Artificial intelligence (AI)-enabled threats are cascading into all aspects of our lives. As all eyes turned to GPT-4’s first anniversary on March 14th, 2023, it’s clear that AI-powered assaults are quickly becoming one of the most predominant issues on the planet.

Whether it’s sophisticated phishing emails or social engineering attacks like deepfake videos, the National Cyber Security Centre has warned that the use of AI for malicious purposes will define the threat landscape this year, with such technologies enabling relatively unskilled threat actors to carry out more effective access and information-gathering operations than ever before.

As AI-enabled attacks intensify, research suggests that both organizations and their employees are failing to keep pace to defend against the sophistication and volume of attacks. Yet, the dangers of unprepared employees are clear. According to Imperva’s report, “Forrester Insider Threats Drive Data Protection Improvements,” over one-half of incidents that negatively impact sensitive data are caused by human error.

As a result, our recent research highlighted that nearly one-quarter (27%) of human resources (HR) leaders within British tech companies believe cybersecurity is the digital skill most lacking within their organization.

Encouragingly, most companies (83%) plan to spend more than £25,000 ($31,302 in U.S. dollars) in the next 12 months to fill crucial roles, with cybersecurity at the top of the priority list. However, the crisis of widening skills gaps is not one that companies can hire their way out of. Looking ahead, it’s clear that organizations have a vital role to play in educating staff on the risks that intense AI-enabled attacks increasingly pose.

But what should best practices for maintaining a cyber-secure business look like — particularly with resources and security talent scarce? Here are five key considerations for building an impactful internal security training program in the era of AI-enabled cyberattacks.

No. 1: Determine Key Stakeholders to Drive the Program Forward

Starting an internal security training program should begin with designating someone to take charge. Ideally, the leadership of your program should be a collaborative effort between information technology (IT) and HR teams. IT specialists can bring technical knowledge and expertise, ensuring content relevance and appropriate complexity, while HR professionals can lend their skills in learning and development (L&D), as well as program design and evaluation — which can shape the delivery and effectiveness of the training.

However, given the complexities of the threat landscape today, assembling an IT training program must be a cross-functional effort. Involve leadership in the program to ensure it aligns with company goals and strategic direction, and involve employees from a variety of roles to gain a diverse perspective, ensuring the program is beneficial to end users.

No. 2: Ensuring the Program Aligns with Unique Organizational Needs

The next key step is to assess your organization’s current AI defensive needs and skills gaps against future security concerns. Engaging in dialogue amongst all stakeholders, including leadership, employees and IT specialists, can give organizations a comprehensive understanding of their unique security landscape.

Next, focus on the relevancy, variety and flexibility of available high-quality learning content when building the program. This approach can guarantee the learning content addresses current cybersecurity trends as well as your organization’s specific security requirements while also anticipating future needs.

No. 3: Harnessing a Blended Learning Approach to Maximize Impact 

A blended learning approach is important. After all, your L&D program must cater to a variety of learning needs and paces, so a combination of theoretical learning and hands-on practice can provide staff with robust and thorough training.  

Your program should therefore integrate a mix of learning methods such as e-learning, webinars, workshops and one-on-one mentorship. Self-paced e-learning modules, for example, will allow for flexibility, while scheduled sessions offer real-time interaction and guidance. At the same time, workshops, mentoring and on-the-job practice will offer more opportunities for experiential learning.

Any cybersecurity training program should include real-world AI-driven attack scenarios and simulations. For example, security professionals are highly familiar with gamification strategies like “Capture The Flag” exercises, which could also be a successful learning tool for non-security folks. Ultimately, this mix will make the training accessible, engaging and inclusive for all designated participants.

No. 4: Measuring Success Through Data and Insights   

Once the program is up and running, you can gauge its effectiveness with continuous monitoring and evaluation and make refinements where needed. Success for your training program can be gauged through various methods, such as technical assessments or badging to verify the development of skills. At the same time, you should conduct regular feedback surveys to assess employee satisfaction. For the long term, you should also measure changes in performance metrics post-training, as well as the reduction in IT-related errors or increased productivity in assigned tasks. This combination can enable you to improve the program in real time and meet your employees’ dynamic learning needs.

Looking Ahead  

With the risks posed by AI proving to be seemingly limitless, it’s critical that business leaders invest in their workforce’s development to bolster cybersecurity defenses and protect business assets. IT and HR leaders should drive these efforts, since the combination of their indispensable expertise can maximize effectiveness. 

They must also spend time pinpointing a diverse range of employees to drive their security training program forward, as well as identifying the company’s unique operational needs to ensure training is tailored and highly relevant. AI-enabled cyberattacks show no signs of slowing down, but with increased collaboration between IT and HR teams, they can create a highly skilled workforce in a secure and protected work environment.