training educational and, at the same time, entertaining?

Our AI uses advanced neuropsychology to identify and assign archetypes that allow us to go deeper into the concept of hyperpersonalization. At the same time, we launch personalized phishing campaigns to determine which aspects the employees struggle with the most. We also provide training for users on techniques already used by attackers, like spear-phishing, adapted to each employee’s cyber archetype. To sum up, we base our training around the vulnerabilities of each individual, strengthening their skills to withstand social engineering attacks.

We are also different in the way we interact. We respect the valuable time of our employees and provide training via chatbot-based hyper-personalized interaction that is mostly run by user participation (an average of > 80%).

Another interesting service we provide is Kymatio Account Breach Scanner, which periodically analyses online repositories and detects the accounts of the organization exposed in security breaches of third-party services. This way, we raise data credential protection awareness, using real examples so the employee can understand the risk immediately.

We also perform Cyber Sentiment Analysis Assessment to identify other human risk elements like burnout and reduced alertness, which are key elements that can affect cybersecurity.

At Kymatio, we are not limited to written theory. Instead, we put security awareness to practice by providing each trainee with different cases that they need to solve.

In your opinion, what types of attacks are we going to see more of in the near future? Who is going to be the main target – individual users or large organizations?

Criminals not only threaten large technology companies or financial services but also simultaneously attack SMEs and citizens themselves. A great part of the attacks are random, and everyone is a target. So, no individual or company is safe because it is large or small: “Cyber-attacks can affect anyone.”

Organizations must pay extra attention to Social Engineering and Phishing, Malware and Ransomware, threats associated with remote work, and unintentional breach incidents.

Just talking about ransomware, we see a tendency: simple, double, and triple extortion:

  • Simple: initially the files are encrypted and the criminals hand over the encryption key only after receiving the ransom payment.
  • Double extortion: in addition to keeping the information encrypted, they publish it online. In that case, the company has to face a fine from the regulator for not properly protecting personal data. Fines aside, not paying and having the data published on the Internet has another component: reputational crisis.
  • Triple extortion: if payment is not made and if the victim has many online services, criminals proceed with DDoS (Denial of Service) attacks that can make these services inaccessible.

What can Internet users do to protect themselves online? Are there any security measures that you could recommend?

The first thing to do is to apply common sense and be less trusting. Before doing anything, we must think about whether that email is really from who it claims to be, whether that link is safe, whether that attachment is legit…

Then there are technical measures: we must activate antivirus and firewall protection, keep backup copies of valuable data, update our software, use secure passwords (two-factor authentication is good practice), use encryption for critical information, and learn and maintain cybersecurity awareness (best practices, phishing training, credential security, etc.).