Education and Communication are Key to Business Cybersecurity

The landscape of both technology and cyber threats is constantly changing. That means that cybersecurity and business concerns are constantly changing as well. It’s never been more essential to build a strong security culture in your organization and to stay ahead of threats. The more people and systems involved in your company, the more complex security becomes. But a focus on education and communication can help.
See Cybersecurity Training: From Boring to Engaging with Howard Goodman for a complete transcript of the Easy Prey podcast episode.
Howard Goodman has a doctorate in cyber operations, and his distinguished career in cybersecurity spans over two decades. Currently he works for Skybox Security, as well as working as an adjunct professor teaching graduate courses to help adults learn more about cybersecurity.
Cyber Threats Can Catch Anyone
During COVID, Howard and his wife sold a lot of things on eBay. They had a lot of trouble getting their eBay account added to their bank account. When looking for help, all they could find were online articles. But they really wanted to speak to someone who could walk them through it.
Howard Googled the eBay support phone number and called the first number that popped up. The person who answered the phone said, “eBay support, how can I help you?” Howard explained what he was having trouble with, and the person asked for his username, then for a one-time password that would be sent to his phone. After Howard provided all that information, the person spent another fifteen minutes helping him resolve the problem.
It wasn’t until Howard got off the phone that he realized what had happened. He immediately called his bank and explained the situation. The bank fixed it and at the end of the day, nothing terrible happened. But it was embarrassing. In any other situation, he would have realized that he couldn’t be sure that was really eBay’s phone number and that he shouldn’t read one-time password codes to someone on the phone. But in this case, the circumstances aligned and it seemed logical. Even security experts can get caught by these kinds of things.
You have to be on your game 100% of the time. The reality is, the attacker … only has to get it right once.
Howard Goodman
Business Cybersecurity Training is Essential
An important thing to remember about cybersecurity in business is that not everybody is going to fall victim to a specific attack. In fact, most people who get a suspicious email, text, or phone call are going to delete it or hang up. But they often won’t report it to the IT team, either. And there are additional risks when people are working remotely or have access to work emails when they’re away from the office.

Criminals are going to attack everyone. That makes cybersecurity education essential to your business. The more your people are aware, the more likely they are to be able to spot and avoid phishing attempts, which keeps your organization more secure.
Cybersecurity education is also getting better. It’s becoming more fun, interesting, and entertaining. People are starting to realize that boring stuff just doesn’t work. We’re all used to visual and audio mediums and things that are more engaging. Getting people’s attention is critical to getting them to learn. There’s a big difference between the cybersecurity training that exists now and what Howard saw fifteen years ago. We’re seeing new technology emerge, but we’re also able to leverage that in training and education to make it more interesting and more likely to stick.
Internal Teams Must Communicate
The bigger your organization, the more important it is that you have strong cybersecurity. But that also means that you have more people on your teams. Large companies often have separate cybersecurity teams and network operations teams, and sometimes even a separate network security team. That’s a lot of moving parts and a lot of people who have to get it right all the time to keep attackers out.
Skybox did a study of businesses that had had cybersecurity incidents, and found that while 90% of them said they had communication channels between the relevant teams, 76% also said the security failure was due to a breakdown in communication. Teams, like individuals, can make mistakes. But they must be able to communicate effectively to proactively deal with risks.
The only real way to be proactive is to know about potential risks, then looking at ways to mitigate these risks.
Howard Goodman
Some of this is simply not knowing the language the other teams use in order to communicate effectively. Some of it is teams not making the effort to be open and transparent with each other. When the teams are competing for resources within the business, cybersecurity can suffer because of an adversarial relationship. And often these two teams have different goals that can oppose each other: security prioritizes things being secure, while network prioritizes functionality. Howard believes that applying a framework and viewing security as a journey and not a destination can help bring the teams together.
Tips to Get Teams Communicating
One of the best things you can do for cybersecurity in your business is to cross-train your security and network teams. Both teams should know what the other team does and how that fits into what their own team does and the business as a whole.
Both teams should do cybersecurity training and education together, as well. That helps keep everyone on the same page and provides common concepts and language to start from. Running training exercises with the two teams together can help keep that commonality fresh.

Beyond just your network and security teams, every business should run cybersecurity disaster simulations regularly as well. Not only does this provide good practice, it also helps you identify any sticking points where communication might break down in a crisis. Then you can resolve them in advance, instead of dealing with it in the heat of the moment.
Finally, Howard recommends asking everybody, from the CISO to the junior engineers, their opinions. Everybody has a different perspective. And while you probably won’t need to act on every individual’s opinions, you never know who might see something that everybody else missed. It helps give you a fuller picture of what’s going on and any potential problems.
I think security is everybody’s responsibility. I think that it’s a team effort.
Howard Goodman
Exposure and Exploitability
Lots of cybersecurity people use “exposure” and “exploitability” interchangeably. But when Skybox does cybersecurity consulting for businesses, they think it’s important to talk about the differences. Exposure is knowing what people can get to. Exploitability refers to known vulnerabilities that could be exploited.
Both of them are important because they work differently. If there’s a vulnerability, the solution is a patch. But the reality is that with organizations, functionality comes first. You need to run your business, and your business needs tech. If the tech goes down, you’re not making money, and if you don’t make money for too long, you’re out of business. Just look at the CrowdStrike incident not long ago, where a patch shut down businesses across the world. When it comes to accepting the risk versus not being operational, most businesses will choose to accept the risk.
The reality is with organizations … functionality comes first, before security.
Howard Goodman
Skybox’s approach is to look beyond this binary. You can test a patch before you apply it to make sure it won’t shut down your operations. But that takes time, and many vulnerabilities need to be fixed ASAP. If you’re not willing to apply the patch without testing, what other options do you have? Chances are good that there are other security controls in place that you could leverage to reduce the risk. This also comes back to your teams communicating. If your teams can’t communicate, they don’t fully know your systems’ capabilities, and that increases your exposure window.
Different Organizations, Different Challenges
Many newer businesses are building their systems with security in mind. They also start with different technology, such as cloud-based systems, that often have a wide variety of cybersecurity and business solutions available. Older companies may have outdated and vulnerable systems, or assume that since their business doesn’t have much to do with computers, they don’t need to invest very heavily in securing them.
But that’s only part of the picture. There is also a cost factor. Older, established businesses tend to have more funds available that they can invest in infrastructure. Newer companies often need to turn a profit as soon as possible, so may hurry the product out and plan to go back for security later.
In terms of cybersecurity, there are all sorts of approaches organizations can take, some of them better than others. Different industries, technology adoptions, and phases of the business life cycle are not necessarily better or worse than one another. They each present unique benefits and challenges to cybersecurity and business.
Every Business Needs Cybersecurity
Cybersecurity and business is always a process. You never know where the state of cyber threats is going to go, and businesses are always changing. It’s never a one-and-done conversation. You have to keep up with what’s going on. In the past, “trust but verify” was the maxim, but now that no longer works. You have to tighten security and verify first, otherwise you’re at risk.
I always used to say “Trust but verify” … now I think that’s no longer viable. … Verify it, then trust.
Howard Goodman
Security is an operational cost. It doesn’t go towards your profit, but without security, chances are good that you’re going to lose your profit. Security breaches can result in fines, lost intellectual property, compromised accounts, and a bunch of things that could potentially shut you down forever. In 2012, Howard was consulting with a large organization that lost hundreds of thousands of credit card numbers in a breach. Their security was so bad the federal government got involved. Dealing with the issues was a grueling process. These are the risks you run if you ignore security.
Learn more about Skybox Security and find a lot of virtually-free resources at skyboxsecurity.com. You can connect with Howard Goodman on LinkedIn.