Security is a People Problem, Too: Organizations Must Make a New Commitment to Education
Allan Bloom, an American philosopher, once said "Education is the movement from darkness to light." While companies must invest in technology to strengthen their defenses, they should not overlook the importance of educating employees and IT staff on the threat landscape as well as their role in protecting the organization.
Moving employees from "darkness" to "light" and equipping them with the appropriate tools and tactics requires a sustained effort that, while hard to measure, forms the foundation of an effective defense.
Let's review the elements of the people problem that organizations face, as well as the foundations of a robust education program.
The Problem with People
Anyone with experience in cybersecurity knows that attackers routinely target end users. The reason is simple - end users often lack familiarity with the techniques that cyber criminals use.
Attackers typically employ the following techniques to gain access to IT environments:
- Spam emails that appear to come from legitimate companies or trusted sources, when in fact they contain links to sites controlled by the attacker;
- "Watering hole" attacks, which deliver malware via a common gathering point for people within a particular industry or function. For example, such an attack may take place via a site that caters to accountants, in the hope that visitors can be compromised and used as an entry point into their respective companies; and
- Malvertising attacks designed to infect an end user's machine covertly during routine browsing activity.
Infected and Unsecure
If an end user experiences problems with their company computer, they will often avoid contacting the security department. Given how much employees depend upon technology, they fear that being without their computer for any period - however brief - will result in hours of lost time.
When an end user finally admits defeat and relinquishes control of their device to the IT department, they use any means at their disposal to carry on working, including the use of personal email, USB drives, online "box" storage, as well as printing the documents they need. While such tactics may violate the company's policies and procedures, employees often view such violations as necessary and forgivable. Consequently, they place the company and its data at even greater risk of attack.
The Talent Problem
Anyone with a connection to cybersecurity knows that there is a global talent shortage. The resources that do exist must dedicate their efforts to the most severe incidents. This affects the IT department's ability to help with some of the fundamental elements of the company's cybersecurity defenses.
In simple terms, given the dynamic threat environment companies face, the limited security resources in the IT department cannot be everywhere at once.
Commitment to Education
The following components form the cornerstones of an effective education program that helps companies engage their employees in the fight against cyber criminals:
- Training must take place at all levels of the organization. Weak links exist from the C-Suite to the frontline. For the most part, attackers don't care which level of employee they compromise to gain access to an organization's network.
- Employees must gain a clear understanding of safe habits and know how to recognize suspicious activity. An education program should teach employees safe habits so that they know how to recognize, and refuse to click on, potential malware, for example. It should also detail the steps to follow if an employee receives a suspicious message or unexpected attachment.
- Commit to continuing education of IT staff. Just as educating employees plays an important role in strengthening a company's ability to combat threats, IT employees must receive advanced training to better equip them to respond to the evolving threat landscape and to advancing approaches to security.
Educating employees cannot stop attackers from attempting to breach a company's network. However, it can help move employees from the "darkness" of not understanding their roles and responsibilities in helping the company thwart attacks.
Ultimately, security must become a standardized, measured business process that the company commits to reviewing regularly and optimizing accordingly. An effective employee education program helps companies facilitate that goal by connecting the IT function and the business. In turn, this helps mature the organization's approach to combating cyber threats.
Cisco delivers intelligent cybersecurity for the real world, providing one of the industry's broadest portfolios of security solutions, covering the broadest set of attack vectors. To learn more, visit www.cisco.com/security.
Paul McCormack, CFE, is a freelance business writer and consultant. His areas of expertise include accounting, banking, cloud computing, corporate governance, corruption, cybersecurity, executive protection, fraud, intellectual property and money laundering.