In Cybersecurity, Employees are Both the Weakest Link and Best Guards Against Breach
With each new privacy standard that becomes law, a process that has become commonplace in recent years, one core tenet remains unchanged: businesses must be cyber resilient, with every employee in an organization receiving regularly scheduled cybersecurity training. This requirement is codified in many recent laws and privacy standards, including the standards proposed by the Federal Reserve, which are the subject of this article. It also just makes good sense, because the leading cause of data breaches is human error.
This is quite obvious in phishing and pretexting schemes, which account for 98 percent of breaches. But a cyber-resilient workforce goes beyond just knowing not to click on suspicious links. It’s about creating a culture of vigilance, preparing for a breach and creating and maintaining procedures to mitigate risk and expedite recovery. It is not enough to buy the latest and greatest technology if employees do not know how to properly use it. Anuj Goel, of IBM’s Security Intelligence blog, writes that humans are just another operating system with inherent design flaws that must be patched. He adds, “Many organizations deploy phishing filters, advanced firewalls, network access controls, and endpoint scanning tools. But no technology can account for human error entirely.”
Capital One learned this the hard way when data from 100 million credit card applications was compromised in a breach because its employees had not received the training needed to properly configure a firewall. A very similar situation confronted Equifax, where employees not only failed to patch a server but also left the personally identifiable information of 147 million people on a public-facing server guarded by the password “admin.” This is what is called bad cybersecurity hygiene. In cybersecurity, the data convincingly shows that humans are the problem.
The Harvard Business Review suggested that businesses should change their approach to fighting cyber threats in a May 2017 article by Dante Disparte and Chris Furlow:
“It’s better to assume your defenses will be breached and to train your people in what to do when that happens. Instead of ‘risk management,’ we propose thinking of it as ‘risk agility.’ All employees should not only understand what is expected of them regarding company policy and online behavior but also be trained to recognize nefarious or suspicious activity.”
Carlos Solari, Advisory Board Chair of the Association of Data and Cyber Governance concurs. Solari, a cybersecurity expert who has served as a CIO at the White House, says the only way to create cyber resilience is to assure that everyone is talking about cybersecurity all the time. “Cybersecurity is a team effort,” he says in a post about business leaders taking responsibility for creating a culture of cyber resilience. “Only when cybersecurity compliance becomes part of mainstream management practices will we see fewer breaches.”
Cybersecurity Training: A Necessary Investment
The good news is that people can be trained quickly and inexpensively. While cybersecurity training comes with an upfront and recurring cost, it typically does not cost as much as implementing new technology that becomes obsolete in a year. Nor does it cost as much as a breach, which, according to IBM, costs an average of about $3.92 million. This number will likely reach an aggregate of billions of dollars once CCPA takes effect. The question could be posed, “Why buy artificially intelligent cybersecurity technology when the real thing, in the form of intelligent human beings, is available – and motivated to learn?”
The catch is that cybersecurity training functions like vaccination. All it takes is one employee clicking a phishing link and suddenly everyone in the office is compromised. In a similar vein, all it takes is one employee noticing that something is off, like a misspelled name or a subject line with atypical syntax, to stop a massive breach. So training is a necessary cost, and budgets should be constructed to reflect this reality. The only question is what cybersecurity training should look like and contain. National Law Review advises organizations to develop a two-pronged approach to training: passive and active.
Passive training can include periodic newsletters and email updates that remind employees to be vigilant for seasonal hacks, like spoofed tracking URLs during the holiday season. Passive training can also refer to a restructuring of organizational security protocols, such as changing an organization’s rules and workflows to “reprogram” employee behavior. Think of this as the anti-terrorism “See Something, Say Something” campaigns employed by the Department of Homeland Security. The value of reminding citizens and employees to be constantly aware of threats is apparent and cannot be overstated. Tricking employees into sending information to hackers posing as higher-ups is one of the most successful tactics of phishing schemes. Company culture must be reshaped to make employees comfortable questioning requests for information, even when the request comes from their boss.
Active training means conducting formal programs for employees throughout the organization. There are several formats the training can take. According to a recent article in Forbes, PwC and Intuit decided to build video games to teach their employees. That is one option. The point is that cybersecurity training must be engaging in order to increase retention. It is also important to make sure that training is relevant and targeted. All employees need training in identifying phishing and pretexting schemes. It should not be forgotten that the C-suite also requires training in developing a business continuity and recovery plan, and the legal team must be trained on recent data privacy and protection laws, regulations and standards.
Hire an Expert
Finding or developing training that covers all these bases, from compliance to threat detection, is complicated and difficult. Businesses should conduct internal and external audits to determine where employee knowledge gaps exist and how to bridge them. It is often best to bring in a trusted and credentialed consultant; businesses should not embark on an ongoing cybersecurity training program without the help of an expert. For larger institutions, it is well worth a few hundred thousand dollars per year, which is the average cost of cybersecurity training for a large enterprise, to avoid spending many millions on a breach.