Lari Luoma has over 20 years of experience working in the fields of security and networking. For the last 11 years, he has worked with Check Point Professional Services as a security consultant, helping customers worldwide implement best-in-class cyber security. He is a subject matter expert in hyper-scalable security solutions.
Make this year’s Cyber Security Awareness Month meaningful. In this informative interview, Check Point expert Lari Luoma deftly explains how your organization can make the most of this month. He shares insights that are practical, actionable, and that highlight the real-world consequences of inadequate cyber security awareness.
Would you be able to illustrate the importance of cyber security awareness programming?
A lot of big hacks that happen today (most recently MGM in Las Vegas) occur because people don’t understand that they cannot simply give information to anyone who asks. If a “CEO” calls the help desk, the lowest-level help desk worker should always verify that the caller is who they say they are. People also share too much information on social media that hackers can steal and use.
Humans are the weakest links in security. It is very important to spread awareness and to help organizations understand that cyber security is for everyone. Each employee should adhere to secure practices. Every month should be cyber security awareness month.
Do you have recommendations in terms of easy-to-execute cyber security awareness programming for employees?
Train employees and partners to understand the dangers of social engineering. Share insights into how to use social media safely and how to keep information secure.
What metrics or key performance indicators (KPIs) should organizations track during Cyber Security Awareness Month to measure the effectiveness of awareness efforts?
Incident rates and reporting. Encourage people to report anything suspicious with a low threshold and monitor if you are getting more reports.
What kind of roles would you like to see senior corporate leaders play in increasing cyber security awareness?
When we ask “what C-level executives should do,” the answer is everything. Senior leadership has the responsibility of setting a secure culture. Leaders should set clear expectations and standards for cyber security practices, establish policies and procedures and assign roles and responsibilities.
They should also build an organizational culture that makes it easy to report incidents and mistakes. You can greatly reduce the risk of falling victim to a cyber attack if…
- People stop clicking links they are not 100% sure about.
- People stop giving any information about the organization they work for to anyone whose identity they cannot confirm and/or who they are not sure has the right to know the answer.
  - This can mean something as trivial as what time the garbage is collected or what time the company bus leaves.
  - Hackers use all of these small pieces of information to create a story about the organization that they will use in attacks. They can pretend to be a garbage collection company that wants to change collection times and needs to speak with N.N.
- People feel comfortable reporting all suspicious activity without fear of getting fired or judged.
Thoughts on cyber security resilience, current resilience efforts and what else needs to be done on an organization-wide level?
1. Have up-to-date backups of critical systems and store backups in an isolated environment.
2. Practice how to restore your systems in the event of a disruptive cyber incident.
3. Train your employees and request the same level of cyber security awareness from partners.
Are there any emerging cyber threats or trends that you anticipate will become particularly prominent in 2024?
AI-generated phishing will become more sophisticated and more difficult to spot. It’s not only e-mails and text messages; deepfake videos can also be used as phishing tools. I also believe that different kinds of extortion attacks will continue to rise in 2024.
Is there anything else that you would like to share with the CyberTalk.org audience?
Humans are the easiest vulnerability to exploit. Cyber security awareness should be part of any customer service training. In certain industries and contexts, it is not bad service to have your employees ask customers for an ID or other type of verification.
To prove my point here, I was traveling last week and one night around 9pm, a man and a woman walked into my hotel room with their own key card. I responded with much alarm and they said that the front desk gave them this room. I don’t know if this was true or not, but it was definitely scary. This kind of thing happens with frightening regularity. There are numerous news stories about hotel front desk staff handing out room keys without verifying guest identities and reservations.
The key takeaway here is that human vulnerabilities are easy to exploit and that cyber security training is a necessary security measure. This anecdote also shines a spotlight on the real-world consequences of lax cyber security protocols.