Enterprise CISOs face the disproportionate challenge of recruiting all of the company’s employees to provide a common front of defense against cybercriminals’ increasingly numerous and sophisticated attempts to use them as an entry vector.
Carlos Pérez Saldaña, CISO of Abanca, and Javier Ruiz de Ojeda, GRC expert at Áudea, know this well. The following lines describe the project that Abanca, in conjunction with Áudea and Kymatio, is carrying out with an express focus on the operation (and constant redesign) of a Security Awareness Office. This experience was presented for the first time at the last edition of Securmática (the abstract of the paper is available in issue 158 of Revista SIC, revistasic158.pdf), and this post excerpts it.
Although the cybersecurity market produces new and better solutions to help with this problem, the head of Security encounters the added difficulty of having to orchestrate all these elements in an integrated way and to obtain the synergies that result from combining them in an optimized way.
“Attackers constantly resort to human error as an entry vector, precisely because it allows a shortcut when it comes to overcoming defensive measures”
In addition, few organizations can afford internal staff dedicated exclusively to employee awareness, so it is necessary to resort to external services that can provide the specialization and experience needed to face an adversary that dedicates all its time to creating and disseminating new social engineering and extortion attacks. Over the last few decades, this has made it possible to evolve defensive tools from short training modules and conversations with employees (which still retain a certain effectiveness) to simulated attacks that let employees train their defensive capabilities, and even to artificial intelligence functions that design personalized training itineraries which reach each employee in an optimized way based on their experience, skills, position, technological tools, etc.
Abanca’s approach involves segmenting awareness-raising actions into three domains:
1.- Increase employee knowledge
Increase their theoretical knowledge of the types of attacks they can suffer, the defensive strategies they can follow, and the agencies they can ask for help.
2.- Train their behavior
Train the employee's safe behavior by proposing practical situations and simulating realistic attacks to improve and measure their response. In this case, the ability to simulate these attacks technologically and to measure the results over their whole life cycle must be available, so that the difficulties employees encounter can be observed and future training guided accordingly.
3.- Improve their commitment to the bank’s cybersecurity mission
Increase employee commitment to the bank’s cybersecurity mission, making them understand the importance of contributing to its defense. This component is often left aside, but it is essential to understanding why certain employees, despite knowing the behaviors they must follow, may not follow them, since the cause may be motivational. To address this, it is essential to be able to establish personalized itineraries that reinforce the topics each employee requires.
“The use of the Kymatio tool that applies AI technology is indispensable, as it is the only way to achieve the level of granularity in training with its ability to continuously measure both knowledge and behavioural change.”
The ABANCA team’s article emphasizes the use of Kymatio’s AI technology, personalized training, and simulation of realistic attacks to measure and improve employee responses.
In addition, it highlights the importance of effective communication strategies involving various departments such as HR, Training, Change Management, and Communication to ensure the success of the project.
The study also delves into the need to measure the effectiveness of awareness-raising activities by establishing relevant indicators. These indicators should not only reflect the current state and evolution of the variables measured, but also demonstrate the impact of different initiatives, guiding future efforts to optimize their effectiveness.
The document emphasizes the need for a comprehensive dashboard that presents specialized views for different stakeholders, allowing for continuous monitoring and reporting on project progress.
Finally, it highlights the importance of a methodology based on effective measurement, combining different domains, services and technologies to facilitate continuous improvement in the cybersecurity awareness process.
The project aims to address the evolving challenge of human cyber risk management and cybersecurity awareness by integrating specialized services, leveraging data, and using advanced technologies such as AI to tailor training and measure employee responses effectively. The study highlights the importance of segmented awareness-raising actions, personalized training, and the involvement of various departments to ensure the success of the project.
In the following video of just over 1 minute, our CEO Fernando Mateus summarizes some of Kymatio’s most requested services and how they help organizations comply with regulations and help employees raise their level of security alertness.
Remember that Kymatio® is the all-in-one solution for employee cyber risk management, information security awareness and credential exposure risk management; rely on the most advanced solution on the market to minimize risks.