Worried that your managers aren’t taking cybersecurity seriously? Here’s a novel way to get them to sit up and take notice.
Businesses continue to take huge risks by skimping on cybersecurity. And that’s not surprising, because people in charge don’t always appreciate what’s at stake.
But there is a novel way to change that – ask them to stop a simulated cyber-attack.
That’s the premise behind a new “Interactive Protection Simulation” created by cybersecurity company Kaspersky.
Also known as KIPS, the simulation, which works a bit like a digital board game, puts teams in charge of cybersecurity for fictitious companies earning $200,000 in monthly revenue.
Each team is given a $250,000 budget and limited time to respond to cybersecurity incidents. After each round, players learn whether they protected their company’s revenue or caused more problems. The team with the most revenue after five rounds is the winner.
The game brings cybersecurity spending into sharp focus. Players aren’t required to look at security logs or configure firewalls, but they do have to decide if and how to spend money.
For example, they may need to choose whether to spend $10,000 on defences to stop Distributed Denial of Service attacks, or use the money to fund penetration testing.
Players who try to save money by skipping important cybersecurity tasks will quickly regret that approach. For example, if they don’t patch systems, they may find themselves dealing with problems requiring expensive fixes.
They’ll also learn that cybersecurity is about much more than installing software on servers and user devices. Over the course of the game, players may need to do everything from installing web application firewalls to patching servers and training employees.
And they’ll learn about the importance of extending cybersecurity to cover dealings with third parties. Even bank transactions could expose players to attacks by other parties.
There aren’t always obvious solutions to the threats players encounter. For example, payments to suppliers may mysteriously go missing. Should players first perform security checks on employees, or analyse the hard drive of the treasurer’s PC?
And money isn’t the only resource players need to think about. Routine tasks such as changing passwords and reviewing accounts are cheap, but eat up limited time.
To make the simulated scenarios more relevant to players, Kaspersky offers different versions of the game for different industries. For example, the “corporate” version puts players in charge of a company that has regional sales managers, a shipping department and a website for B2B orders. Another version involves an oil or gas company that has industrial sites.
Each version of the game also throws different types of attacks at players. For instance, people playing the corporate version might be more likely to encounter ransomware, whereas those playing the version for power and water companies might face Stuxnet-type attacks.
The game was designed to address a disconnect in many companies when it comes to cybersecurity, stated Margrith Appleby, General Manager of Kaspersky ANZ.
“It all comes down to a people issue,” Appleby stated. “One of the biggest security challenges we see is different perspectives of cybersecurity and the potential impacts and relevance based on differing senior management roles, their responsibilities and individual accountability in a business.”
Of course, it’s not only executives who might not be cybersecurity-aware. Business system experts, IT people and line managers can also contribute to poor cybersecurity culture. Cybersecurity incidents can occur due to employees’ carelessness, or because employees are too scared to report mistakes to managers.
Companies often exacerbate this problem by overlooking cybersecurity training, so Kaspersky recommends they get people who work in the roles mentioned above to play its simulation. And Kaspersky’s website provides information about additional Security Awareness Training services.
Ultimately, having more people understand these issues will only benefit businesses and their customers.