I’m afraid we’ve over-romanticized the concept of cyber security in many ways. We imagine ourselves as Mr. Robot, staring at our terminals intensely, valiantly defending against state-sponsored DDoS attacks in real time. I don’t want to discount the validity of these events, because they can and do happen quite frequently. The problem is, we often neglect to address the biggest and most prevalent vulnerability in our environments – the humans.
Studies consistently reveal that over 60 percent of security breaches are due to some sort of employee error. We’ve reached a saturation point where we’re rarely separated from our devices. Often this means that employees are always within arm’s reach of their corporate networks. Disaster is literally just one click away. There’s almost always a human element to a breach, whether that be malicious intent from a disgruntled employee or a simple oversight by well-intentioned personnel.
Don’t forget the importance of employee training and awareness in your role as a security professional. Here are a few practical ways that you can patch your humans:
I’m not talking about a 5-minute click-through PowerPoint presentation sent out through an all-staff email. You’ve probably had the same experience with this as I have – BORING. Make your training sessions interactive and practical. We used to do “Lunch and Learn” sessions once a month where we’d order pizza and have a very conversational training session, with interaction and questions welcomed. You can even hire a third party or bring in guest speakers to make the training memorable and valuable. Be creative!
I can tell you from experience that most employees don’t see themselves as a threat to security whatsoever. This is a point that you MUST drive home. They need to know that they are an important layer to your security. Not only should they realize the importance of adhering to policies and best practices, but they should be aware of the consequences for not doing so.
Teach your users that everything should be implicitly mistrusted with a skeptic’s heart. Email attachments, URLs, application installers: teach them to have an eye for detail. Also, encourage open dialogue between users and your security team. If they have a question about the validity of something, make sure the door is open for them to reach out and verify. The old carpenter’s adage “measure twice, cut once” comes to mind. Better to be sure now than to be sorry later.
I recall working in a hospital years ago installing replacement thin client machines. As I began removing old keyboards, one by one I found the login passwords on a sticky note underneath. This is the equivalent of keeping your spare house key under the door mat, the first place someone would look. I think “Cyber Fatigue” has caused us to develop many bad habits and practices. We have so many online accounts that it’s just easier to recycle passwords and usernames rather than trying to remember them all. Troy Hunt has developed a phenomenal tool for checking your email addresses and passwords for compromise at his site haveibeenpwned.com.
These are just a few tips to get you started with employee awareness, but these certainly aren’t the end of the conversation. You should be constantly training, evaluating, and re-evaluating your efforts with security. The bad guys never rest, so we must also be relentless in our defense efforts.
All the best,