$1M grant kick-starts cyber research at Texas A&M-San Antonio

Texas A&M University-San Antonio will advance cyber research through a newly established Cyber Engineering Technology/Cyber Security Research Center with a $1 million grant from The Texas A&M University System Chancellor’s Research Initiative (CRI). The center will be housed in the Department of Computing and Cyber Security within the College of Business.

Some of the major research areas to be investigated at the center include security and privacy in the internet of things and cloud computing, secure vehicle-to-vehicle communications and cyber-physical systems. The grant will also be used to enhance research collaborations with local and regional research institutions.

Chancellor John Sharp created the Chancellor’s Research Initiative in 2013 for Texas A&M University and Prairie View A&M University to hire highly qualified professors who would impact the academic and research missions of those schools. Two years later, he expanded it to the rest of the A&M System.

“It is through research that the Texas A&M System can tackle global problems,” said Sharp. “I am proud that A&M-San Antonio will be involved in the critical field of cybersecurity.”

“This grant takes A&M-San Antonio to the next level of research,” said Dr. Cynthia Teniente-Matson, president of A&M-San Antonio. “We anticipate the A&M University System will see a great return on its investment in cybersecurity here in San Antonio, as well as contribute to advancing research related to the advancing science of the effectiveness for the internet of things.”

The grant will be shared with the Texas A&M Engineering Experiment Station (TEES), which will receive about a third of the money.

“The Texas A&M System is dedicated to protecting against cyberattacks of government, businesses and individuals,” said Dr. M. Katherine Banks, vice chancellor and dean of engineering and national laboratories and TEES director. “TEES and Texas A&M have built strong academic and research programs in cybersecurity, and this new grant will allow us to leverage our activities with those at A&M-San Antonio for increased impact.”

“The Cyber Engineering Technology/Cyber Security Research Center will develop foundational research infrastructure with cutting-edge technology and equipment to facilitate research in various areas and provide campus-wide infrastructure and resources for faculty and student research,” said Dr. Akhtar Lodgher, chair of the Department of Computing and Cyber Security. A portion of the grant will support existing degree programs at A&M-San Antonio, such as Cyber Engineering Technology, as well as future graduate programs. Dr. Smriti Bhatt and Dr. Lo’ai Tawalbeh, under the supervision of Dr. Lodgher, submitted the winning proposal.


RSAC 2020 Keynote: Changing the World’s False Perception of Cybersecurity

The reality of the cybersecurity industry is starkly different than what’s perceived by the rest of the world.

SAN FRANCISCO – Today, cybersecurity is portrayed in the media and by businesses as an ongoing, complex conflict between defenders and cybercriminals, with heightened noise around hyper-technical proof-of-concept attacks or nation-state threats. But the reality is starkly different, said Rohit Ghai, president of RSA, speaking on Tuesday at the RSA Conference.

The security industry needs to branch out beyond its historically “narrow culture” and change how it is perceived by the rest of the world. The narrative around cybersecurity needs to instead emphasize the human players behind cybersecurity, including the IT teams working in companies, the cybercriminals who are launching cyberattacks, the businesses who are working with security teams – and, importantly, the end users who are often the true victims.

“We are only as good as the story we leave behind,” he said. “The story we want is a business story of cyber resilience, not a technical story of cyber ping pong. The struggle that we often see in these types of stories engenders pity and fear, but it’s not one of the defender, but one of the protected.”

Often, hackers are portrayed as “technical sorcerers” while defenders are “hapless techies focused on zero-day vulnerabilities and only the most advanced threat vectors,” Ghai said. In reality, that’s not true, he said.

Cybercriminals are not always sophisticated, and in fact, more script kiddies exist than technically savvy hackers, said Ghai. The difference is that cybercriminals are more organized and create tools and exploit kits that allow less sophisticated actors to become well equipped in launching attacks.

Meanwhile, defenders are often grappling with burnout stemming from an industry plagued by a talent gap, complexity and noise. Instead of preventing sophisticated attacks, defenders more often spend their time blocking ordinary phishing and business email compromise (BEC) scams, said Ghai.

To close this gap between perception and reality, the security industry needs to change the narrative of its story, he said. “We need to reclaim our narrative, reorganize our defense, and rethink our culture.”

Ghai asserts that the cybersecurity landscape needs to better engage the media and share not just losses, but also wins. While the city of Atlanta’s 2018 ransomware attack was widely covered in the media, what didn’t hit the headlines as much were the small “wins” in how the city dealt with the attack. For instance, the city did not pay the $51,000 ransom payment – a loss for the cybercriminals – and also created a robust business continuity plan for its future, which Ghai called an eventual win.

The industry also needs to hold IT and device manufacturers accountable for better security – something that has already started with the introduction of regulatory efforts. With the proliferation of the Internet of Things, for instance, security is too often left in the dust – opening end users up to concerning security and privacy threats.

Most importantly, he said the cybersecurity industry needs to shift from a “culture of elitism to one of inclusion” by looking for defenders that are outside of the tech community. For instance, IT teams in industrial companies are also finding themselves increasingly dealing with operational technology teams in an effort to better secure industrial control systems.

Ghai said that business leaders and risk officers are now also interested in the story of cybersecurity – in fact, more than 76 percent say cyber risk will increase in 2020 – but they remain on the sidelines. Instead, boards and risk officers need to be actors in the story, the “zero-th” line of defense, as he called it.

Wendy Nather, head of advisory CISOs at Cisco, agreed, saying that the security space needs to shift its relationship with other industries. “We have to open up our security culture to everybody,” she said on Tuesday. “Security needs to be basic knowledge and freely available. We can’t shoehorn people into our narrow society culture.”

At the end of the day, security is a story that needs to include special attention to human characters, said Ghai. “Our story has global mindshare now – but we have lost control of the narrative,” he said. “We need to find the story of our industry playing its part.”

Data Breach Occurs at Agency in Charge of Secure White House Communications

A leak at the Defense Information Systems Agency exposed personal information of government employees, including social security numbers.

Hackers have compromised the Department of Defense (DoD) agency in charge of securing and managing communications for the White House, leaking personally identifiable information (PII) of employees and leading to concerns over the safety of the communications of top-level U.S. officials in the run-up to the 2020 presidential election.

Reuters first reported the data breach at the Defense Information Systems Agency (DISA), part of the DoD, on Friday, citing letters seen by the news outlet that were sent to people allegedly affected by the breach.

DISA, headquartered at Fort Meade in Maryland, provides direct telecommunications and IT support for President Trump, Vice President Mike Pence and their staff, as well as the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the armed forces, according to the agency’s website.

Last week Andy Piazza, chief evangelist with phia LLC—a security firm specializing in cyber defense and cyber intelligence operating in the Washington area—posted on Twitter a photo of one of the letters, which was dated Feb. 11.

“During the May to July 2019 time frame, some of your personal information, including your social security number, may have been compromised in a data breach on a system hosted by the Defense Information Systems Agency,” states the letter, signed by Roger Greenwell, DISA CIO and risk management executive.

Piazza’s comment accompanying the letter suggests this is not the first time DISA has experienced a breach, pointing to a persistent problem in security at the agency that handles some of the most sensitive information in the world.

“Awesome,” he tweeted. “Got another #PII #breach letter from DoD. Is this like Pokémon where I want to catch them all?”

DISA employs about 8,000 military and civilian personnel, and also works with private companies that hold certifications to work as federal contractors.

The agency also was part of the task force that helped reform the government security clearance process following digital break-ins at the U.S. Office of Personnel Management in 2014 and 2015, according to Reuters. That breach resulted in the compromise of records belonging to more than 21 million current and former government employees.

At this time it’s unclear how many people may have been affected by the DISA breach, although a separate report said it could be as many as 200,000.

DISA does not believe that any data from the breach has been misused, Greenwell wrote. However, it is still taking steps to mitigate further breaches, according to the letter.

“We take this potential data compromise very seriously,” Greenwell wrote. “As a result we have put additional security measures in place to prevent future incidents and we are adopting new protocols to increase protection of all PII.”

Still, the breach is troubling on a number of levels. While DISA has not disclosed specifics on the leak in terms of the type of compromise and system affected, one expert suggested that the threat actors, given the target, were probably working on behalf of a nation-state and are probably planning more attacks.

“No doubt this was a state-sponsored activity; this breach will be used to further target DISA employees with admin access to highly sensitive networks,” Rosa Smothers, senior vice president of cyber operations, KnowBe4, said in an email to Threatpost. “It’s a painful irony that the agency charged with providing secure comms for the White House has fallen victim to a data breach.”

The hack also could have grave implications for the upcoming presidential election, especially with the memory of Russian interference in 2016 still fresh in many minds. There already has been evidence that an Iran-based state-sponsored group tried to hack email accounts belonging to President Trump’s 2020 re-election campaign, which is just one of the numerous threats that currently exist that could undermine the integrity of the vote come November.

Burning Man Tickets for $225? Yep, Too Good to Be True

Scammers are posing as event organizers in a sophisticated fraud effort.

Burning Man aficionados anxious to get their tickets squared away for the 2020 “experience” should beware: Fake concert organizers are offering passes in what researchers say is a very convincing and sophisticated scam effort.

Burning Man, which bills itself as a “vibrant participatory metropolis generated by its citizens,” is scheduled to happen August 30 – September 7 in Black Rock Desert in Nevada. It attracts tens of thousands of people: Artists, music fans, celebrities, tech enthusiasts, off-gridders, hippies, new agers, old-school punks and more. It features a mix of communal villages, art installations, audio-visual presentations, and of course, setting large effigies on fire.

Tickets are released in stages; snagging one requires pre-registration and luck, as they’re limited. Prices run from $495 to $1,400, with low-income registration available for $210 – and vehicle passes are required on top of that. To boot, no money is exchanged at Burning Man, so participants are expected to bring food, supplies, shelter and anything else they might need – all adding up to a potentially very expensive jaunt indeed.

In other words, getting a ticket is a process and everyone’s looking to save money doing it. While scams looking to prey on fan desperation are common, researchers at Kaspersky said that a new wrinkle has emerged this year.

Fraudsters have set up a fake website that closely mimics the official Burning Man site, in an effort to fool visitors into thinking it’s the real deal. The cybercrooks have co-opted the same colors, fonts and design elements as the real thing, and “it looks real to the untrained eye,” Kaspersky said in a post this week. Further, “the URL contains the name of the festival — ‘burningman,’ which on its own may be enough to convince the inexperienced visitor of its authenticity.”

The ticket information section is nearly identical to the real site as well – with one crucial difference. Instead of requiring pre-registration, the scammers say that they’re offering tickets immediately – and for only $225.

“To hurry the victim along, the cybercriminals claim that only 300 tickets are left, and that the next batch will appear only a month later and at a higher price,” researchers explained. “The offer promises a ‘GUARANTEED benefit’ of 150 percent, no less, though what that ‘benefit’ might be is left to the reader’s imagination.”

Clicking the link opens an order form asking for personal details and payment information.

“Unsurprisingly, Burning Man has caught the eye of scammers, and all the more so because tickets are costly,” according to Kaspersky. “The official Burning Man website offers tips about avoiding scalpers and scammers. But that’s for dealing with third parties. A more deceptive scam, one that we recently uncovered, involves scammers pretending to be festival organizers.”

Burning Man fans can avoid being, well, burned, by carefully inspecting any site before entering payment details. Look for multiple pages, for one: Burning Man’s real website has event history, invitations to collaborate, press releases, archives from past festivals, and so on. Googling any special offers or discounts should also turn up not only the official site first, but also information about this and any other scams that might pop up, researchers advised.

Next Gen: Port SA helps shape young tech talent of tomorrow

More than 20,000 students have already visited San Antonio Museum of Science and Technology

SAN ANTONIO – Port San Antonio generates over $5 billion in annual economic activity in our region, and there are thousands of jobs on campus from dozens of different companies. The campus also focuses on more than just the present.

Port SA is also looking forward, and in many cases that means the youth and talent of tomorrow. From Tesla coils and the first personal computer to real-time cyber threats across the world, students can find them all at the San Antonio Museum of Science and Technology.

“I like a lot, like the decoders, like the hackers. They make sure they don’t go on any other web sites that they shouldn’t be on,” 12-year-old Owen Balagia said. He visited SAMSAT with his Brentwood Middle School class, a school in the Edgewood Independent School District.

Owen said he already has an idea of what he wants to do when he grows up.

“I want to go to the NFL, or I want to be a computer scientist,” he said.

Owen and his classmates are just a few of the 20,000 students who have come through the museum’s doors.

“It’s a vehicle for children and young adults to take a look at science and technology, become inspired, and perhaps decide to have a career in those fields,” David Monroe, founder and chair of the San Antonio Museum of Science and Technology, said.

“The goal is really inspiration. They’ll have a chance here to see things they’ve never seen before. They’ll have a chance to hear about the history of science and technology from the past up to the present and inspire them to look toward the future,” Monroe said.

And getting them interested now could have important implications for the future of San Antonio.

“What we lack today is the cyber-talent pool for my particular industry. And so, this brings together the greatest minds of all industry partners, as well as the Department of Defense, the Air Force, and intel community to make sure that we are working together to develop our future,” Jeff Medina, director of business development and cyber strategy, said.

And maybe students visiting like Owen will be part of that future talent pool.

“It’s pretty important, because I can learn about, like, how this can help me to like pursue my dreams,” Owen said.


Indian Police Open Case Against Kashmir Social Media Users

NEW DELHI (AP) — Authorities in Indian-controlled Kashmir have registered a case against unidentified internet users who employed virtual private networks, or VPNs, to circumvent a social media ban in the disputed region, police said Tuesday, in an apparent effort to stop their use.

Police said they misused social media “to propagate a secessionist ideology and promote unlawful activities.”

“Hundreds of suspected misusers have been identified and are being probed,” said Tahir Ashraf, who heads the police cyber division in Srinagar, the region’s main city.

Police said in a statement Monday that they have seized “a lot of incriminating material,” adding that the accused could be charged under the Unlawful Activities (Prevention) Act, which also allows the government to designate individuals as “terrorists.”

Police officials questioned several users about their social media posts. However, no formal arrests have been made.

Inspector-General Vijay Kumar appealed to the general public not to use social media via VPNs.

Kashmiris are evading censorship of the internet and social media by using VPNs, which are widely used globally to access restricted websites, after authorities in January allowed the restive region’s 7 million people to access government-approved websites, six months after cutting off the internet entirely.

In August last year, India stripped Kashmir of its semi-autonomy and statehood and imposed a total communications blackout. Authorities heralded the recent restoration of limited internet access as a step toward normalcy, but are continuing a ban on popular social media platforms such as Facebook, WhatsApp and Twitter.

Police officer Ashraf said, “misuse of social media has caused widespread disinformation and fake news.” It was unclear whether authorities would clamp down on general social media users over the ban on the use of social media sites.

Since the internet ban was partially lifted on Jan. 25, some Kashmiris have shared access to banned sites through VPNs and taken to the web to denounce the government’s actions in the region.

Critics say the tight internet restrictions are “far worse censorship than anywhere in the world” and could spearhead a new level of government control over information allowing it to further restrict freedoms in Kashmir.

“Everything is policed here. There’s no privacy in our lives,” said Ikram Ahmed, a university student. “Now we will have people in jails for the mere use of social media.”

The portion of the divided Kashmir region that India controls is one of the most militarized places in the world.

Kashmiri rebels have fought for decades for its independence or unification with Pakistan, which administers the other part of Muslim-majority Kashmir.

Archrivals India and Pakistan have fought two wars over the territory, both claiming it in its entirety.

Associated Press writer Shah Abbas in Srinagar contributed to this report.


Apple iPhone Users Targeted with Bogus Dating App for Valentine’s Day

The scam uses a range of themes, including tech-support scares and slot machines.

A malicious email campaign aimed at iPhone owners is making the rounds this week, using a bouquet of different themes to scam victims, just in time for Valentine’s Day – including a fake dating app.

The gambit begins far afield from romance, however, with an email from “Nerve Renew,” claiming to offer a miracle cure for neuropathy. The interesting thing about this is that the email body is a single static picture.

“You cannot copy the contents and paste it elsewhere,” according to a Friday post from researchers at Bitdefender, who uncovered the campaign. “The sender wants to keep us inside the email body, clicking the malicious links inside.”

Those malicious links include a fake “unsubscribe” button at the bottom as well as the link behind the picture – clicking anywhere on the email body, either intentionally or inadvertently, will cause the scam to execute. Clicking the unsubscribe button takes users to a page that asks them to enter their email addresses – likely to validate whether those addresses are actually active.

Once the email body is clicked, the victim is taken on “a seemingly endless redirect loop,” until neuropathy is left far behind, and the victim lands on what purports to be a dating app for Apple’s iPhone.

Immediately, “Anna” starts sending invitations to connect via a phone call. If the recipient takes the bait and calls, the person will be connected to a premium number and will be charged per-minute for the call.

“It’s a trap! The girl in the picture is not Anna,” the researchers said. “Rather, it’s a chatbot. And the photo was likely harvested randomly from social media.”

Interestingly, the campaign’s authors put in a little extra effort to localize the language of this purported “dating app” to avoid suspicion.

“The scammers meticulously localized their dating app to display the messages in the recipient’s language, in our case, Romanian,” the researchers explained. “Although Anna’s Romanian isn’t flawless, she could pass for a native. And she seems suspiciously interested in getting together even though she knows nothing about us.”

The researchers also tested the email to see if clicking on the image in the body led to the same lure each time. The second run-through took them to an entirely different scam – this one centered around a slot-machine app. In that case, the user was promised a chance to win a big jackpot and several “free spins.” Clicking on the button to spin, however, eventually leads to another redirect – but one that Apple’s Safari browser blocked in Bitdefender’s testing with a “Your connection is not private” message and a warning that the site could be harvesting user data.

A third click on the original email led the researchers to a sketchy VPN app, which, like Anna the chatbot, was language-localized. The swindle is a classic tech-support scam. Victims are told they’ve been infected by a virus via a security prompt that mimics the iPhone’s built-in security alerts. Clicking “OK” takes them to a website with a message that reads, “Multiple viruses have been detected on your iPhone and your battery has been infected and deteriorated. If you don’t eliminate this piece of malware now, your phone stands to incur additional damage.”

Clicking through surprisingly takes users to a legitimate app in the official Apple App Store, called ColibriVPN. Bitdefender noted that while it’s a real app, the service is shady at best.

“Upon starting, it immediately greets us with a prompt to start a free trial that gets automatically renewed after three days, and it’s easy to make expensive in-app purchases by mistake,” they wrote. “The in-app purchases are exorbitant – $61.99 for six months of full service – and the reviews are mostly fake.”

Colibri VPN did not immediately return a request for comment.

The multiplicity of the scam themes allows criminals to prey on “the diversity of people’s tastes and guilty pleasures,” the researchers said.

Users usually have several ways to spot scam emails before clicking through to the scams themselves, Bitdefender pointed out. For instance, in this case, the email sender (Nerve Renew) and the email address (lowes[at]e.lowes.com) have nothing to do with each other. The links are also shortened – a red flag.
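As an added illustration that is not part of the Bitdefender report or this article, the Python script below checks a constructed sample email for the red flags described here and earlier in the piece: a brand display name sent from an unrelated domain, an HTML body that is nothing but a linked picture, and links hidden behind URL shorteners. The sender address, the links and the shortener list are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Public URL shorteners (assumed list): a link behind one cannot be read before it is clicked.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_label(host: str) -> str:
    """Naive second-level label of a host, e.g. 'lowes' for 'e.lowes.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def display_name_mismatch(from_header: str) -> bool:
    """True when no word of the display name relates to the sending domain,
    as with a 'Nerve Renew' sender mailing from an unrelated retailer's domain."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    label = registrable_label(addr.rsplit("@", 1)[1])
    words = [w for w in re.findall(r"[a-z0-9]+", name.lower()) if len(w) >= 3]
    return bool(words) and not any(w in label or label in w for w in words)


def image_only_body(html: str) -> bool:
    """True when the HTML carries an <img> but almost no visible text: the whole body is a picture."""
    visible = re.sub(r"\s+", " ", TAG_RE.sub(" ", html)).strip()
    return "<img" in html.lower() and len(visible) < 40


def shortened_links(html: str) -> list:
    """Return every href whose host is a known URL shortener."""
    return [href for href in HREF_RE.findall(html)
            if (urlparse(href).hostname or "").lower() in SHORTENER_DOMAINS]


def scan_message(msg: EmailMessage) -> dict:
    """Run the three checks and return the findings plus a count of flags raised."""
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    findings = {
        "display_name_mismatch": display_name_mismatch(str(msg["From"] or "")),
        "image_only_body": image_only_body(html),
        "shortened_links": shortened_links(html),
    }
    findings["flags_raised"] = sum(bool(v) for v in findings.values())
    return findings


def scan_raw(raw: bytes) -> dict:
    """Parse an RFC 5322 message from bytes, as a mail gateway would, and scan it."""
    return scan_message(message_from_bytes(raw, policy=policy.default))


def build_sample() -> bytes:
    """Constructed sample mirroring the campaign's traits; addresses and links are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Nerve Renew <promo@unrelated-retailer.example>"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "Finally, relief for nerve pain"
    msg.set_content("Open this message in an HTML-capable mail client.")
    msg.add_alternative(
        '<html><body>'
        '<a href="https://bit.ly/PLACEHOLDER1"><img src="cid:ad" alt=""></a>'
        '<div><a href="https://tinyurl.com/PLACEHOLDER2">unsubscribe</a></div>'
        '</body></html>',
        subtype="html",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in scan_raw(build_sample()).items():
        print(f"{key}: {value}")
```

On the constructed sample all three checks fire; a sender whose display name matches its domain, such as a newsletter mailed from the brand's own domain, passes the first check.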

However, mobile-first scams like this can take advantage of shortcomings in the mobile environment.

“This scam only works when you open the link on your iPhone [making it harder to inspect links],” the researchers said. “Basically, you have to long-tap the ad and use the ‘copy link’ option, then paste it elsewhere (like the Notes app) to see it. However, as we do this, iOS’s email client starts to load the link in a background preview window, essentially allowing the scam to unfold.”

These types of mobile-first scam and phishing attempts are becoming more common. For instance, also this week, researchers outlined a banking-app phishing effort that targeted customers of more than a dozen North American banks, including Chase, Royal Bank of Canada and TD Bank. It managed to hook nearly 4,000 victims. And last year, a mobile-focused phishing kit was found that pushes links to users via email, masquerading as messages from Verizon Customer Support. These are tailored to mobile viewing: When the malicious URL is opened on a desktop, it looks sloppy and obviously not legitimate – however, when opened on a mobile device, “it looks like what you would expect from a Verizon customer support application,” according to researchers.

Port San Antonio’s new toy: A real-time cybersecurity threat simulator

SAN ANTONIO – The latest museum exhibit at the San Antonio Museum of Science and Technology is a new cybersecurity operations center (SOC), which provides students of all ages an opportunity to go through a simulation of a cyber threat.

“What we’re doing here is showing the public what threats are to the networks, what the reactions are, the effects of hacking into the networks can cause on daily life,” David Monroe, the museum’s founder said.

These threats go across the globe and can cause problems in your bank accounts, your electric power, or even your refrigerator.

“This is real data. These are attacks that are being levied against different networks in different countries. There are different kinds of attacks. So they’re color coded based on the type of attack that they are,” Monroe said.

Since the simulator is an interactive program, it can be a fascinating experience and learning moment for students.

“You need to be aware of the threats that these hackers and these cyber attacks can have on you or in your personal life. So you need to protect your own computers, your own networks, your own appliances in your home. There are national-level threats that can threaten our national infrastructure and D.O.D. and we should appreciate those threats and that our governments are working to protect us in those areas. And thirdly, there are a lot of jobs in the area of cybersecurity and a lot of those are in San Antonio. We’d like to introduce those opportunities to children and young adults so they can study it and become involved in these jobs,” Monroe said.

Cybersecurity expert warns of scams tied to coronavirus

Experts are warning of new scams tied to the ongoing coronavirus outbreak.

Shannon Wilkinson is a cybersecurity expert based in Las Vegas, but even the CEO of Tego Cyber Inc. gets scam emails.

Scammers are pretending to be health officials and promising new information like “updated cases of the coronavirus near you,” she said, in hopes that people will give up their personal data.

“There is one scam going around where they’re pretending to be the CDC asking for donations in bitcoin,” Wilkinson said.

Wilkinson said any time there’s a health epidemic or natural disaster, predators are ready to take advantage of others who might not be able to tell the difference.

Some ask for usernames and passwords. Others plant undetectable malware in a computer to track sensitive data entered on websites like banks.

Wilkinson said it’s usually easy to tell if an email is a scam: check the sender’s address and look for grammatical errors or phrases that seem out of place in the body of the email.

But she said scammers are getting more sophisticated.

“There’s a lot of little red flags but, unfortunately, cybercriminals are just getting better at masking their intent,” she said. “They’ve actually hired copywriters to help them with grammatical errors to make their emails look more legitimate.”

If an email looks suspicious, “don’t click on the link in the email, but actually go to what you know is the CDC’s website,” Wilkinson said.


How to Mitigate Cyber-Risk While Empowering a Modern Workforce

Resiliency is often something that businesses lack when a cyber event occurs. To combat this, businesses need to develop enduring security strategies around the technologies they currently have in place or plan to deploy.

So argued leading cybersecurity expert Theresa Payton, the president and CEO of Fortalice Solutions, speaking at the CDW Protect SummIT in San Antonio. Payton also served as the first female CIO at the White House and is the co-founder of Dark Cubed, a technology startup providing Cybersecurity Software as a Service.

“I’m not telling you to not integrate newer technologies, such as cloud or AI,” said Payton. “You have to. It’s the only way to cut costs and stay competitive.”

However, she explained that as businesses implement such solutions, security teams need to develop an incident response playbook, including user controls or authorizations and a “kill switch.” She also stressed the importance of getting buy-in from various stakeholders within the organization, particularly end users.

Take Critical Steps Toward Securing Your Business

Building an incident response plan starts with assuming the worst: that the technology your team is adding to its network will, at some point, be a point of entry for a cybercriminal and will need to be shut down.

“Understand where the risk is so you can minimize it, but also so that when that event does occur, you’re prepared,” said Jeremy Weiss, cybersecurity practice lead for CDW.

When a breach takes place, Weiss told SummIT attendees, businesses must be prepared and know exactly what to do, in that moment. Many times, he said, the reality is that people don’t even know whom to call. A response plan will address that.

Beyond the playbook, teams need visibility into their own data — they need to take a step back to identify what data the business has stored, who’s accessing it and what systems it’s on. From there, the security team can make sure those systems are running both efficiently and securely.

And when it comes to adding modern devices to the network, such as Internet of Things technologies, Payton suggested that organizations should implement a fail-safe.

“These devices are trained to be turned on and be helpful to you, which means that they’re also trained to be turned on for nefarious purposes,” said Payton. “If and when you know there are issues, what’s the kill switch?”

Kill switches can be useful for organizations that witness anomalies in their network traffic, enabling them to shut down their systems to prevent the wrong person from gaining access to protected information. But while it’s a great method to help businesses mitigate risk, it can also impact the end-user experience.


Real Security Awareness Starts with Listening

Security is often seen as a hindrance to end users. Take multifactor authentication, for example, which requires more tasks — and more time — for the user to access their device or information.

It’s really no surprise that convincing users to follow security best practices is a common challenge for security professionals. In fact, 50 percent of CDW’s Protect SummIT attendees cited this as their No. 1 cybersecurity challenge.

“The user is the most difficult thing to actually administer,” said Weiss. “But you still have to deal with users to keep your business productive.”

Payton, while stating that security awareness training is important, believes that there’s another, more effective way to reach users: active listening. She suggested that by listening to users’ problems and involving them in the decision-making process early on, they will have more respect for and interest in the security process as a whole. 

“Part of their daily job is to open up an email and click on links,” Payton said. “And you think you’re going to train them on which one is good, and which one is bad? Good luck.”

She suggested asking individuals what their nightmare is if their information were to get out. Often, this prospect is so terrifying for employees that they’ll work hand in hand with the security team to stop that from happening.

“Part of it is going to be clunky, but you’ll have their buy-in,” she said, “and this is how you avoid their nightmare. Once people learn to trust you and realize you’re going to listen, they will change.”
