At Black Hat 2018 last week, Google discussed their vision for users to not have to think about cybersecurity at all, similar to how we think about breathing. However, in all of my years of working in the cybersecurity sector, from the Israeli Defense Forces’ Intelligence Corps Unit to my years at the government’s National Cyber Bureau, I’ve learned that trusting in software and technology capabilities alone is never a good option – especially when you are working with critical infrastructure and larger organizations. According to the Ponemon Institute’s 2017 Cost of Data Breach Study, 69 percent of respondents believe their software is insufficient to block the cyber threats they are currently facing.
A broader look at cyber training
Additional training and education are needed at every level of an organization – from mailroom to boardroom – to address the growing concerns about vulnerabilities within the financial, insurance, energy, and critical infrastructure sectors – not reliance on a reactive approach from tech giants. As online threats become more sophisticated, complex and multifaceted, untrained employees become more of a security risk than ever. According to Experian’s Managing Insider Risk Through Training & Culture Report, employees are not knowledgeable about, or have no knowledge of, the company’s security risks. This is a huge concern in and of itself, and particularly so when these employees are the first responders to vulnerabilities in your company’s critical IT infrastructure.
Cybersecurity knowledge is not a responsibility of only the IT or OT departments, but of the organization as a whole. Training a workforce how to act before and during a cyber-attack is imperative to any organization’s cyber defense. Even if one employee or manager opens an innocent-looking malicious email attachment, the whole organization could be open to an attack, regardless of the efforts and money you put in your cybersecurity technologies.
A ransomware attack, or any other socially engineered attack, requires making crucial, quickfire decisions, such as whether to pay the ransom, when to release public statements, and what information to share with the relevant agencies. According to Kaspersky, in the highly publicized WannaCry epidemic, the human factor played a major role in the vulnerability of organizations worldwide. They found that two months after Microsoft had released an update patching the disclosed vulnerabilities, many organizations still hadn’t updated their systems – leading to several new cases of the damaging ransomware.
Executives and managers need to make the ultimate cybersecurity decisions, but in the throes of an attack, they may face multiple, simultaneous decisions across a global footprint. In CompTIA’s International Trends in Cybersecurity research, 52 percent of respondents felt cybersecurity issues were caused by human factors. Most cybersecurity breaches were the direct result of users who were lured by nondescript links and payloads delivered via browsers and email, respectively.
Knowing how people will react to a cybersecurity breach is as important as defending against cyber-attacks. Go beyond technology with programs that balance people with policies and technologies, and make sure every employee knows the basics. The best cybersecurity defense is the ability to make decisions: when it comes to risk management and being equipped to deal with a cyber-attack, quick decision-making and cybersecurity knowledge are more important than any technology.
Humans are on the frontline. Literally.
The human factor is the weakest link in both prevention and mitigation of cyber breaches, while the best defense is to test and train people on security policies, technology and tools. The current trend in cybersecurity is recreating an actual working environment and putting employees in the midst of a very real cyber-attack that they must defend against. Businesses across the globe are now signing up employees to endure the hands-on perils of cyber-attacks. In a real-life situation, theory meets practice – with real-world consequences.
Employees across the globe, from the very junior to the CEO and directors, are the first line of defense. Increasingly, they are expected to know the basics of prevention and mitigation of a cyber-attack and to be trained in the methods. In the past, cybersecurity wasn’t the average employee’s daily concern; security tasks were delegated to the IT teams. But just one mistake by any employee, anywhere in an organization, can be very costly.
That’s why companies today are stress-testing and training every level of the organization, to gain a deeper understanding of the cyber threat landscape, the types of attacks they might face, and the impact these attacks can have. A holistic, organization-wide approach that bridges and trains people together with the policies and technologies, in a safe environment, is the most impactful, long-term and authentic way to prepare your business for the next wave of inevitable cyber-attacks.