Learn about the latest cyber threats, ransomware defense, and NINJIO’s innovative training approach.
Shaun, could you please introduce yourself and elaborate on your role as CEO of NINJIO?
I’m Shaun McAlmont, CEO of NINJIO Cybersecurity Awareness Training. I came to NINJIO after decades leading organizations in higher education and workforce development, so my specialty is in building solutions that get people to truly learn.
Our vision at NINJIO is to make everyone unhackable, and I lead an inspiring team that approaches cybersecurity awareness training as a real opportunity to reduce organizations’ human-based cyber risk through technology and educational methodologies that really change behavior.
Can you share insights into the most underestimated or lesser-known cyber threats that organisations should be aware of?
The generative AI boom we’re experiencing now is a watershed moment for the threat landscape. I think IT leaders have a grasp of the technology but aren’t fully considering how that technology will be used by hackers to get better at manipulating people in social engineering attacks. Despite the safeguards the owners of large language models are implementing, bad actors can now write more convincing phishing emails at a massive scale. They can deepfake audio messages to bypass existing security protocols. Or they can feed a few pages of publicly available information from a company’s website and a few LinkedIn profiles into an LLM and create an extremely effective spearphishing campaign.
These aren’t necessarily new or lesser-known attack vectors in cybersecurity. But they are completely unprecedented in how well hackers can pull them off now that they’re empowered with generative AI.
With the rise of ransomware attacks, what steps can organisations take to better prepare for and mitigate the risks associated with these threats?
The first and biggest step to mitigating that risk is making sure that everyone in an organization is aware of it and can spot an attack when they see one. It took a ten-minute phone call for a hacking collective to breach MGM in a ransomware attack that the company estimates will cost it over $100 million in lost profits. Every person at an organization with access to a computer needs to be well trained to spot potential threats and be diligent at confirming the validity of their interactions, especially if they don’t personally know the individual with whom they’re supposedly speaking. The organizational cybersecurity culture needs to extend from top to bottom.
Building that overarching cultural change requires constant vigilance, a highly engaging program, and an end-to-end methodological approach that meets learners where they are and connects the theoretical to the real world.
How does NINJIO’s cybersecurity awareness training approach differ from traditional training methods, and what are the primary benefits for organisations that adopt it?
Traditional workforce training is often an annual, one-size-fits-all, hours-long presentation or video that was designed to check a box for legal compliance or insurance requirements. It wasn’t designed with a sound educational methodology for the average user in mind. And everyone hates it as a waste of time.
NINJIO is completely different because it is so engaging. We rely on a monthly cadence of short-form video episodes and follow-up reminders that take no more than 7 minutes total to complete. Every episode is relevant because they’re based off of real-life hacks, and the reminders deliver the key takeaways in a varied but repetitive way to aid in learning retention.
Paired with our simulated phishing solution, we’re even able to personalize content delivery based on an individual’s unique emotional susceptibilities to boost their self-awareness and provide a tailored learning experience. End users actually watch their trainings because we make them engaging. That engagement feeds a base level of vigilance against cyber threats.
What are the most common employee-related cybersecurity vulnerabilities, and how can NINJIO’s training help address these vulnerabilities effectively?
The most common is social engineering. The vast majority of successful breaches – 74% – involve a human element where someone was tricked into making a mistake that allowed a bad actor to access an organization’s system.
Social engineering is about manipulating people’s emotional vulnerabilities so they do something they otherwise wouldn’t. Those vulnerabilities, which we’ve identified as urgency, obedience, fear, opportunity, greed, sociableness, and curiosity, underpin every single social engineering attack.
NINJIO’s solution uses simulated phishing to build a risk profile for each user and then deploys our NINJIO SENSE training content based on that profile so they receive the educational content that is most pertinent to their needs. Every person is susceptible to different techniques in social engineering, so we identify which are most likely to work and help users overcome them.
Could you highlight some best practices for developing a robust cybersecurity posture?
Implement a robust cybersecurity awareness training program. In a world where three quarters of all successful breaches happen due to human error, there is no technological strategy that will offer comprehensive cyber protection for an organization. You have got to train your users because they are the front line.
Make cybersecurity an organizational priority. I can’t stress enough how important leadership is to cybersecurity posture. It cannot be a topic that gets delegated downward on your organizational chart – every single person in an organization, and especially the CEO and other executives, has to be committed to following protocols and staying aware for any cybersecurity effort to work.
Require cybersecurity in your supply chain. Your company works with dozens, if not hundreds, of vendors who have access to your information and maybe your customers’ information. Require that they have cybersecurity controls implemented so you aren’t exposed to third-party risk.
How can organisations assess and manage the cybersecurity risks associated with their third-party vendors and supply chain partners?
Much of this happens when organizations are preparing contracts and agreements. Consider the following:
- Require that partners or vendors have implemented a cybersecurity awareness training program so you know their employees are up to date on cyber threats.
- Implement mandatory cyber incident reporting so you’re able to judge your exposure.
- Set up secure information sharing mechanisms that keep sensitive assets secured.
Could you explain the importance of complying with cybersecurity regulations, and how can companies ensure they remain compliant in an ever-changing regulatory landscape?
Failure to comply with cybersecurity regulations brings incredible risk, including regulatory action, significant financial loss, and reputational ruin. Many cybersecurity regulations don’t even require observing what the industry has already established as best practices for basic protection, so meeting regulatory compliance requirements is something any organization should do automatically if it takes its cybersecurity seriously.
And the importance of remaining compliant extends to every company. Any enterprise with a computer system is vulnerable – even those who specialize in cyber protection. Breaches have affected every industry, from startups to corporate institutions.
Remaining compliant requires that organizations dedicate a role to cybersecurity in their organizational chart or hire a consultant whose job it is to raise concerns and keep the organization aware of risks, whether from cyber threats or from falling out of compliance.
Dr. Shaun McAlmont
CEO at NINJIO Cybersecurity Awareness Training
Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training and one of the nation’s leading education and training executives. Prior to NINJIO, he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and served as CEO of Neumont College of Computer Science. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master’s degree from the University of San Francisco, and his bachelor’s degree from BYU.