Terra Terranova Security builds the cybersecurity industry’s highest-quality training content, and they organize the annual Gone Phishing Tournament to help companies benchmark and improve their security. Their CEO, Theo Zafirakos, joined Vanguard Radio’s J. Richard Jones to discuss what he sees as the optimal approach to ensuring data security — and it has nothing to do with technology. 

Q: You talk a lot about a “secure-aware culture.” What does that mean? 

It’s where we start talking about individual attitudes, perceptions and about cyber threats and cybersecurity practices, and how those three elements influence their behaviors when it comes to cybersecurity. In an unaware culture, someone might say something like “what’s the harm of sharing my password with a colleague I trust?” Or they may think something like “cyber security isn’t my problem because IT put technology in place.”  

These speak to a bigger issue: a knowledge gap in understanding cybersecurity threats, how they work and how they can be stopped. And this gap is societal. How many parents talk to their kids about cybersecurity? How many students learn about cybersecurity in school? How well does government really educate citizens? We know the answers, and the result is a workforce that lacks a security mindset. So, the responsibility falls on organizations to start building security into the culture — and it’s critical because security products by themselves can’t guarantee security. Why? Because those products are implemented and used by human beings, and no cybersecurity incident has ever occurred without a human attacker or threat actor involved. 

Q: What would you say is one of the biggest challenges to building a security-aware culture? 

Well, the biggest challenge is setting the tone at the top with established policies and communicating the importance of them being followed down through the organization, as if they’re conditions of employment.  

We find organizations that build security awareness into their culture without addressing the top are more susceptible to challenges down the road because the stick approach (“we have this program in place, it’s mandatory, go do the training”) won’t work. It’s unmotivating and behaviour change is all about motivation. There’s a first level of motivation which is about completing the training. But the second level of motivation is applying the learnings at the right moments. That’s the most important part of cybersecurity. But neither will happen for a company that deploys training programs and publishes content nobody wants to consume. So, if you don’t build this mindset among your staff, nobody’s going to use the resources you put in place. 

We’ve also seen challenges around organizations that assign the responsibility of creating this culture to IT staff who are not behavior change specialists. When we’re talking about awareness and training, we’re talking about changing behavior in adults who are often set in their ways. A properly implemented awareness program requires a multidisciplinary team of participants from HR and change management, marketing, operations, and IT. 

Q: Can you give us some examples of what an organization can do to create awareness of cybersecurity issues?  

Organizations that succeed consider what motivates their people. And they understand that motivations come in many forms. They think about what would motivate and encourage their people to participate. And it doesn’t have to be monetary, right? Recognition from managers can be a motivator. “Thank you for completing this and for doing the right thing” could go a long way.  

Another motivator is an opportunity to be part of the build. Survey people at the beginning, ask them what they want to learn about then build a program based on what they’re interested in learning.  

We also find that making cybersecurity personal is an effective motivator because what people learn through this content extends past the work environment: everybody has a personal email address too. So, part of building a successful secure-aware culture is to get them to talk about cybersecurity outside the workplace. One great example is material they can share with their kids to help them be safe online when they’re playing video games, posting to their social media, or buying things online. 

Another effective strategy we have seen is establishing cybersecurity ambassadors, people across the company to officially represent cybersecurity, promote awareness activities and communicate with IT. A factory worker faces different threats and challenges than an office worker, and the IT team will work better if they know what matters. 

Q: What about the hiring or onboarding process? Has there been change there? 

We’ve seen a lot of organizations targeting the new hires to establish security awareness from the very beginning. When new hires see their organization as taking cybersecurity seriously, they will adopt that mindset from the beginning. They’ll want to do the right thing to impress their new leaders, so they’ll be easier to influence. 

Q: How do you spot a security-aware cultural shift in business? When do you know it’s working? 

When people aren’t afraid to ask questions if they don’t know how to do something. Instead of going ahead with something that may or may not be dangerous, they’ll seek guidance. In this environment, they’re also not afraid to raise their hand if they’ve done something wrong. “Oh, oops, I sent this file by mistake. I can’t retrieve it. Can we please get an action on board, so we could recover that information and prevent the damages from causing too much harm?” They’re not afraid because of the consequences. They’ll raise their hand. And they’ll take initiative. They won’t ignore something unsafe. If they walk by a printer and see a confidential document sitting in it, they shred it or find its owner.  

Also, they socialize best practices among themselves. When they see a peer sharing their password or adopting an insecure behavior, they will politely explain what’s being done incorrectly and how to do it better. Then this cybersecurity culture becomes infectious and starts spreading within the organization.  

Ultimately, in an organization with a security-aware culture, you see people step up any and every way when it comes to cybersecurity. That includes adopting new practices and changing their behaviour. 

Q: Speaking of stepping up, do you have any stats or insights from the 2022 Gone Phishing Tournament?  

At 2022’s event, we were trying to harvest passwords with the promise of a $25 gift card. We asked, were users willing to click on a link? And once they click on a link, were they willing to share their password on a non-secure website? And we noticed that about 7% of the recipients clicked on the link because they don’t think any harm could happen from clicking on a link, which is not true. About 7% of the recipients clicked on the link we sent, which then sent them to a one-question survey question and a prompt to log in with a username and password. About half of those who clicked on the link went ahead and submitted their password on our website that was not secured. It didn’t have HTTPS, it didn’t have a padlock. In many cases, the browser might even flash red and say, “Well, this site is not secure.” But a $25 gift card was all it took. 

Q: It’s clear there’s room for improvement. I think there’s also room for improvement in third-party risk management. Why should an organization be concerned about third-party risk management? 

We see often in the news, and recently with organizations being compromised through their direct partners or the greater supply chain because they all have access to the same systems, data, and networks. And let’s not forget that those third parties may be dealing with fourth parties and fifth parties. 

Imagine you’re working for an organization, and you see an email from your supplier. You’ve been trained to check for email domains and sender domains, and they look accurate. They look what you expect them to be. But how do you know now that on the other end, this email has been compromised by an attacker and it’s being controlled by an attacker?  

So, this is why we have to rely on securing third parties to make sure that the whole supply chain is secure from the very beginning. We have to demand it. 

Would you like to listen to this interview in audio form? Be sure to check out our complete podcast catalogue at https://vanguardcanada.com/category/podcast/ or search for us on Spotify.