James McQuiggan, Security Awareness Advocate at KnowBe4: “Ironically, attack methods have remained unchanged over the past twenty years”

“Ask me my three main priorities for government,” said soon-to-be British Prime Minster Tony Blair in 1996, “and I tell you, education, education and education”. We got a similar vibe from James McQuiggan, a Security Awareness Advocate for KnowBe4, who clearly believes that education is vital for a modern business fending off cyberattacks.

“One of the biggest challenges is fostering a culture of security awareness throughout the organisation,” he explains in the full interview below. He added: “Leaders must invest in continuous education and adopt a proactive rather than reactive stance on cybersecurity.”

James is in a great position to educate users. Working with the Center for Cyber Safety and Education, he has taught the Safe and Secure Online education and awareness program to over 7,000 students, parents, teachers and the “life-experienced” (seniors) to ensure they understand the dangers of the internet.

Prior to KnowBe4, James worked for Siemens for 18 years where, among many other roles, he was responsible for security awareness and cybersecurity standards. He’s also a part-time faculty professor at Florida’s Valencia College in the Engineering, Computer Programming & Technology Division.

Just to hammer home the theme of education, education and education, we’ll finish with the fact that James is the President of the Central Florida (ISC)² Chapter where he supports cybersecurity professionals with education and networking opportunities. Read on, and you might just learn something!

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My name is James McQuiggan, CISSP, and I’ve been in the industry for over 20 years. I’m a Security Awareness Advocate with KnowBe4. I went from stage managing in theatre to working on computer monitoring systems for power plants and compliance, and eventually into the world of cybersecurity when I obtained the CISSP certification in 2008.

What are some cases of deepfakes being used that mainly concern you?

We’re seeing deepfakes being used in the political space in India, Slovakia, and now in the US as cybercriminals leverage deepfakes to deliver misinformation to people in those countries, especially during an election year. Specifically in the US, a deepfake audio of President Joe Biden was created to sway voters in the state of New Hampshire to not vote in the following day’s primary election.

What do you think are the best approaches to combating deepfakes?

One of the most significant ways to approach deepfakes is through education within organisations’ security awareness training programs. While users are educated on various social engineering tactics cybercriminals use, it’s crucial to emphasise the need to watch out for deepfakes. Individuals must be educated on the latest attack methods and how cybercriminals use AI to create believable language and deepfake videos or audio.

This plan involves a frequent and robust security program to protect themselves from AI scams. It must include AI experts within organisations to be up to date on current attack methods and pass that along to the users. Users should have a healthy scepticism and verify the authenticity of online interactions, which can serve as crucial defences against AI-enabled fraud.

Worth a read: State-sponsored attackers backdoor Cisco firewalls to hack into government networks

What are some of the major trends in ransomware professionals need to be aware of?

According to the World Economic Forum‘s latest report on trends in 2024, ransomware activity was up 50% year on year during the first half of 2023. Cybercriminals continue their business model of making ransomware readily available by providing Ransomware-as-a-Service (RaaS) kits. These inexpensive kits cost around $40 and allow scammers to attack frequently and faster. Cybercriminals are not only targeting sensitive information from organisations but also personal information.

What are the biggest cybersecurity challenges those in leadership roles are facing?

Leadership faces several challenges regarding cybersecurity: cyber attacks, risk management and the need for more resources.

Leadership must ensure that their cybersecurity program aligns with business objectives and is resilient against sophisticated phishing threats, ransomware attacks and insider threats.

One of the biggest challenges is fostering a culture of security awareness throughout the organisation, ensuring every user understands their role in safeguarding the organisation’s systems and data. Additionally, the rapidly growing technology components like AI, big data and quantum computing provide the need for more skilled cybersecurity professionals. Leaders must invest in continuous education and adopt a proactive rather than reactive stance on cybersecurity.

What are some prevention strategies you believe every business should adopt?

Every business, regardless of size or industry, should adopt a multi-layered approach to cybersecurity. It should include regular vulnerability assessments and penetration testing, implementing strong access controls and encryption, maintaining up-to-date backups in secure locations, and, most importantly, employee training on security awareness.

Organisations should adopt and implement security awareness training and have a strong security culture. The security awareness training program should be frequent. It doesn’t need to be a computer-based training each month, but there should be newsletters, posters, videos and lunch-n-learns as the various methods to inform and educate cybersecurity users.

Reward those who spot actual phishing emails or complete their training. Conduct weekly simulated phishing exercises with the users to increase their knowledge and mindfulness of using email without rushing or multitasking. Staying focused on email and being aware of the tactics used by cybercriminals will provide a strong defence for organisations and reduce the risk of a successful attack.

Additionally, businesses should develop and regularly update their incident response plans to ensure they can quickly and effectively respond to any security breaches.

Worth a read: ByteDance says it has no plans to sell TikTok and refuses to bow to US pressure

What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good (in cybersecurity)?

Generative AI is a tool, and like any tool, it can be used for good and maliciously for nefarious purposes. Cybercriminals are leveraging GenAI and AI for their own needs to do the same that organisations use today. To automate tasks, improve productivity, and get a significant Return on Investment (ROI) for its functionality. Like users, they want to summarise a large document into one paragraph. Cybercriminals operate similar business models where they want to make money, but unethically.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

Ironically, attack methods have remained unchanged over the past 20 years. Cybercriminals get access via social engineering attacks or unpatched and misconfigured systems and breach a system to steal data for financial gain. Cybercriminals have improved their ability to access organisations and steal data faster. On the flip side, the organisation’s ability to detect attacks has improved to reduce the impact and work to restore systems to their fully operational state.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

For students, second-career entrants or post-military people, one of the critical statements I provide outside of getting certifications and education in cybersecurity is to network. Network with local professional organisations. Find a mentor to chat with about job prospects, tips for resume building, and to have someone to practice interviewing skills with.