[BreachExchange] Security Think Tank: Employees are one of the greatest defences

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 26 15:19:24 EDT 2017


Malware is very frequently delivered by email. The trusty attachment has
served criminals well and, given that we are clearly still opening them,
they seem happy to continue their use.

Part of the malware distribution picture is the increasing use of other
web-enabled systems and devices, such as air conditioning management or
hospital imaging systems. A business with only an email system or standard
corporate network to consider will most likely limit change management and
training to that area. This is not the case for most, however, and even
security systems can be used to deliver a malware payload.

If we consider the recent ransomware outbreak that affected the NHS, we can
see this in action, as many systems compromised were not computers as such
but were things like imaging systems, which were using legacy platforms.
But the question here was related to email attachments and so, naturally,
we need to start with people.

When it comes to information security, employees are often cited as the
greatest vulnerability in many surveys and reports. According to the ICO,
it is beyond question that the majority of data breaches come from human
interaction with data and information.

Errors such as emailing something sensitive to the wrong distribution list,
losing paperwork or faxing the wrong recipient (yes, some people still use
fax machines) are common entries on lists of data breach causes, year after
year, if you view the results on the ICO website.

But how many employees are genuinely engaged with security in our
organisations and businesses? After all, it doesn't happen automatically or
by magic, yet our employees need to be engaged. Engaged employees are
usually well-informed employees. To be well-informed, they need their
training and education to be relevant to them and to their roles and

A one-size-fits-all approach will not work as well as a tailored one that
deals with examples they recognise and respond to. Giving them 20 minutes
of e-learning a year is also unlikely to suit all employee security
needs, as there will be varying degrees of ability and understanding. A
policy-driven approach, while supporting general business policy adherence,
does not necessarily increase good hygiene or improve overall capability or

Employees are one of the greatest defences an organisation has. The nuanced
response of an employee who has been well trained and recognises that
something is amiss with an attachment – one that may well have made it past
technology boundaries and security measures – is invaluable.

We need to use quality technology to back up well-trained staff, who are
fully bought into a culture that recognises the part every individual plays
in the security of their business. But data failure tends to start and end
with a human, so we need to make sure they are fully enabled to take
action. There needs to be clear guidance on how they should handle malware

We need to make sure that there is no sole reliance on technology, either
from staff or management. Instead, we need to blend technology such as email
scanning and network monitoring into our overall security strategy and be
open with employees about measures such as email monitoring.

With their support and well-trained anticipation of security threats comes
the beginning of the real change needed so the culture will become one of
resilience and readiness, with everyone playing their part.