cyberconIQ: A Deep Dive – Part 2: Proven
December 1, 2022 | By: Jonathan Care
In Part 1 of Examining cyberconIQ, we looked at cyberconIQ’s claim to have a more effective way to train employees to handle social engineering attacks.
Select companies reported a significant improvement in the handling of phishing emails. But are these cherry-picked results, or is a significant gain in cybersecurity awareness and improved online behaviors typical after introducing the patented myQ Stylizer and training?
In Part 2, we examine the evidence behind cyberconIQ’s anti-social-engineering measures and ask how effective they really are.
Presenting the Evidence of Effectiveness Against Phishing Emails
The Chief Information Security Officer (CISO) of your typical organization understands the frustration when successful phishing and spear phishing attacks penetrate the company’s carefully planned defenses.
It’s tempting to blame such breaches on ‘unteachability’ among the workforce. And initiatives like cyberconIQ’s training and software might be seen as a last-ditch effort before suggesting radical, possibly destructive changes in the corporate makeup and culture.
But there’s a tool that cyberconIQ brings to the table, and it’s able to prove beyond a shadow of a doubt that most workforces aren’t unteachable. That tool is called the cybermetrIQs Cyber Risk Dashboard.
There’s a statistic in the dashboard called Imputed Cost per Breach that compares a company’s preparedness level to typical costs of data breaches around the world. It’s meant to be an apples-to-apples comparison, selecting only similarly sized companies in the same vertical. Because it’s an average of averages, it’s a rough metric. But it’s still a useful one for tracking the impact of social engineering training and other cybersecurity measures over time.
This metric has shown CISOs, almost universally, that their employees are teachable. As team leaders and team members become more adept at quickly detecting phishing emails that slip through automated systems, attackers are stopped before they gain significant access and build up a head of steam. When combined with defense in depth, continued training, and proper data access procedures, the Imputed Cost per Breach continues to fall relative to other similarly sized companies.
Case Study – Wesdome Gold Mines
While the Wesdome Gold Mines case study isn’t overly detailed, the result can be boiled down to a single deciding factor: Superior monitoring.
CISOs and IT Directors often have no way of effectively measuring ‘soft’ defenses. Most cybersecurity training and testing gives only the most surface-level snapshot of how prepared employees really are for a focused spear phishing email campaign.
Wesdome’s Director of IT Operations, Marc Leckman, cited the cybermetrIQs Cyber Risk Dashboard and myQ Stylizer as game changers. They saw rapid improvement in both employee knowledge retention and the security team’s understanding of the social engineering landscape.
Case Study – Renova Health
The Renova Health case study is far more interesting for sceptics, because there’s a neutral metric involved: Compliance requirements.
When cybersecurity courses (and in particular email phishing education courses) don’t meet regulatory standards, there’s trouble on the horizon. Failing to meet standards the second time around can mean dropping important certifications, losing government contracts, and losing the respect and trust of current clients.
In Renova Health’s case, their previous cybersecurity courses weren’t even meeting internal company standards. That wasn’t a very comfortable position to be in. Luckily, not only did they see drastic improvement on the employee education side of the coin, cyberconIQ’s Account Team also helped them meet all of their monitoring and internal documentation standards.
Employee feedback was positive. Auditors were happy. HR’s compliance team was relieved. All because the unIQue Cyber Awareness Platform was able to effectively measure education progress and company-wide cybersecurity status.
Proof Over Time
Perhaps the most important measure of proof is what happens months or years after the inception of a cybersecurity education program. Because many of these programs can’t effectively measure their impact over time, their long-term effectiveness is a mystery.
That isn’t the case with cyberconIQ. By tracking the figures across a wide array of clients, cyberconIQ reports a 92% drop in actual financial losses from human-factor cybersecurity breaches. And because of their training philosophy, those gains are held over the long term.
They treat cybersecurity training as a process. This means there shouldn’t be drastic spikes and dips in awareness as annual security courses come and go. Instead, periodic engagement combined with positive reinforcement serves both as an incentive to remain alert and as a way to get constant feedback from clients. This lets them fine-tune their processes and implement more effective follow-up tools and live testing scenarios.
Is There Tech Behind the Philosophy?
So cyberconIQ’s education and soft approaches have been shown to be effective in scenarios across many industries. But that doesn’t speak to ease of implementation or the robustness of their software systems.
We’ll examine those aspects in our next and final instalment: cyberconIQ – Protection. This will be a nuts-and-bolts examination of the software that provides defense in depth. Only after picking apart the analysis, monitoring, and reporting systems can we see how much effort cyberconIQ takes to implement, and whether the opportunity cost is worth the protection against social engineering that they provide.