[BreachExchange] Employees are in the cyber attack firing line, so educate them well

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 31 21:21:57 EDT 2017


https://www.webmarketshop.com/employees-are-in-the-cyber-attack-firing-line-so-educate-them-well/

That magical cyber amulet that is going to stop every cyber attack and make
our organisations resilient and future proof has proved elusive so far.

And on a not unrelated subject, some of us may be wasting large chunks of
our security budget in the search for magic bullets, while simultaneously
providing employees with 20 minutes of e-learning once a year and wondering
why we are still experiencing security failures.

When those failures inevitably happen, the finger of blame tends to point
to the user. But the truth is that we fail users by implying that they are
stupid while simultaneously providing them with poor-quality education (if
at all) and through poor leadership and direction.

We have decent health and safety legislation and our workplaces are safer
than ever – but people still have dreadful accidents at work. However, if
this is shown to be due to poor or ineffectual training, we blame the
negligent employer. That employer will face legal action, and quite rightly
so.

But at the moment, it feels like if you make a cyber mistake because your
training was not fit for purpose and you don’t understand the policy, then
you must be a stupid user.

I am the first to acknowledge that training can be difficult and
potentially expensive (a bit like dealing with a security breach). If you
are a large, complex or multi-site organisation, making sure all staff get
regular, well-crafted and pertinent training may be very challenging. But
the truth is, as things stand, people are the first line of attack and
defence.

Attackers know that we place a greater premium on technology and people are
often poorly trained, and so security culture is lacking. As an attacker,
would you try to storm the castle gate or find an untrained stable-hand to
let you in? Chances are most employees will offer criminals more
opportunities to weasel their way in than trying to break down heavy
technical cyber defences at the front door.

So it won’t surprise you to learn that I am still going to suggest training
and education for all employees, management and board members. Either that
or remove network access and email access from those who have not achieved
an appropriate level of understanding. You can back this up with effective
email monitoring and anti-malware to filter out known threats headed
towards their inbox and save them some time and trouble.

Get an incident response plan and team in place, drill and test the plan
and keep the team up to date with developments. Make sure you have a good
communicator on the team to ensure organisational clarity at all times. A
senior manager or director should also be involved to provide leadership, a
champion who will help improve security culture.

To back this up, use network monitoring to make sure you are getting the
most up-to-date information for the team to respond to and disseminate to
the business. Learn from the mistakes of others and decide what your policy
will be on sharing information about security incidents and how you will
approach any resulting media responses.

Remember that sometimes there will be people using physical systems that
also need protecting and including in response and management. Until the
cyber amulet or silver cyber bullet appears to save us all, we must address
the people issue. Although training and education can be challenging, the
truth is that well-educated people are actually the best defence we have.