Did you know that most cybersecurity and data breaches occur because of people rather than a lack of technology? While it is important to do everything we can to improve the security of our technology, if we ignore the human weaknesses of IT security, we’re leaving a gaping hole in our defense for attackers to exploit.
The reality is that employees are both the biggest threat to businesses and one of their best defenses. Some employees are, unfortunately, still too unaware of safe online practices and the threats they face, whereas others choose not to take cyber threats seriously at all. All of this means that employees, as end users, directly affect network security. They often become the “weak link” in the chain of network defense because of a lack of knowledge, training, or care.
Modern hackers frequently use highly tailored and sophisticated phishing emails that appear to be authentic communications and fool their intended victims into clicking on a malicious link or downloading a compromised attachment. As the threat of viruses has begun to decrease, malware threats have been on the rise over the past several years.
Because no anti-virus, anti-malware, or firewall can single-handedly stop every cyber threat, defense-in-depth solutions that look at threats from all angles are essential. And that has to include the use of your own employees as informed gatekeepers.
Many employee-related cybersecurity threats can be addressed by building a “human firewall.” This involves the implementation of an effective cybersecurity user awareness training program as well as other initiatives.
Cybersecurity User Awareness Training
Simply put, the more cyber-aware your end users are, the more protected your network will be. In a nutshell, cybersecurity awareness training is a program that informs employees about how to identify cybersecurity threats and how to respond quickly and effectively to mitigate any potential damage, by helping them recognize:
- Social engineering attacks, which are at an all-time high;
- CEO fraud, which is rapidly increasing and results in significant losses for businesses worldwide; and
- Ransomware, the use of which spiked dramatically in 2017.
This cybersecurity awareness training also helps to reduce risks that your organization can otherwise face by making employees aware that they should not be using work devices for personal activities like playing games or shopping online. Much of the training and recommended best practices overlap with other policies and processes, such as your organization’s computer use policy.
Every organization has some level of cybersecurity awareness training for its end users; it’s just a matter of whether it’s at the “nonexistent” level or at the other end of the spectrum, comprehensively documented and well established. The good news is that global spending on security training for employees is predicted to increase and reach $10 billion by 2027, according to sources cited in the Security Awareness Training Report by Cybersecurity Ventures. This means more and more people are taking the threat seriously and recognizing that users are a key component of cybersecurity protection.
Organizations that provide cybersecurity training to their end users know that this is the difference between having people who merely use computers and having people who are aware of, and take an informed approach to, how computers should be used from a security perspective. This comes from having a cyber-aware culture that emphasizes the latter and a training program in place to help employees achieve that level of awareness.
The Human Firewall
There are four critical components to building a truly effective human firewall:
- Performing Baseline Testing. The program starts by using simulated phishing attacks to determine a baseline of how phish-prone your business is. This will help you know where you stand and what you need to improve upon. After all, “you can’t manage what you don’t measure.” Information is key, and it’s how you improve things.
- Training All Users. This step involves providing current, on-demand, and engaging interactive content that includes common scenario-based exercises, traps, and hacking demonstrations. Training should be integrated into the new-hire onboarding process and should also be an ongoing effort. Furthermore, training should not be limited by a person’s title or rank; it needs to be given to everyone.
- Phishing Your Users. The best programs provide a way to test your users on a recurring basis via fully automated and ongoing simulated phishing attacks and topical templates. Even when testing shows that susceptibility has decreased, continue testing anyway. This helps to keep security front of mind for employees and also gives IT staff a way to analyze and adjust their tactics to improve them over time.
- Managing by Results. Much like the concept of “wash, rinse, repeat,” it’s important for organizations to test, fine-tune based on the results, and repeat based on the new information.
Employee Password Protection
Password security is crucial to your organization’s security as well. While having a strong password that combines characters, capitalizations, and numbers is excellent, it won’t matter if users recycle that password across different accounts. Research by Keeper Security shows that the overwhelming majority of surveyed users are doing precisely that. The survey of 1,000 users showed that 87% of users between the ages of 18 and 30 share or reuse their passwords between multiple accounts, as do 81% of people age 31 and above.
Implementing and enforcing an effective password policy will help protect the integrity and security of your organization’s data and other resources. This kind of policy outlines rules, roles, and responsibilities, including how passwords are managed (for example, via a password management system) and how access to that system is controlled.
Be sure to provide copies of the email policy to employees and have them read and sign it. This provides an additional layer of legal protection for your business should employee password carelessness create a vulnerability in your security.
You can read about this and other cybersecurity areas of concern in our new eBook “The CFO’s Guide to Cybersecurity.”
What are you doing to build a “human firewall” at your organization? Share your thoughts and experiences in the comments section below or send me an email to chat about the topic more in depth.