[BreachExchange] Want to help stop cyber security breaches? Focus on human error

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 24 19:44:19 EST 2019


https://www.zdnet.com/article/want-to-help-stop-cyber-security-breaches-focus-on-human-error/


When you think about cyber security incidents, the images that are likely
to come to mind are nefarious hackers breaking into a corporate network to
steal data or a ransomware attack that shuts down systems at a bank or a
hospital.

The fact is, research has shown that the majority of information security
attacks stem from human error, not from malicious intent. With the first
quarter of the year and the busiest hiring season underway, it's imperative
that organizations put together a training plan for new employees who are
not up to speed on cyber security basics, according to the National
Cybersecurity Center (NCC).

The non-profit organization, which helps business executives protect
against cyber attacks, said employee education and applying common-sense
practices need to be a priority at companies -- and could end up saving
them millions of dollars.

Here are steps organizations can take to provide employee education and
training to mitigate attacks caused by human error, according to Jonathan
Steenland, COO of the NCC.

FOCUS ON CONTENT INSTEAD OF TOPIC

Most security awareness training is conducted by IT, which means it's
focused on information security as a topic and doesn't emphasize the human
element of the risk sufficiently. Effective training includes content that
addresses the threat's psychological, behavioral, and economic aspects,
Steenland said, with practical advice on how to spot scams and protect data.

LINK THE RISKS TO EMPLOYEES' LIVES IN THE REAL WORLD

Take staff demographics (age, technical proficiency, etc.) into account and
create a program that focuses on employees' lives and the risks they face.
"Most people can't fathom losing millions of dollars due to an
organizational data breach," Steenland said. "But they can imagine having
their personal bank account hacked and their money stolen. Make it
personal."

WORK WITH MARKETING TO MAKE TRAINING STICK

Too many companies create cheesy, overly long security awareness training
modules that seem designed to tick yet another compliance box, Steenland
said. IT and security executives need to work with the marketing team to
come up with bite-sized training modules with snappy taglines and engaging
graphics. These should grab employees' attention and deliver a compelling
call to action.

FOLLOW UP WITH TESTING

Let employees know there will be tests, such as a white-hat phishing
expedition or an unescorted visitor in the workplace, to see how employees
use their new knowledge to spot scams and intruders. Follow-up testing also
provides a baseline to measure the training's effectiveness, so that the
company can gauge security program maturity going forward.

RECRUIT ORGANIZATIONAL INFLUENCERS TO DRIVE ACCEPTANCE

To get true buy-in on security awareness training, it's a good idea to
enlist key influencers within the organization to serve as ambassadors for
the program. "A 'train the trainer' effort can extend program reach beyond
the original modules, and help make security awareness a core component of
company culture," Steenland said.