Cyber

Is your programme up to scratch?

by Mark Rowe

In the wake of three large-scale global cyber attacks in the last year, people are asking how these attacks were allowed to come to fruition, writes David Smith, CISO at the cybersecurity software firm Nuix.

When information security professionals discuss common vulnerabilities, the conversation often focuses on the end user. We’ve all heard the tired clichés about “you are only as strong as your weakest link” and “stupid user tricks.” Hackers have heard these sayings too, which is why they regularly take advantage of and target this human element. Despite the high-profile media coverage of these attacks and years of warnings, many end users still download email attachments or click hyperlinks without paying attention. The weakest point in the chain is the end user’s behaviour, and cybercriminals know it. The creativity, ingenuity, and persistence of social engineering are impressive. If you examine almost any of the well-known corporate or government intrusions over the past few years, it becomes clear that social engineering was either the main avenue of attack or a major contributing factor.

We’re not reinventing the wheel here; this shouldn’t be a surprise to you. But just how much time do we spend securing the notoriously vulnerable “8th layer”?

A new approach

I was recently asked to help redesign the information security training and awareness programme for the US Secret Service. While discussing the new approach to the programme, a colleague said: “we want to change behaviour, not just meet a requirement.” This should be the norm for all information security training and awareness in every business and organisation around the globe. Any half-hearted attempt to educate users will always yield subpar results. Unfortunately, many organisations also approach information security with a tick-box mentality. This is often due to standard business pressures such as resourcing or budget constraints. It is too easy for harried CIOs and CISOs to post a boring information security course on the organisational intranet, check the box, and move on to their next item of business. However, if recent cyber attacks like Mirai, WannaCry, or Petya have taught us anything, it’s that organisations’ current cyber posture just isn’t enough.

So, what can you do? The most effective approach to information security training and awareness is to avoid the “one size fits all” model. Success will differ from one organisation to another, but the strongest approach will generally meet the following objectives:

Be meaningful

A strong approach will always keep the end user at the front of mind. Disregard the tick-box mentality and, as you build your programme from the ground up, try to put yourself in their shoes or office chair.

An employee will often want to know “why should I care?” or “how does this apply to me?” Some of the most poignant learning occurs when the user makes the connection to their personal life as well as their professional one. Establishing a culture of security within an organisation is all about making sure every employee becomes part of the solution. Everyone from the C-suite to interns must realise that they have a direct impact on their organisation’s security.

Be unique

Design security programmes and courses that focus on different users within your organisation, recognising that different demographics present unique risks to the overall posture. For example, remote workers, senior executives, and information technology administrators will have very different security risk factors and requirements. Avoid focusing only on so-called role-based training (regular users vs. privileged users). Instead, look to the user and their needs and provide a training regimen that reflects them. The key here is avoiding the one-size-fits-all process.

Challenge the norm

Remember that everyone within your organisation is busy, especially when it comes to mandatory training. It goes without saying, but avoid being boring or overly technical; if you are, your audience will grind through the material as quickly as possible to make it go away, undermining the lessons and behaviours you are trying to encourage.

Don’t get stuck in your ways

The cybersecurity threat landscape is constantly evolving. This raises a number of questions when it comes to security training. How often do your users receive training? How often is your information security content updated? If a major new security threat emerges between scheduled training dates, how is that information relayed to users? Aim to avoid the once-a-year tick-box approach: a strong programme should provide constant information, reminders, and recommendations.

Strengthening the weakest link

One question all CIOs and CISOs should be asking themselves when evaluating their security posture is: “How much time and effort do I devote to training and educating my users?” When you consider that the average employee works more than 1,700 hours annually, there is no contest when it comes to devoting a few of those hours to cybersecurity awareness. Ultimately, the end user is both an organisation’s weakest and strongest asset. Security is a sliding scale that is completely under our control. The quality of your information security training and awareness programme, coupled with a holistic approach to cybersecurity that includes the right policies, tools, and technology, will determine where your organisation falls on that spectrum.

© 2024 Professional Security Magazine. All rights reserved.