Strengthening the Human Firewall
Security Awareness Training: Change Employee Behavior and Reduce Risk
By: Mike Cote
Many high-profile cybersecurity breaches occur when hackers target an organization's weakest link: its people.
Over-reliance on technology and failure to apply the human factor can leave companies exposed to attacks, leading to the loss of valuable intellectual property, reputation, and revenue. From the IT trenches to the C-suite, the right people must be organized in the right ways to make security programs work. Three key areas that deserve the board's and CEO's attention are:
Expertise and Staffing
Accept that you will be compromised. A "win" in today's cyber-threat environment is defined by how quickly and effectively your company is able to respond to hackers and extricate them from your systems. It requires a significant level of manpower and expertise on a daily basis, but there is no substitute for it today. A properly organized and staffed security team requires people with a variety of skills and certifications to deploy the technologies, understand the threats, determine hacker motives, fix vulnerabilities, and deflect attacks. Security leaders need the management skills to put the right processes and procedures in place, advocate for security requirements, and communicate risk to corporate leaders. Defensive technologies cannot be used to full advantage without highly skilled people who can turn the data into actionable intelligence.
Leadership and Accountability
Communicating cybersecurity priorities is no longer just an IT job. It requires a tone at the top. Those of us leading the company must ensure that employees appreciate the cybersecurity risks, understand the risk tolerance, and support agreed-upon mitigation strategies. Business enablement often trumps security in the interest of going to market quickly, and only business leaders can ensure that checks and balances are in place to hold management and employees accountable.
44% of organizations say they are dissatisfied with investment in cybersecurity technology because they lack the in-house expertise to leverage it.
- Ponemon Institute, 2015
Awareness and Training
An informed, vigilant workforce is one of the most important defenses against cyberattacks. Hackers know that most workers tend to be helpful and trusting, so they execute attack strategies that exploit human vulnerabilities. Even boardroom leaders are targeted and fall victim to socially engineered emails that deploy malicious cyber weapons into the company's network.
An effective human firewall depends on a culture of vigilance that helps change user behavior to mitigate risk. The best employee programs simulate real-world hackers and provide on-the-spot training when employees fall victim.
Applying the human factor can be difficult in companies today because of the global shortage of qualified information security professionals. One leading practice that many of our clients have adopted is to optimize their existing resources and outsource some of the expertise and operations that a mature security strategy requires. A reputable managed security services firm can also help test the effectiveness of security operations and provide employee awareness training to align technology, people, and processes against the threats.
AS SEEN IN HARVARD BUSINESS REVIEW, OCT. 2015