Everyone will be a cyber security expert

As enterprises have shifted from centralized control to more open, enabled modes of business, in which every member of the organization has wide access to networks, the responsibility for network security has shifted with them. Strong centralized control benefited security but restricted the ability to do business. Today, technology allows an intense pace of electronic transactions to take place. But granting more employees access to connected tools not only enables business, it also puts the business in danger. Now every member of the enterprise is responsible for ensuring they do not unwittingly put the network at risk. This creates a very dangerous situation in which every employee poses a security risk, though most do not consider security part of their job function and have had very little, if any, security training. It is this lack of security awareness that poses the greatest risk to enterprises today.

Securing the human factor

Modern IT security tools such as firewalls, IPS, antivirus, EDR, WAF, DLP, asset management and vulnerability assessment tools have enabled all enterprise users to perform all of their activities unrestricted, effectively removing the bottleneck that centralized control once imposed. Now we must focus on securing the most rampant cause of network breaches: the human factor. In the past we only considered the security training and preparedness of the IT security staff; now we must develop and implement effective training and awareness programs for every member of the enterprise. To truly increase awareness and change security behaviors, training programs must be hands-on, ongoing and as realistic as possible.

Security awareness training for enterprise employees

More than 90% of security breaches originated with internal enterprise employees. The insider threat can be malicious, but most often it is simply caused by an innocent mistake. Attackers invest in social engineering to devise tactics that trick users into making simple mistakes that let the attackers penetrate corporate networks. Clearly, the standard procedures covered at new employee training and occasional email reminders are not enough to ensure safe behaviors and maintain a high level of security awareness for all employees. Security training must become a regular part of the routine, giving every employee ample opportunity to practice what they learn, be assessed, and get actionable feedback about their level of security awareness and the things that should be improved.

Keeping security professionals at the top of their game

The technological advancement of security products and the sophistication of cyber attackers require a new generation of cyber defenders who know how to manage and maintain a wide set of advanced security tools to prevent and respond to cyber events in the organization. The richness of the technologies deployed in every organization, in both quantity and quality, requires an extremely high level of knowledge and experience. There is an acute lack of qualified cyber professionals, to the tune of hundreds of thousands of unfilled positions across the United States. This lack of professionals means that most organizations need to find ways to increase the impact of every member of the security team, from fresh new recruits to the most senior analysts. The most effective way to dramatically improve the capabilities of all levels of security staff is to offer hands-on training sessions with the same tool set deployed in the organization. Much like the flight simulators used by pilots, the more realistic the training experience, the more effective it is at quickly improving performance and preparing people to respond correctly in high-pressure situations. A training regimen should include individual and team simulations on a wide variety of relevant attack types. Under no circumstances should the first time a security team member confronts a critical breach situation be when it actually occurs. Ample simulation training responding to a wide variety of scenarios guarantees fast, coordinated, effective response under fire.

Cybersecurity moves to the boardroom

I spend a lot of time discussing cyber security with C-suite managers in various industries and assessing their take on the state of affairs and the necessary courses of action. I once asked a vice president at a large bank what she thought about cyber security. Her response was, “Cyber security has moved from the backyard of the IT department to the center of the boardroom.” The importance and implications of cybercrime have advanced by leaps and bounds. Board members now bear personal responsibility for cyber events that affect the organization. We see proof of this in growing cyber security budgets and the advent of cyber insurance policies. Unfortunately, the board of directors still lacks detailed familiarity with how security works. CISOs and security directors can play an important role in filling this awareness gap.

In addition to initiating joint reviews of business critical assets and aligning security measures, security leaders need to help the rest of the executive leadership understand that investing in training is just as important as investing in tools. Without awareness, attackers will always find a way to circumvent technology via the human factor.

Therefore, I declare 2017 the “Year of Cyber Awareness”.

Cyber Security Awareness

Budgets for cyber awareness training must grow substantially in 2017, even if at the expense of other activities or procurement. Nobody likes to increase spending, but this is simply an unavoidable cost of doing business in a connected, high-risk world. Effective cyber security awareness programs are the only way to reduce the last unaddressed organizational vulnerability, the human factor, and thus reduce the risk of suffering costly breaches. This strategic investment should produce a net gain in terms of reduced risk and costs. Ideally, for the average SMB enterprise, awareness training budgets should be equal to or greater than the budgets for security technologies.

Wise men and women before me have said, “There are two kinds of organizations. Those who know they have been hacked and those who don’t yet know it.”

Remember this adage and invest in organization-wide security awareness training to reduce corporate risk.

Itche Weinreb is VP Product at Cyberbit