How to improve your company’s cybersecurity training
Amongst the many things that have been impacted by COVID-19, workplace training, especially cybersecurity training, is probably one that has fallen off the radar. Understandably, many businesses have been focused on training and preparedness programs to help their employees and clients navigate the adoption of new technologies and processes whilst working remotely.
Learning about online security and mitigating threats from the rising number of phishing and man-in-the-middle attacks is something that is typically handled by an organisation’s IT department, which is challenging to execute while most companies are working fully remotely.
Despite the environment we are working in, there are three things an organisation can do to improve the value of their cybersecurity training for their business and staff.
Remote work can distance employees from essential security training staff and the messages they bring. Simply issuing digital content and telling staff “watch this video to complete your training” does not replace impactful face-to-face or virtual interactions with the organisation’s security experts. Ensuring that the cyber safety training is properly resourced is important, especially as more people are working from home and may be using their personal devices for work purposes.
A training program is more effective when it has enough experts running it to ensure high-quality training that is tailored to the teams or individuals receiving it. If an organisation approaches security training with a “check the box” mentality, without emphasising the quality of the actual material, the training will most likely fall short.
In an ideal world, this shift to remote work will be the catalyst organisations need to embrace a more tailored security awareness training approach that accounts for an employee’s job, location, access, experience level, and other demographic characteristics. When we return to a more normal workplace life, hopefully this mindset sticks and organisations will be in a better position to continue to adapt and improve their security awareness programs.
One size does not fit all
When it comes to security training, it is best to customise the material for the employees – there is no one approach that will be relevant for every team. While opportunistic cybercriminals tend to target as many people as possible, employees such as senior managers, HR and IT administrators are more appealing targets because they have access to the confidential data and secure information that has the most value or potential for disruption if compromised. As hackers and scammers target their potential victims in different ways, it is imperative that any cyber training program takes this into account and is prepared accordingly.
In addition to factoring in the different types of attacks, workshops or lessons should consider what is most relevant to the team or department receiving the training, because what is essential information to your legal or IT teams may not be impactful knowledge for your marketing or administration staff.
When mapping out your training program, do not forget to include KPIs and measurements so that you can monitor the success of the employee cybersecurity training. As online risks and threats continue to evolve, so should your program. Having training outcome metrics will be useful when assessing any failures or areas of improvement and will ultimately help attain your security training goals.
Taking the pressure off employees
Similar to health or road safety campaigns, prevention is the best approach, but this is not an easy task when you’re managing a large number of employees. One way of reducing the risk of human error is to create cybersecurity processes that are simple and do not burden your employees with numerous options. This could include the IT team setting up employees’ accounts with strong passwords during onboarding.
While IT teams should assist employees with proper password management, two-factor authentication (2FA) should also be leveraged company-wide. 2FA is when a user is required to provide their username and password plus something additional, like a one-time code or security key. When using a security key, users tap the key when prompted, proving that they are present at the device and should rightfully gain access, rather than a remote hacker. When conducting a company’s security training, 2FA should absolutely be included in the material.
Simplifying the 2FA options and setting clear expectations of which ones to use is not only beneficial but also less complicated for employees. If businesses implement strong security practices and also deliver effective cybersecurity training to their teams, they can successfully prevent company breaches and will ultimately benefit as a whole.
Geoff Schomburgk is vice president, Australia & New Zealand, at authentication and security key specialist Yubico. He has over 25 years’ experience in the global Information & Communications Technology (ICT) industry.
Chinese Firm Taigusys Launches Emotion-Recognition System
In a detailed investigative report, the Guardian reported that Chinese tech company Taigusys can now monitor facial expressions. The company claims that it can track fake smiles, chart genuine emotions, and help police curtail security threats. ‘Ordinary people here in China aren’t happy about this technology, but they have no choice. If the police say there have to be cameras in a community, people will just have to live with it’, said Chen Wei, company founder and chairman. ‘There’s always that demand, and we’re here to fulfil it’.
Who Will Use the Data?
As of right now, the emotion-recognition market is projected to be worth US$36bn by 2023, which hints at rapid global adoption. Taigusys counts Huawei, China Mobile, China Unicom, and PetroChina among its 36 clients, but none of them has yet revealed if they’ve purchased the new AI. In addition, Taigusys will likely implement the technology in Chinese prisons, schools, and nursing homes.
It’s not likely that emotion-recognition AI will stay within the realm of private enterprise. President Xi Jinping has promoted ‘positive energy’ among citizens and intimated that negative expressions are no good for a healthy society. If the Chinese central government continues to gain control over private companies’ tech data, national officials could use emotional data for ideological purposes—and target ‘unhappy’ or ‘suspicious’ citizens.
How Does It Work?
Taigusys’s AI will track facial muscle movements, body motions, and other biometric data to infer how a person is feeling, collecting massive amounts of personal data for machine learning purposes. If an individual displays too much negative emotion, the platform can recommend him or her for what’s termed ‘emotional support’—and what may end up being much worse.
Can We Really Detect Human Emotions?
This is still up for debate, but many critics say no. Psychologists still debate whether human emotions can be separated into basic emotions such as fear, joy, and surprise across cultures or whether something more complex is at stake. Many claim that AI emotion-reading technology is not only unethical but inaccurate since facial expressions don’t necessarily indicate someone’s true emotional state.
In addition, Taigusys’s facial tracking system could promote racial bias. One of the company’s systems classes faces as ‘yellow, white, or black’; another distinguishes between Uyghur and Han Chinese; and sometimes, the technology picks up certain ethnic features better than others.
Is China the Only One?
Not a chance. Other countries have also tried to decode and use emotions. In 2007, the U.S. Transportation Security Administration (TSA) launched a heavily contested training programme (SPOT) that taught airport personnel to monitor passengers for signs of stress, deception, and fear. But China as a nation rarely discusses bias, and as a result, its AI-based discrimination could be more dangerous.
‘That Chinese conceptions of race are going to be built into technology and exported to other parts of the world is troubling, particularly since there isn’t the kind of critical discourse [about racism and ethnicity in China] that we’re having in the United States’, said Shazeda Ahmed, an AI researcher at New York University (NYU).
Taigusys’s founder points out, on the other hand, that its system can help prevent tragic violence, citing a 2020 stabbing of 41 people in Guangxi Province. Yet top academics remain unconvinced. As Sandra Wachter, associate professor and senior research fellow at the University of Oxford’s Internet Institute, said: ‘[If this continues], we will see a clash with fundamental human rights, such as free expression and the right to privacy’.