Asked what it would take to reduce the risk of a successful cyber attack by over 70%, most CISOs would probably list further big investments in yet more sophisticated systems. What might surprise them – and delight their CFO, who’d be spared the expense – is that it’s possible to achieve this quantum reduction in an altogether more straightforward way: changing employee behavior.
OK, so we’re dealing with people here so it’s not that straightforward, but I’m going to argue in this blog that one of the most cost-effective ways of successfully withstanding cyber attacks is through more TEA (training, education and awareness). And that in the process you can turn your people from being the weakest link in your defence into your strongest one.
Most domain experts would agree that no amount of systems, policies or technology can be successful in protecting an organization if these don’t consider the ‘people factor’.
People can be malicious, as in those ‘bad actors’ who design viruses aimed at disrupting or destroying an organisation. But they are more likely to be lazy, as in those staff who write down their passwords and leave them in public places, or those who attach their personal devices to the organisation’s IT systems without installing the necessary protection.
People can even become mischievous overnight, as in a disgruntled member of staff whose employment status has changed or who believes they have suffered a slight of some sort.
But is it in fact correct to label your people as the weakest link? Consider this scenario: an employee opens an email attachment despite a warning, displayed on their screen, that doing so is unsafe. If opening that attachment results in a malware infection that compromises the organization’s network, then management may see that employee as a weak link.
But what if that employee was not trained to heed those warnings? What if they were not aware of the very nasty consequences that such clicks can produce? You could argue that the lack of training and awareness is management’s fault, and therefore that management, not the employee, is the weakest link here.
One of my US colleagues carried out a survey – albeit a small one – into this area and found that ‘a third of employees are using computers despite having received no cybersecurity training from their current employer’ (his blog has the details if you’re interested).
Even those who have had cybersecurity training can still be persuaded to drop their guard. A not-so-subtle type of penetration test that I carried out whilst at my former employer, the Dorset Police, bore this out. Despite a significant amount of training given to serving police officers, I managed to persuade a startling number (6%) to click on a link.
These types of social engineering attacks are the most pernicious because they take advantage of our training by society and our parents: that is, to be helpful, courteous and trusting. And I’d add respectful to this list too. It would take a brave staff member to challenge ‘the people above them’, but that is what they must do if they feel those people aren’t addressing a security issue sufficiently or, worse still, aren’t enforcing an existing process.
Of course I’m not suggesting brainwashing people into rejecting the very values that their parents and teachers worked so hard to inculcate in them, but all these factors – including varying attitudes and behaviours – need to be considered when designing and implementing an appropriate safeguarding system.
So how far should a CISO be involved in devising an appropriate TEA programme that takes into account all of the above? I’d suggest that ‘very’ would be a good answer. After all, he or she will be answering to the board if the attack is successful.
And the CISO is not expected to give the training themselves, simply to ensure that the appropriate level of resources is devoted to this area; that sufficiently robust policies and procedures are put in place (and crucially, adhered to) and that lapses or failures are swiftly addressed and dealt with.
Here’s the plug. My company offers some excellent online training in this area. It should not be viewed as a complete panacea, but it is a start. Find out more about our Free ESET Cybersecurity Awareness Training courses if you want to learn more.