When thinking of data breaches across the board, the initial thought that comes to mind is the lone hacker sitting at their computer attempting to gain access to a specific company's server. According to Eddie Schwartz, chair of ISACA's Cybersecurity Advisory Council, "If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities."
By Schwartz's account, most breaches are not the result of a specifically targeted attack but of broad malware or phishing campaigns. These attacks succeed through volume, relying on some individual unknowingly compromising themselves and, through them, the company. This raises the question: what is the best way of addressing cyber attacks, and how can companies better train employees?
Steven Ross at BizTech wrote that corporate culture is the vital but most often overlooked aspect of establishing a highly secure organization. Ross emphasized the importance of setting the right tone from a top-down point of view, stating “frontline employees who actually use data every day generally follow the lead of their own supervisors.”
Ross advocates that middle management should not be given perverse incentives. He believes that a department manager who hears, “Yes, security is important, but…” and is then told to boost sales, meet quotas or cut costs will see no benefit in promoting the secure use of information. The manager will instead see an increased workload without incentive or reward. Business metrics are key, but how one makes money can be just as crucial as how much money one makes.
The benefits of establishing a policy that encourages employees to completely buy into security practices can go a long way in ensuring not only the company's security but their own.
Here are a few things that could be done to facilitate and encourage the development of this culture:
Perform Training Drills
Conduct exercises that simulate an attack on employee positions. Companies like ISC2 perform phishing tests, in which the IT team sends fake phishing emails to all employees across the organization and gauges how many people click on them. These metrics help identify and address problem areas and inform employees about phishing tactics, among other benefits.
Evaluate and Identify
By evaluating and identifying areas for improvement, your IT team can best find a solution and develop a healthy, sustainable plan moving forward. This plan should not only address the areas of weakness but also be updated with the latest information on risks and other methods of attack.
Train and Educate
Incorporate lessons learned from evaluations, and routinely update and train employees on the nature of current threats and how best to avoid them. Teach end users about privacy, security, and how the lessons learned at work can be applied at home.
Reward team members who find malicious emails, and share stories about how they helped thwart security issues. Even a small incentive or recognition can go a long way in encouraging individuals to be proactive.
Ultimately, taking small steps will develop and foster a culture of security. While some investment of capital may be needed to incentivize and train personnel, if it stops a data breach, let alone the hours spent dealing with the aftermath or the lost productivity, the benefit is priceless.